wiki:GDPR

Version 28 (modified by Richard Bramley, 7 years ago) ( diff )

--

GDPR

Tags: Information_Governance_Category

Regulation

Latest Developments

Guidance

Work Requirements

Communicate with all Researchers

Documentation

Study Data Documentation

  • Lawful basis for processing (probably only consent is applicable):
    • Consent
    • Contract with individual
    • Legal obligation
    • Vital interest (i.e., to protect someone's life)
    • Public task (as directed by legislation)
    • Legitimate interest
  • Safeguards (Need to double check these):
    • Data minimisation
    • Pseudonymisation
    • Limited period of identification
    • Limited period of retention
    • No distress or damage caused to individual
    • Not used for personal decisions
    • Policies are in place
  • Informing the public
  • Anonymisation:
    • Anonymous
    • Pseudonymised
    • Identifiable
  • Data type:
    • Personal data
    • Special category data
      • Racial or ethnic origin
      • Political opinions
      • Religious or philosophical beliefs
      • Trade union membership
      • Genetic data
      • Biometric data (where used for personal identification)
      • Health data
      • Sex life
      • Sexual orientation
  • Conditions for processing Special Category Data (requires link to actually description):
    • Explicit consent
    • Necessitated by employment, social security or social protection law.
    • Necessary to protect vital interest of subject or other person and consent is not possible.
    • Legitimate activities of a not-for-profit organisation with a direct contact to data subject.
    • Data has been made public by the data subject
    • For legal purposes
    • For substantial public interest.
    • For health provision
    • For serious public health issues
    • Archiving for historical or scientific research
  • Archives
  • Data retension timescales
  • Data source
  • Location of data
  • Outputs and data sharing

Audits and Review Meetings

  • Frequency
  • Items to cover

Transfers, Processors and Data Sharing

  • Organisations
  • Contracts
  • Anonymisation
  • Data type
  • Data processing agreements / Information sharing agreements
  • Length of agreement

Data Protection Impact Assessment

Policies / SOPs / Mitigation

Rights of Data Subject

  • Right to be informed
  • Right to access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Right to not be subject to automated decision-making, including profiling

Areas requiring Action

  • Public communication:
    • Web sites
    • posters
  • Withdrawal / Do not contact / erasure requests
  • Data breach notification
  • Data review meetings
  • Anonymisation / Pseudonymisation
  • Data transfer and encryption
  • Authentication
  • Request management:
    • Access
    • Recification
    • Erasure
    • Restrict processing
    • Data portability
    • Objections

Security

Error: Macro BackLinks(None) failed
'Environment' object has no attribute 'get_db_cnx'

Note: See TracWiki for help on using the wiki.