= GDPR Tags: [[Information_Governance_Category]] == Regulation - [[http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN|EU Regulation]] - [[https://gdpr-info.eu/art-9-gdpr/|Nicely Formatted]] - [[https://publications.parliament.uk/pa/bills/lbill/2017-2019/0074/18074.pdf|UK Data Protection Bill]] == Latest Developments - [[https://digital.nhs.uk/media/34227/GDPR-FAQs/doc/20171122_GDPR_FAQs|NHS Digital GDPR FAQ (Check Monthly)]] - [[https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/whats-new/|ICO - What's New (Check Monthy)]] == Guidance - [[http://www.writeupp.com/blog/gdpr-a-practical-perspective/|Write up (GP Sysytem)]] - [[https://digital.nhs.uk/information-governance-alliance/General-Data-Protection-Regulation-guidance|NHS Digital]] - [[https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr|ICO]] - Certainly the best. A good starting point for creating policies and SOPs. Contains templates and checklists. - [[https://ico.org.uk/for-organisations/guide-to-data-protection/big-data/|ICO Big Data and Machine Learning guidance]] - [[https://www.youtube.com/watch?v=S7xKH8KQlqE&feature=youtu.be|GDPR Webinar]] == Work Requirements - [[https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/|ICO Checklist]] === Communicate with all Researchers - [[https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf|ICO Overview - distribute?]] === Documentation - [[https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/documentation/|ICO Documentation Guidance with templates and checklists]] ==== Study Data Documentation - Lawful basis for processing (probably only consent is applicable): - Consent - Contract with individual - Legal obligation - Vital interest (i.e., to protect someone's life) - Public task (as directed by legislation) - Legitimate interest - Safeguards (Need to double check these): - Data minimisation - Pseudonymisation - Limited period of identification - Limited period of retention - No distress or damage caused to individual - Not used for personal decisions - Policies are in place - Informing the public - Anonymisation: - Anonymous - Pseudonymised - Identifiable - Data type: - Personal data - Special category data - Racial or ethnic origin - Political opinions - Religious or philosophical beliefs - Trade union membership - Genetic data - Biometric data (where used for personal identification) - Health data - Sex life - Sexual orientation - Conditions for processing Special Category Data (requires link to actually description): - Explicit consent - Necessitated by employment, social security or social protection law. - Necessary to protect vital interest of subject or other person and consent is not possible. - Legitimate activities of a not-for-profit organisation with a direct contact to data subject. - Data has been made public by the data subject - For legal purposes - For substantial public interest. - For health provision - For serious public health issues - Archiving for historical or scientific research - Archives - Data retension timescales - Data source - Location of data - Outputs and data sharing ==== Audits and Review Meetings - Frequency - Items to cover ==== Transfers, Processors and Data Sharing - Organisations - Contracts - Anonymisation - Data type - Data processing agreements / Information sharing agreements - Length of agreement === Data Protection Impact Assessment - [[https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/|ICO Data Protection Impact Assessment]] - [[https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf|ICO Code of Practice - i.e., How to guide]] === Policies / SOPs / Mitigation ==== Rights of Data Subject - Right to be informed - Right to access - Right to rectification - Right to erasure - Right to restrict processing - Right to data portability - Right to object - Right to not be subject to automated decision-making, including profiling ==== Areas requiring Action - Public communication: - Web sites - posters - Withdrawal / Do not contact / erasure requests - Data breach notification - Data review meetings - Anonymisation / Pseudonymisation - Data transfer and encryption - Authentication - Request management: - Access - Recification - Erasure - Restrict processing - Data portability - Objections === Security - [[https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/security/|ICO Guidance (work in progress)]] [[BackLinks]]