The new General Data Protection Regulation (GDPR) came into force on Friday 25 May 2018.
These regulations apply to you and your work
If you access, use, or store personal information about living people (GDPR calls this ‘processing personal information’), you will need to understand the GDPR and how to comply with it.
If any staff you line manage (or students you teach) process this kind of data, you will all need to understand the GDPR. The regulations will also apply to mailing lists that you use to send information about College activities to individuals.
What do you mean by personal data?
- Information about or relating to a living person
- Identifiable (on its own or in combination with other information)
- Please see FoM GDPR definitions (SharePoint) for more information.
Examples of data categories
- Clinical observation cohorts
- Population cohorts for epidemiology studies
- Tissue donors
- Clinical trial datasets
- Consent to participate in research (either electronic or hard copy)
- Participants’ personal details used for reimbursement
- Questionnaires, surveys and tests
Admin or HR data
- CVs of job applicants (could be held on laptops, PCs, emails, shared drives, paper copies, etc.)
- Information about staff performance, reviews, disciplinary hearings
- Finance FTE reports
- Expense forms
- Names and contact details used for course marketing purposes
- Students' data that could be used to help with their welfare, occupational health (e.g. GP letters)
- Students' data used for examination assessment
- Supervisory reviews of students' activities
- Student CVs
Patient data (non-research)
- Emails, patient notes, records regarding Trust clinical activities
- Data stored about Trust patients on your Imperial machine (PC, iPad, laptop, Mac)
- Remember that processing of data for patient management purposes is not permitted on the College network and equipment
Key questions around GDPR
What is the Faculty of Medicine doing about GDPR?
A FoM GDPR working group, chaired by Professor Richard Reynolds, was established to create an implementation action plan for the Faculty. The group worked closely with College legal services and ICT to align the College policies and the Faculty’s practical guidance.
As a result, the Faculty now has a dedicated FoM Information Governance SharePoint site that provides practical guidance for Faculty-specific activities.
The Faculty Information Governance & Strategy Committee is now established to take forward the IG enhancement programme. The SharePoint site will be continuously updated as a result of their work.
What can I do now?
- FoM GDPR Definitions
- Managing your data – good practice guide
- How to manage personal data at the Faculty of Medicine – core roles and responsibilities and Faculty-specific mechanisms to facilitate implementation
- How to manage personal data for research purposes - key principles and practical guidance for handling of health and social care data when conducting research activities
- Online data breach form – use it to report any potential data breaches
- Research DPIA tool – a bespoke solution for registration and risk assessment of research data