GDPR

Tags: Information_Governance_Category

Regulation

• ​EU Regulation
• ​Nicely Formatted
• ​UK Data Protection Bill

Latest Developments

• ​NHS Digital GDPR FAQ (Check Monthly)
• ​ICO - What's New (Check Monthy)

Guidance

• ​Write up (GP Sysytem)
• ​NHS Digital
• ​ICO - Certainly the best. A good starting point for creating policies and SOPs. Contains templates and checklists.
• ​ICO Big Data and Machine Learning guidance
• ​GDPR Webinar

Work Requirements

• ​ICO Checklist

Communicate with all Researchers

• ​ICO Overview - distribute?

Documentation

• ​ICO Documentation Guidance with templates and checklists

Study Data Documentation

• Lawful basis for processing (probably only consent is applicable):
  • Consent
  • Contract with individual
  • Legal obligation
  • Vital interest (i.e., to protect someone's life)
  • Public task (as directed by legislation)
  • Legitimate interest
• Safeguards (Need to double check these):
  • Data minimisation
  • Pseudonymisation
  • Limited period of identification
  • Limited period of retention
  • No distress or damage caused to individual
  • Not used for personal decisions
  • Policies are in place
• Informing the public
• Anonymisation:
  • Anonymous
  • Pseudonymised
  • Identifiable
• Data type:
  • Personal data
  • Special category data
    • Racial or ethnic origin
    • Political opinions
    • Religious or philosophical beliefs
    • Trade union membership
    • Genetic data
    • Biometric data (where used for personal identification)
    • Health data
    • Sex life
    • Sexual orientation
• Conditions for processing Special Category Data (requires link to actually description):
  • Explicit consent
  • Necessitated by employment, social security or social protection law.
  • Necessary to protect vital interest of subject or other person and consent is not possible.
  • Legitimate activities of a not-for-profit organisation with a direct contact to data subject.
  • Data has been made public by the data subject
  • For legal purposes
  • For substantial public interest.
  • For health provision
  • For serious public health issues
  • Archiving for historical or scientific research
• Archives
• Data retension timescales
• Data source
• Location of data
• Outputs and data sharing

Audits and Review Meetings

• Frequency
• Attendees
• Items to cover:
  • Review of lawful basis
  • Review of safeguarding
  • Review user access list

Transfers, Processors and Data Sharing

• Organisations
• Contracts
• Anonymisation
• Data type
• Data processing agreements / Information sharing agreements
• Length of agreement

Data Protection Impact Assessment

• ​ICO Data Protection Impact Assessment
• ​ICO Code of Practice - i.e., How to guide

Policies / SOPs / Mitigation

Rights of Data Subject

• Right to be informed
• Right to access
• Right to rectification
• Right to erasure
• Right to restrict processing
• Right to data portability
• Right to object
• Right to not be subject to automated decision-making, including profiling

Areas requiring Action

• Public communication:
  • Web sites
  • posters
• Withdrawal / Do not contact / erasure requests
• Data breach notification
• Data review meetings
• Anonymisation / Pseudonymisation
• Data transfer and encryption
• Authentication
• Request management:
  • Access
  • Recification
  • Erasure
  • Restrict processing
  • Data portability
  • Objections

Security

• ​ICO Guidance (work in progress)

Error: Macro BackLinks(None) failed

'Environment' object has no attribute 'get_db_cnx'