UEL Privacy Statement
The University of East London recognises that personal privacy is an important issue, and our website practices are in compliance with all relevant UK legislation.
At time of writing, users are not required to register or provide any personal information in order to use the main website at the University of East London. No personal data is stored by or captured through the site without users’ prior knowledge and consent.
Where personal information is captured (eg through web forms for prospectus requests, applications to study, feedback, etc), the user will be aware of what information is being given and why. Any personal information that you provide to us will be used only for the purpose stated at the time we request it or for related communications. See also our Data Protection Policy.
What data is collected?
In common with most websites, this site automatically logs certain information about every request made of it. The University’s website does not automatically capture or store personal data from visitors to the site, other than to log your IP address and session information. Session information includes the time and duration of your visit to the site, the files requested, and the browser used.
This information will only be accessed by authorised persons of the University of East London or its agents. The information will be kept by the University and used only for the purpose of:
- Managing the site system
- The identification of broken links
- Bug tracking
- Statistical and audit purposes.
Relevant subsets of this data may be passed to computer security teams as part of investigations of computer misuse involving this site or other computing equipment in the University. Data may be passed to the administrators of other computer systems to enable investigation of problems accessing this site or of system misconfigurations.
Data may incidentally be included in information passed to contractors and computer maintenance organisations working for the University, in which case it will be covered by appropriate non-disclosure agreements.
Personal data in forms
A number of fill-in forms are provided on this site. The pages containing these forms include information on how data submitted on them will be processed and used, and such information is held by the University in accordance with the provisions of the Data Protection Act 1998. The information collected will only be used for the stated purpose and, by supplying such information, you consent to the University storing the information for that purpose. See also our Data Protection Policy document.
The UEL website uses Google Analytics, a web analytics service provided by Google, Inc. Google Analytics sets a cookie in order to evaluate your visit to our website and compile reports and to help us improve the site.
How to control and delete cookies
Please visit www.aboutcookies.org for a more comprehensive guide to deleting and controlling cookies.
The University of East London is committed to the security of our users’ personal information and we have security procedures in place to protect against loss, misuse or alteration of personal information under the University’s control.
Data protection at UEL - Important changes to the law
All organisations that process the personal data of individuals are bound by rules regarding how they manage that data under the Data Protection Act (DPA). The DPA is being replaced by the General Data Protection Regulation (GDPR) on 25th May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR which will be introduced in the form of the Data Protection Bill.
The GDPR updates the rules on how organisations manage and use personal data. It also gives people rights regarding how organisations manage their personal data.
The University will need to do some things differently in the way we collect, use and manage personal data and all staff will need to play their part to ensure compliance. Work is underway to prepare for the changes and these pages will continue to be updated to provide further advice and guidance.
What information is covered under GDPR?
Like the DPA, the GDPR applies to ‘personal data’. The GDPR’s definition of personal data is more comprehensive and includes online identifiers such as online accounts, IP address etc. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria.
Sensitive personal data
The GDPR refers to sensitive personal data as “special categories of personal data”. These categories are similar to those in the DPA, such as gender, ethnicity and disability, but also include new areas such as genetic and biometric data. Processing sensitive personal data has additional requirements, which must be adhered to.
The GDPR principles
Like the DPA, the GDPR sets out principles of processing for all personal data. In essence, if an organisation cannot meet these principles, it cannot legally process the data. The new principles are:
(a) personal data must be processed lawfully, fairly and in a transparent manner in relation to individuals;
(b) personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
(c) personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
(d) personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
(e) personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
(f) personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Overlying all of these principles is a new accountability principle which requires UEL to be responsible for, and be able to demonstrate, compliance with the principles.
When can UEL process personal data?
The processing of personal data under the GDPR needs to have a legal basis for the processing to be valid, often referred to as the “conditions for processing” under the DPA.
It is important that UEL determines the legal basis for processing, as under the GDPR this has an effect on individuals’ rights. For example, if we rely only on consent as the basis for processing personal data, individuals have stronger rights, such as having their data deleted.
What are the processing conditions?
- Consent of the data subject
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
- Processing is necessary for compliance with a legal obligation
- Processing is necessary to protect the vital interests of a data subject or another person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Legitimate interest – this condition will not be available for processing carried out by public authorities in the performance of their tasks under the GDPR. This means that any personal data processed by the University under the DPA Legitimate Interest condition will need to be reviewed.
There are additional requirements when processing sensitive personal data.
How does consent change?
Consent under the GDPR has far more specific requirements than DPA.
- Consent must be freely given, specific, informed and unambiguous
- Consent requires some form of clear affirmative action. Opt out or silence does not constitute consent
- Consent must be demonstrable. Some form of record must be kept of how and when consent was given.
- Individuals have the right to withdraw consent at any time.
Where we already use consent under the DPA we will not need to obtain fresh consent, as long as it meets the standard required by the GDPR. Therefore all current processing that uses consent should be reviewed to ensure it meets the GDPR requirements. As a general rule, if a person withdraws their consent and as a result they can no longer use a UEL service (such as a placement opportunity, or be a member of a course or group), then consent is the wrong basis for processing.
The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the DPA.
The GDPR provides the following rights for individuals:
- The right to be informed – usually via a Fair Processing Notice
- The right of access – known as subject access requests (SAR)
- The right to rectification
- The right to erasure – also known as the right to be forgotten
- The right to restrict processing
- The right to data portability
- The right to object – includes profiling, direct marketing and processing for research
- Rights in relation to automated decision making and profiling.
These are not absolute rights and do not always apply. There are a number of exemptions to all these rights to ensure, for example, that legal requirements can be met and the public interest is protected.
Privacy impact assessments
Under current DPA rules it is recommended that a Privacy Impact Assessment is carried out to ensure all projects and new systems are built with appropriate security measures in mind and that the new project/system complies with the principles of the DPA.
Under the GDPR a Privacy Impact Assessment becomes a mandatory legal requirement and for high-risk situations UEL may need to consult with the ICO to seek its opinion as to whether the processing operation complies with the GDPR.
Carrying out an impact assessment at the start of a project ensures privacy by design and compliance with legislation, and that systems are built with security from the outset and risks are managed. This often results in better and cheaper solutions, as adding good security at a later date can be expensive.
Further information and templates will be made available on these pages for staff to use.
The GDPR will introduce a duty on UEL to record all data breaches and report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected within 72 hours of UEL being made aware of the breach.
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.
Fines for breaches of the GDPR have increased, and the maximum fine can be up to €20 million or 4% of global turnover for a breach, depending on a number of factors. Individuals also have the right to compensation if processing of personal data does not conform to the GDPR principles outlined above.
UEL is fully committed to ensuring that it can comply with the obligations it has under GDPR. We are in the process of reviewing our data handling practices and updates to this page will provide further information in the coming months.