Frequently Asked Questions
How do I identify a personal data breach, and what do I do if one occurs?
If personal data or special category data is used in a way that it wasn’t supposed to be used – e.g, if it is shared with the wrong person, inadvertently lost or stolen, or if a system is unlawfully accessed – this is considered a personal data breach. A data breach should be reported to the Data Protection & FOI Office as soon as it is discovered.
See the DP&FOI Office’s guidance on personal data breaches for more information on identifying and responding to a breach.
Do I need to let people know if I’m using information about them?
With very minimal exceptions relating to research, any time you collect, store, or in any way use information that identifies another person, you must ensure they are properly informed. You will need to present the individuals whose data you process with a privacy notice.
The University has numerous privacy notices in place, covering a range of processes:
If your use of personal or special category data is not covered by one of the above notices, you will need to draft one for your data subjects.
What do I need to do to get ethical approval?
If you are undertaking a research project involving human data subjects, as part of the ethical approval process, you will need to complete a Data Protection Impact Assessment. Information on the DPIA and what it involves is available at the link provided.
Please be advised that a DPIA should be completed in the early stages of your ethics application.
Do I have to do anything for data protection if I want to start using a new technology/service/software/system?
A Data Protection Impact Assessment is required if you are building or migrating to new IT systems for storing or accessing personal data or special category data. This assessment will help to ensure that there are no security or other privacy issues surrounding the new system, and that the data in question is handled in line with data protection legislation. The DPIA must be completed BEFORE you start using the new system.
I want to use a free, third-party tool for teaching. What do I do to make this compliant?
Consider the following:
What is personal data?
Data protection legislation regulates the processing of personal data about a living individual (data subject). Personal data is any information relating to a data subject who can be identified, directly or indirectly by that information including name, location data, online identifier such as IP address, pseudonymised data, and any factors specific to physical, physiological, genetic, mental, economic, cultural or social identity.
Are you sharing student data with the service?
If the service will be processing data on the University’s behalf you will need to put in place a data sharing agreement with the third party.
You will also need to conduct a Data Protection Impact Assessment (DPIA), which is a tool for building and demonstrating compliance and trust and for protecting the rights and freedoms of data subjects.
Are you asking students to sign up for an account?
If so, conduct due diligence to establish what data will be collected and why. Is it just name and contact email address, or is the service asking for more personal data, e.g. DOB, links to personal social media accounts, financial information (some freemium services are only free for a limited time or limited use of product)?
Review the service privacy notice to ensure they are clear and transparent on how the students' personal data will be used and how long it will be retained. Do they offer a choice in relation to receiving marketing information and communications? If a student has linked a personal social media account how will this information be used? If you have any general questions about the privacy notice contact the Data Protection Office.
I am working with an organisation outside the University and need to share student/staff data with them. Do I need to think about data protection?
When multiple organisations work together and share data about people, legislation requires that all parties understand and follow data protection obligations. The data controller (loosely, the organisation in charge) is responsible for deciding how the data will be collected, used, and stored, for appropriately informing data subjects (including telling them that their data will be shared with external parties), and for conducting a DPIA if needed.
The data controller must also ensure that all other participating organisations are following the established data handling decisions. This may be done via a data sharing agreement, contract clause, or other formal agreement that all parties accept.
Examples of sharing data with external parties include:
- using a transcription service to transcribe meetings or interviews
- using third-party survey services, such as SurveyMonkey or Qualtrics, for research data collection
- collaborating on research with another University or the NHS
- using an IT system that is maintained or run by an outside company
If you are working with an external organisation and sharing personal or special category data with that organisation, please complete and submit the Questionnaire for Data Processing Involving Third Parties.
How do I spot an FOI request and what do I do if I receive one?
Any recorded question (e.g. email, letter, voicemail) asking about general information must be considered a potential FOI request. An FOI request does not have to be submitted via the Data Protection & FOI Office – it can be sent to any member of staff.
If you receive an FOI request, either in your email inbox, voicemail, or via post, please notify the DP&FOI Office promptly as the University has 20 working days to respond. If the request is straightforward and you can answer it as ‘business as usual’, you do not have to run it past the FOI team.
Please note that if you receive a request for information about the enquirer, that is handled under data protection legislation. You should direct the individual to our GDPR Rights Request webform (they will have to submit ID to proceed with their enquiry).
Do I have to respond to an FOI request, or give out all the information requested?
We cannot ignore FOI requests. The Freedom of Information (Scotland) Act 2002 requires the University to acknowledge that a request was made and respond to the enquirer, even if it will take time to respond or we are concerned about how the response may read.
There are several exemptions that allow us to avoid disclosure of requested information in certain circumstances. If there are concerns regarding the release of certain information, or if it will take more than one day to produce the requested information, we may be able to withhold it. However, we must respond to the enquirer, explaining why we will not provide the requested information.
If an exemption is to be applied to an FOI request, it must be done by the DP&FOI Office. So, if you receive an FOI request and have concerns about providing the information, get in touch with the team.
What should I do if I get a request for information on staff or students from the Police?
Under data protection legislation, the University can share personal data on a staff member or student without the consent of the individual concerned, if it aids the prevention or detection of crime, or if it is an emergency and in the vital interests of the individual. However, it is at the University’s discretion whether information is shared, so the Police must provide a formal Schedule 2(1)(2) form disclosure request form. The form must detail the information sought by the Police and why they want it, and it must be signed by two officers. It is a Police form, so they should always have access to it.
All disclosure forms are processed by the Data Protection and Freedom of Information Office and the release of the information is at our discretion. If the Police approach you for information, please get in touch with the DP&FOI Office for guidance and assistance. If you are approached outside standard office hours, please contact Security.
For additional information on handling Police requests for information, including what to do in an emergency situation, please see Police Requests for Personal Data and Emergency Requests for Personal Data.
How long do I keep emails?
The retention of information depends on the content of the information, not the format it comes in. Email is a format for sending information, so you will need to consider the details of individual emails (e.g., what are they about, who are they from, what purpose do they hold) to determine how long to keep them.
Information should only be kept for as long it is needed. You and your team will need to decide how long you require access to the information in the email, considering internal and stakeholder requirements, business need for access, relevant legislation dictating retention, etc.
The Data Protection & FOI Office can advise on retention considerations and best practice. Contact us at firstname.lastname@example.org.
Can I record lectures or conversations?
If you are going to record other individuals, particularly in a way that will make them identifiable, then you must ensure that they are properly informed about the recording (and the use of their data).
The University has a general Lecture Recording Policy, along with a privacy notice for recording lectures for academic purposes. Review this policy, and if the privacy notice is relevant ensure that it is available for your participants. If your intended recording purposes fall outwith the scope of the policy, you will need to create your own privacy notice.
How do I handle reference requests?
Guidance on writing references for students can be found here: References for students
Guidance on writing references for staff can be found on the P&OD website: References for staff
There is no data protection obligation to release a reference written about you. However, People & Organisational Development will generally provide access to the references they hold on you, so any requests for access to this information should be directed to them: https://www.gla.ac.uk/myglasgow/humanresources/.