Data Protection Laws and Regulation
Legislation
The UK data protection framework is set out in the Data Protection Act 2018, along with the General Data Protection Regulation (UK GDPR), which also forms part of UK law.
Together they regulate the collection and use of personal data – information about identified or identifiable individuals. For example, name, address or email address.
The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act 2018 and the UK GDPR. They give people specific privacy rights in relation to electronic communications, such as marketing by email or the use of cookies on websites.
Contact our Data Protection Officer at:
Data Protection Officer, Coventry University, Priory Street, Coventry, CV1 5FB
UK GDPR Principles
The University is required to follow and be able to demonstrate that they are complying with the principles set out in the UK GDPR, when processing personal data.
The principles are that personal data must be:
1
processed fairly, lawfully and transparently;
Fairly – means that individuals should not be misled or deceived when their personal data is collected
Lawfully – means you must process personal data in accordance with one pre-determined ‘lawful basis’
Transparently – means you must be open and clear to data subjects about the processing of their personal data, so they can make an informed decision about whether to provide that data, or exercise their data subject rights or not. This information is set out in the University’s Privacy Notices
2
personal data must only be used for specified, explicit and legitimate purposes;
3
must only be used in a way that is adequate, relevant and limited to only what is necessary for the purpose it was collected;
4
must be accurate and, where necessary kept up to date;
5
must not be kept for no longer than is necessary for purpose it was collected; and
6
handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.
There is also a seventh principle – Accountability. This means that the University has to take responsibility for complying with the principles, and to have appropriate processes and records in place to demonstrate compliance.
Learn more about how the University’s demonstrates compliance with the accountability principle.
Data protection regulation
The Information Commissioners Office (ICO) regulates data protection in the UK. They offer advice and guidance, promote good practice, carry out audits, consider complaints, monitor compliance and take enforcement action where appropriate.
You can find out more by visiting the ICO’s website.