The General Data Protection Regulation (GDPR) is a European-wide law that sets out how personal data must be handled by organisations. It came into effect on 25 May 2018. In the UK, it replaced the Data Protection Act 1998.
The GDPR was introduced to:
Despite sharing many similarities with the 1998 Act, the GDPR introduced a number of changes to data protection practices. Key changes included:
any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular in reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal data includes: name, date of birth, NI number, home address, email address, student ID number, dates of enrolment, attendance information, visa and immigration information, student or staff photo, disciplinary information, bank and financial details, exam and assessment results.
Special categories of personal data
i.e. personal data, revealing:
Examples of special category data include open door and disability support records, sick notes and medical fit notes, equality data.
Note: Data relating to criminal offences and convictions does not fall within the definition above despite being treated as 'sensitive personal data' under the Data Protection Act 1998. Rules around the use of this type of personal data are even more restrictive and are covered in Article 10 of the GDPR and sections 10, 11 and Schedule 1 of the DPA 2018. For further information, contact firstname.lastname@example.org.