General Data Protection Regulation comes into force on 25th May this year and replaces the 1995 data protection directive (Directive 95/46/EC). The technological landscape has changed dramatically since the 1995 directive and GDPR aims to address this by providing a modernised, single set of data protection and privacy rules across Europe. For Data Controllers GDPR emphasises transparency, security, and accountability, while at the same time standardising and strengthening the rights of an individual to data privacy. More broadly speaking, this new regulation aims to invoke a cultural shift in how we think about and manage personal data.
We have put together this guide to GDPR for Computer Science. This is not an exhaustive guide but it should get you thinking about GDPR and how to achieve compliance. If you have any further questions please contact firstname.lastname@example.org
What exactly is Personal Data?
Personal data is defined as any information that relates to an identified or identifiable living individual. Different pieces of information, which when combined lead to the identification of a particular person, also constitute personal data. This is a deliberately broad definition that in principle covers any information that identifies a living individual. The most obvious identifier for an individual would be their full name but keep in mind that a combination of information, such as physical characteristics, pseudonyms, occupation, address, can be used to identify an individual. Perhaps a clearer way of looking at this is to divide personal data into Direct and Indirect.
If the concept of personal data still seems unclear take a look at these examples of Personal Data in circulation within UCD.
Sensitive Data & Children’s Data
A subcategory of personal data is sensitive data. Some examples of this type of data are biometric data, genetic data, political opinions, religious beliefs, trade-union membership, sex life, racial or ethnic origin, and criminal offences/convictions. Sensitive data requires a higher degree of control and security. There are also additional conditions to be met for the processing of such data to be legitimate. Usually this will be the explicit consent of the person to whom the data relates.
For Children’s data the GDPR introduces special protections, particularly in the context of social media and commercial internet services. The state will define the age up to which an organisation must obtain consent from a guardian before processing a child’s data. It should be noted that consent needs to be verifiable, and therefore communicated to minors in language that they can understand.
If your work involves the processing of data from underage subjects, you must ensure that you have adequate systems in place to verify individual ages and gather consent from guardians. You must also liaise with the UCD Office of Research Ethics.
Are you a Data Controller/Data Processor?
GDPR defines a Data Controller as “the natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” By contrast, a Data Processor is anyone who processes personal data on behalf of the data controller, but this does not include employees of a data controller who process such data in the course of their employment.
Therefore, with respect to UCD systems like Banner, Sisweb, Infohub, RMS, Blackboard, Moodle etc., you are neither the Data Controller nor the Data Processor. However, as a UCD employee you are obligated to use these systems in a manner that ensures the data is secure from unauthorised access, disclosure, destruction or accidental loss. The data controller will provide you with a clear set of rules for responsible processing; see for example UCD Banner’s usage policy.
If you collect, store, and process personal data for research, administrative, or teaching purposes, or for any other reason, you are the Data Controller. As data controller, it is your responsibility to ensure data is collected and processed in compliance with GDPR Article 5, “Principles relating to processing of personal data”. These principles are outlined here:
Principle 1: Fair obtaining
- At the time when we collect information about individuals, are they made aware of the uses for that information?
- Are people made aware of any disclosures of their data to third parties?
- Have we obtained people's consent for any secondary uses of their personal data which might not be obvious to them?
- Can we describe our data-collection practices as open, transparent and up-front?
Principle 2: Purpose specification
- Are we clear about the purpose (or purposes) for which we keep personal information?
- Are the individuals on our database also clear about this purpose?
- Has responsibility been assigned for maintaining a list of all data sets and the purpose associated with each?
Principle 3: Use and disclosure of information
- Are there defined rules about the use and disclosure of information?
- Are all staff aware of these rules?
- Are the individuals aware of the uses and disclosures of their personal data? Would they be surprised if they learned about them? Consider whether the consent of the individuals should be obtained for these uses and disclosures.
Principle 4: Security
- Is there a list of security provisions in place for each data set?
- Is someone responsible for the development and review of these provisions?
- Are these provisions appropriate to the sensitivity of the personal data we keep?
- Are our computers and our databases password-protected, and encrypted if appropriate?
- Are our computers, servers, and files securely locked away from unauthorised people?
Principle 5: Adequate, relevant and not excessive
- Do we collect all the information we need to serve our purpose effectively, and to deal with individuals in a fair and comprehensive manner?
- Have we checked to make sure that all the information we collect is relevant, and not excessive, for our specified purpose?
- If an individual asked us to justify every piece of information we hold about him or her, could we do so?
- Does a policy exist in this regard?
Principle 6: Accurate and up-to-date
- Do we check our data for accuracy?
- Do we know how much of our personal data is time-sensitive, i.e. likely to become inaccurate over time unless it is updated?
- Do we take steps to ensure our databases are kept up-to-date?
Principle 7: Retention time
- Is there a clear statement on how long items of information are to be retained?
- Are we clear about any legal requirements on us to retain data for a certain period?
- Do we regularly purge our databases of data which we no longer need, such as data relating to former customers or staff members?
- Do we have a policy on deleting personal data as soon as the purpose for which we obtained the data has been completed?
Principle 8: The Right of Access
- Is a named individual responsible for handling access requests?
- Are there clear procedures in place for dealing with such requests?
- Do these procedures guarantee compliance with the Act's requirements?
Information Lifecycle Management (ILM)
Information Lifecycle Management (ILM) outlines your key considerations and responsibilities when processing personal data from collection to destruction under GDPR Article 5, “Principles relating to processing of personal data.” It is critical that Data Controllers and Processors understand this information lifecycle.
- Data Collection: What type of personal data do you collect? Are you collecting too much data or irrelevant data for your purposes? Can you identify ways to minimise the data you gather? Collect only the data that is essential to your requirements and anonymise whenever possible. If applicable you should identify your legal basis for collecting the data and document it.
- Transparency/Consent: An individual should have full knowledge and a clear understanding of how the data they provide will be used. This means specifying the purpose and retention period of the data. Have a mechanism in place that allows individuals to freely give specific, informed and unambiguous consent.
- Storage: Is the personal data you process secured? You should have adequate physical and technical security measures in place to maintain the confidentiality and integrity of data. Access to the data must be restricted to only those who are authorised to process it.
- Integrity: Ensure accuracy and integrity of data is maintained. Have a process for auditing your data and updating it when necessary.
- Retention: Do not store personal data indefinitely. Adhere to a retention policy and delete data when it is no longer required or in accordance with UCD retention period.
- Right to Access: An individual has the ‘Right to Access’ the personal data that you hold about them. You should have a procedure in place that allows you to meet such requests within the statutory deadlines.
How Long can I hold on to Personal Data?
This is complex because GDPR does not define retention periods. Retention is decided by other statutes and regulations specific to an organisation and country. These periods can range from months to decades. You should adhere to UCD policy with regard to retention periods and delete data accordingly.
- Student Records Retention Schedule (Central Records - Registrar's Office)
Currently there are no detailed retention periods suggested for research data. At present it depends on the individual research project and its purpose.
Pseudonymous Data is subject to GDPR, Anonymised Data is not
Personal data that is effectively and irreversibly anonymised is no longer subject to data protection law. Effective means that data subjects are not identified, having regard to all methods reasonably likely to be used by the data controller or any other person to identify the data subject. Irreversible means that the source data was deleted at the same time as the anonymised data was created.
“Pseudonymisation” of data means replacing any identifying characteristics of data with a pseudonym, or, in other words, a value which does not allow the data subject to be directly identified. Pseudonymisation provides only limited protection for the identity of data subjects in many cases, as it still allows identification using indirect means. Where a pseudonym is used, it is often possible to identify the data subject by analysing the underlying or related data. Therefore, personal data that has been pseudonymised but can be used to re-identify a person remains personal data and falls within data protection law.
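The following is an added illustration, not part of the original guide and not UCD code: it pseudonymises a small constructed dataset with a keyed hash and then checks whether the remaining indirect attributes (postcode, year of birth, course) still single out an individual, which is the reason such data stays personal data. The record fields, the key and the k-anonymity threshold are assumptions chosen for the example.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample records for illustration only (no real people).
RECORDS = [
    {"name": "Ann Smith",  "student_no": "11111111", "postcode": "D04", "dob_year": 1998, "course": "COMP", "grade": 72},
    {"name": "Ben Jones",  "student_no": "22222222", "postcode": "D04", "dob_year": 1998, "course": "COMP", "grade": 65},
    {"name": "Cara Lee",   "student_no": "33333333", "postcode": "D14", "dob_year": 1997, "course": "MATH", "grade": 81},
    {"name": "Dan Murphy", "student_no": "44444444", "postcode": "D04", "dob_year": 1998, "course": "COMP", "grade": 58},
]

DIRECT_IDENTIFIERS = ("name", "student_no")          # removed by pseudonymisation
QUASI_IDENTIFIERS = ("postcode", "dob_year", "course")  # indirect identifiers that remain


def pseudonymise(records, key: bytes, field: str = "student_no"):
    """Drop direct identifiers and add an HMAC-SHA256 pseudonym of `field`.

    The key is the re-identification secret: anyone holding it can rebuild
    the mapping, so the output is still personal data. Keep the key apart
    from the dataset, under separate access control."""
    out = []
    for rec in records:
        token = hmac.new(key, rec[field].encode(), hashlib.sha256).hexdigest()[:16]
        stripped = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        stripped["pseudonym"] = token
        out.append(stripped)
    return out


def _combo_counts(records, quasi=QUASI_IDENTIFIERS):
    return Counter(tuple(rec[q] for q in quasi) for rec in records)


def k_anonymity(records, quasi=QUASI_IDENTIFIERS) -> int:
    """Smallest group size sharing one quasi-identifier combination.
    k == 1 means at least one person is singled out by indirect data alone."""
    return min(_combo_counts(records, quasi).values())


def singled_out(records, quasi=QUASI_IDENTIFIERS):
    """Pseudonyms whose quasi-identifier combination is unique in the dataset."""
    counts = _combo_counts(records, quasi)
    return [r["pseudonym"] for r in records if counts[tuple(r[q] for q in quasi)] == 1]


def suppress_unique(records, k: int = 2, quasi=QUASI_IDENTIFIERS):
    """Mitigation: keep only records whose combination occurs at least k times."""
    counts = _combo_counts(records, quasi)
    return [r for r in records if counts[tuple(r[q] for q in quasi)] >= k]
```

Running this on the sample shows k-anonymity of 1 after pseudonymisation (the MATH student remains unique on indirect attributes), so the dataset is still personal data until those attributes are suppressed or generalised.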
Data Protection law is Technology Neutral
GDPR makes it clear that the law applies to personal data in any form, and this includes paper files. You should take time to audit all physical personal data in your possession, e.g. Student Applications, Exam scripts, etc. Ensure that this data is securely stored under lock and key when not in use, accessible only by those authorised to view it. Personal Data which has passed its retention period needs to be securely disposed of (shredded). Check UCD’s retention periods for further guidance and ensure timely disposal of documents is scheduled. For more information on shredding contact email@example.com.
What about my UCD email?
Take care when sending personal data over email. UCD to UCD emails are encrypted in transit which helps protect from interception and eavesdropping. When sending personal data outside of UCD email avoid including the data in the body of the email. Instead, place the data in an encrypted file and attach it to the mail. The password for decryption can be given separately by phone or text. [How to encrypt a file or folder]. Lastly, you should never use your personal email account to send or receive UCD personal data.
With regard to storing personal data in your UCD email Inbox, we would advise having a separate folder for emails containing personal data. This will make it easier for you to review and delete these mails when necessary. There is currently no expectation for you to take action on historical email with regard to GDPR.
I’ve had a Data Breach, what now?
Avoid making your own judgement call when personal data has been lost or compromised. GDPR legally obligates us to contact the Data Protection Commissioner within 72 hours of a breach. For serious risks, such as an identity theft or financial loss, we may also need to inform individuals directly. If you think your data has been breached you should immediately contact the Head of School and UCD’s Data Protection Officer. Data Breaches fall into three categories:
- Confidentiality breach: where there is an unauthorised or accidental disclosure of, or access to, personal data.
- Availability breach: where there is an accidental or unauthorised loss of access to, or destruction of, personal data.
- Integrity breach: where there is an unauthorised or accidental alteration of personal data.
The government has published the Data Protection Bill 2018, which gives effect in legislation to the General Data Protection Regulation. A proposed amendment to the Bill allows for fines of up to €1 million for public bodies.
"Where the Commission decides to impose an administrative fine on a controller or processor that— (a) is a public authority or a public body, but (b) is not a public authority or a public body that acts as an undertaking within the meaning of the Competition Act 2002, the amount of the administrative fine concerned shall not exceed €1,000,000.” -- DATA PROTECTION BILL 2018 [Sixth list of amendments]
Beyond fines, you should consider the reputational damage that a data breach can cause to the school or your research group.
What should I do now?
Audit Your Data
- Review all your stored digital personal data and delete anything that is past the required retention period. Put a schedule in place to ensure deletion of personal data when future retention periods expire.
- As much as is possible, keep personal data on UCD systems, e.g. sisweb, banner etc. Only export and store personal data from these systems locally when absolutely necessary.
- Restrict access to personal data that you process to authorised individuals.
- Remove personal data from third-party storage vendors, e.g. Dropbox, iCloud etc. UCD’s storage options are Novell, Google Drive, and Microsoft OneDrive [more info].
- Remove personal data from any non-UCD information systems, e.g. CMSs, CRMs etc.
- Avoid putting personal data on easy-to-lose media like USB keys. When required to do so, please use file/folder level encryption [more info].
- Review all your stored personal data and securely dispose (shred) anything that is past the required retention period.
- Put a schedule in place to ensure secure disposal of personal data when future retention periods expire.
- Restrict access to personal data that you process to authorised individuals.
- When not in use, store data in a secure location, e.g. locked private office, filing cabinet, etc.
- Use secure courier services when sending personal data outside of UCD.
- As much as is possible avoid taking personal data outside UCD.
- Take care when printing personal data. Don't leave print jobs in queue and collect printouts immediately.
Keep your Laptop and Desktop Secure
- Passwords should be strong, regularly changed, and never shared.
- Always lock your computer when unattended.
- Keep Operating System up-to-date. [Windows] [Mac]
- Use Anti-Virus Software. [Windows] [Mac]
- Enable local Firewall. [Windows] [Mac]
- Encrypt hard drive and backup drive. [Windows] [Mac]
- Backup data regularly. [Windows] [Mac]
- Use Eduroam or Wired network in UCD. ‘UCD Wireless’ should be considered a guest access network only.
- When off campus use UCD’s VPN while on open unsecured Networks, e.g. airports, coffee shops, etc.
- Remove any third party apps with access to your Google Drive Data. To do this login to UCD Connect, go to https://security.google.com and run the security check-up.
- Use email safely [more info]
- Ensure that personal data is securely removed from computers before disposal or redistribution. For advice on this contact firstname.lastname@example.org
- Report any information security problems or potential problems immediately to email@example.com
Keep your Smartphone Secure
- Use a strong pin code (6 or more digits)
- Use biometric authentication when possible, e.g. fingerprint, facial recognition
- Enable automatic locking, 30 seconds or less
- Configure remote tracking and data deletion to protect your information from loss or theft, e.g. Find My iPhone.
- Encrypt your device [iPhone] [Android]
- Install system updates often
- Use Eduroam Wifi. ‘UCD Wireless’ should be considered a guest access network only.
- When off campus use UCD’s VPN while on open Networks, e.g. airports, coffee shops, etc.
- Be wary of social engineering scams
- Avoid jailbreaking/rooting your device
- Download anti-malware for your Android device, e.g. Malwarebytes.
Keep your Server Secure
- Use strong non-trivial passwords
- Enforce a strong password policy for users
- Keep operating system patched and up-to-date
- Keep applications and services patched and up-to-date
- Securely configure applications and services
- Enable firewall and allow access to only essential ports
- Install malware protection software
- Install intrusion prevention software, e.g. fail2ban
- Use HTTPS with an SSL/TLS certificate for your website. To get a digital cert contact firstname.lastname@example.org
- Request a vulnerability scan on your server. Contact email@example.com