Our Approach to  Data Protection

At Wrexham Glyndŵr University, we take data privacy seriously. We are committed to complying with data protection laws and handling personal data correctly and appropriately.

We are continuously working to update our policies and processes to ensure that we have the appropriate framework to support individuals’ rights.

What do I need to know?

Please think about how you manage personal information. For more information on personal information and the GDPR, please see our policies page or visit the website of the Information Commissioners Office.

If you are a member of staff, you can access the internal information governance site for help and support on how GDPR impacts you and what you need to know (note: you will need to be logged in with your University account to access this). You also need to ensure that you have completed the GDPR e-learning.

Data Protection Legislation

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018, designed to protect individual personal data, became law on 25 May 2018. Data protection legislation sets out rules and standards for the use and handling ('processing') of information ('personal data') about living identifiable individuals ('data subjects') by organisations ('data controllers'). It is based around the notions of principles, rights and accountability obligations. 

The harmonising and strengthening of data protection rules is a major part of the EU’s ambition to grow its digital economy, making better use of innovative services such as big data and cloud computing. Understandably, the UK also needs to be in a position to be part of this economic development.

The importance of this new legislation is signalled by the considerable increase in the maximum financial penalty, which can be levied for a breach, from £500,000 to around £17 million for public authorities or 4% turnover.

The changes brought about by the GDPR require us to be more conscientious about the way in which we process personal data, putting the rights of individuals at the heart of what we do, and being more transparent about how we use that data.

Principles

Data controllers processing personal data must follow - and be able to demonstrate that they are following - the data protection principles.

Under the GDPR, there are six principles. Personal data must be processed following these principles so that the data is:

  • Processed fairly, lawfully and transparently - and only if there is a valid 'legal basis' for doing so.
  • Processed only for specified, explicit and legitimate purposes.
  • Adequate, relevant and limited.
  • Accurate (and rectified if inaccurate).
  • Not kept for longer than necessary.
  • Processed securely - to preserve the confidentiality, integrity and availability of the personal data.

Personal Data Breaches

One of the most important accountability obligations concerns personal data breaches - that is, if personal data held by the University is lost, stolen, inadvertently disclosed to an external party, or accidentally published. Some typical examples of a personal data breach are:

  • Sending an email or letter containing personal data to the wrong recipient.
  • Accidentally disclosing personal email addresses (e.g. by using cc instead of bcc).
  • Inadvertently publishing University records containing personal data, or login credentials allowing access to them, on the internet.
  • Losing an unsecured laptop or other personal device storing University records containing personal data.
  • Having a University website, email account or drive hacked, with personal data stolen or 'locked down' by the hacker.

Personal data breaches may arise from IT security incidents, but not all IT security incidents are personal data breaches, and vice versa. Some types of personal data breach have to be reported to the ICO and the affected data subjects within short timeframes, so recognising and reporting them internally is crucial. The University has a dedicated data breach process for dealing with instances where there has been (or where there is suspicion that there might have been) a data breach.

All members of staff within the University have a duty to report any such instances without delay. Also, if any students or members of the public become aware of a data breach at the University, then we would strongly advise you to report it to us so that we can investigate and take action.

Details of how we handle personal data breaches, including how to report a breach can be found on the report a data breach page.

Privacy Notices

Under GDPR all organisations which process personal data must inform individuals about that processing in a concise, transparent and intelligible manner. This needs to be written in clear and plain language and easily accessible.

The University has numerous privacy notices to inform data subjects about how we process their personal information. Links to these can be found on the policies and statements page.

Rights

Under the GDPR, data subjects are given various rights, which they are free to exercise:

  • The right to be informed of how their personal data are being used - this right is usually fulfilled by the provision of 'privacy notices' as described above.
  • The right of access to their personal data - accessing personal data in this way is usually known as making a subject access request.
  • The right to have their inaccurate personal data rectified. The right to have their personal data erased where appropriate - also known as the right to be forgotten.
  • The right to restrict the processing of their personal data pending its verification or correction. The right to receive copies of their personal data in a machine-readable and commonly-used format - known as the right to data portability.
  • The right to object- to processing (including profiling) of their personal data that proceeds under particular legal bases; to direct marketing and to processing of their data for research purposes where that research is not in the public interest.
  • The right not to be subject to a significant decision based solely on automated decision - making using their personal data.

A response to a rights request normally needs to be sent within one month. However, nearly all of these rights are qualified in various ways and there are numerous specific exemptions both in the GDPR and in the DPA 2018 (for example, nearly all the rights may not apply if the personal data is being processed solely in an academic research context). These rights build upon and strengthen rights previously given to data subjects under the DPA 1998.