In May 2018, a new Europe-wide law called the General Data Protection Regulation (GDPR) will replace the current Data Protection Act 1998 (DPA).
GDPR will better protect individuals' rights around privacy and data protection, especially since the DPA was written in a pre-internet world.
Like the DPA, the GDPR will apply to any personal data that is collected, stored or processed by the University, whether that is in-house, off-site, outsourced or in cloud applications.
Furthermore, the GDPR definition of personal data is more detailed: it applies both to electronic data, including emails and CCTV images, and to manual filing systems, and it includes online identifiers such as an IP address as well as genetic and biometric data.
GDPR applies to all processing of personal data in the EU and of personal data relating to EU citizens beyond the EU’s borders.
Although GDPR is European legislation and the UK is scheduled to leave the EU in 2019, this does not mean that the rules will cease to apply to us after that date: the UK Government has made it clear that the UK will adhere to the requirements of the GDPR and has launched a Data Protection Bill, which will enshrine GDPR into UK law and clarify many issues that the EU left to national governments to decide upon. The Data Protection Bill is expected to become law in 2018.
The GDPR does not mean we can no longer collect the personal data we need. It does mean, however, that we need to understand what data we need, why we need it, how it is used and how it is disposed of. Once we have the answers to these questions, we may need to make some changes to the ways in which we collect, use, share and store personal data.