Collecting data through surveys
When collecting personal data, we are required to supply the person providing the data with certain pieces of information explaining why we are processing their data, how we will process it, whether we will share it outside of the University, what their data protection legislation rights are, and who to contact with any questions or concerns.
One of the easiest ways to collect data is by using a survey tool. Whenever you set up a survey, you should only collect the data that you definitely need to meet your purpose. You must also include a Privacy Notice at the point of collection; normally this is achieved by including a link to the Notice in the survey itself.
We have produced some Privacy Notice Guidance, which includes a checklist to use to audit existing Privacy Notices, and a Privacy Notice template to use to produce your Notice if one covering your processing doesn’t currently exist.
Collecting data in the form of photographs / video recordings
Personal data includes a person’s image, so when taking photographs or recordings of events on campus we need to highlight to those whose images might be captured that we are collecting this data and explain what we are going to use it for. You don’t necessarily need consent as the lawful basis under UK GDPR to use the photos / videos, but you do need to provide clear details (ideally in advance) of how the individual can ask that their image is not used. Best practice is to obtain permission even if you are relying on another lawful basis under UK GDPR. For some purposes (such as marketing) you will need to obtain written permission in advance in any event.
If the event is by invitation only, a Privacy Notice should be included with the invitation explaining that photographs / video recordings may be taken. If the event is open to all, a Privacy Notice should still be made available and be appropriate for the intended audience. One easy way of doing this is by posting QR codes in the area of the event (although a paper copy should also be on display for those without their phones).
When the events include anybody under the age of 18 years old, their parents / guardians also need to be made aware and give their permission for the use of the images.
Mailing Lists – moderated, even for moderators
The cause of many data breaches is sending an email containing personal data to the wrong recipient. If this email is sent to an unmoderated mailing list, it is potentially even worse as it will be sent to multiple wrong recipients!
One control that can be put in place is to use Sympa to manage your mailing list. Sympa gives you an option to require all emails – even those written by a moderator – to be sent to the moderators for distribution. By having this control in place, the risk of sending an email to an entire mailing list of incorrect recipients is significantly reduced.
If you are a moderator of a mailing list, please select this option in Sympa. If you manage a mailing list outside of Sympa, please contact IT Helpdesk <firstname.lastname@example.org> for assistance with the initial set up.
If you have any questions not answered on the Assurance and Data Protection sites, or if you need further support and guidance, please do get in touch with the team by emailing email@example.com.
Head of Data Protection / Data Protection Officer (DPO)