
GDPR Frequently Asked Questions

Email Detox

Q1: I have staff names in my emails such as john.doe@manchester.ac.uk, is this personal data?

It is personal data, but it is not the kind of information we are asking you to delete from emails. We consider staff information to be significant personal data only if it is about them as an individual, for example about their performance in their role. If a name appears in an email simply because it refers to them carrying out their job within the University, e.g. “John Smith attended a meeting with Estates”, this is not significant personal data. The context of the communication is the determining factor. Minutes of meetings, or emails your colleagues have sent you in which their names are incidental to the topic being discussed, should not be prioritised for deletion.

If you are a line manager and you hold information relating to your staff, such as old P&DRs, sickness records or occupational health reports, this information must be prioritised for deletion if it has been held longer than the Records Retention Schedule (RRS) states it should be.

Q2: I have CVs that are 20 years old but I need them for student references, should I delete them?

These will be older than the RRS allows and the information will be out of date, so they must be deleted. Try to work towards new ways of working, e.g. when a student asks for a reference, ask them to provide you with an up-to-date CV.

Q3: What if I have an obligation to keep information for longer than the University RRS prescribes?

If you believe that some of the information you have needs to be kept for longer than the period described in the Records Retention Schedule (RRS), you should first seek advice from the Information Governance Office.

Q4: Should I just archive all of my emails or move them to another storage solution?

We are asking that you tidy your email folders and look at how you use your mail to ensure you comply with the University’s Records Retention Schedule (RRS) because, where personal data is concerned, we are legally obliged to delete information that we cannot justify retaining. If you move or archive, you are just transferring the information elsewhere. Some of the information may still be out of date and the risk of non-compliance with data protection laws remains.

Q5: I also have documents containing personal data stored on the shared drive, what should I do?

We have asked that you concentrate on deleting out-of-date information in your inboxes, including archives (.ost files / .pst files). However, if you have PII stored elsewhere that you have also identified as being too old and not up to date, this should also be deleted. The same applies to any personal data held in paper documents.

Q6: How can I identify where the personal data is in my inbox?

  1. There are a few searches you can perform that will bring up emails that almost certainly contain personal data. Try this multiple search: “CVs”; “PDR”; “sick note”; “absence”; “disability”; “disciplinary”; “mitigating circumstances”, or similar terms, perhaps adding the names of known individuals or other key words.
  2. The retention period for student information is six years after they have left, so you can delete that category of data once it is older than this.
  3. If you have processes that generate lists of staff, alumni, advertising contacts or students, that is also something to look for. It is likely that you have downloaded this information from a system (creating a copy) and then sent it out in emails (creating duplicates), possibly as attachments. These should be easy to spot, and only the latest copies should be kept.

Q7: What about the emails in my sent items?

You will need to consider your entire mailbox when carrying out this exercise. This includes folders you have created within your inbox, as well as the inbox itself, your sent items and your deleted items folder. Do not forget to “double delete”, i.e. ensure that you empty your deleted items folder. In future, consider changing your Outlook settings so that your deleted items folder is automatically emptied when you exit Outlook. You can do this in advanced options (File, Options, Advanced).

Q8: Why are we referring to duplicates in mailboxes?

It is likely that the master copy of a key document is not the one in your mailbox e.g. the final version of a policy you were helping to draft will be stored elsewhere and you will probably have a duplicate version because you sent an attachment to someone else in an email. The same is true for any attachments that you have received which will be in your inbox.

A lot of information has a short "shelf life" and can be deleted once read. This is especially true of emails, but it also applies to information sent to you for reference purposes, e.g. meeting papers. The versions you received will be duplicates and can be deleted as soon as you no longer need them, usually shortly after the meeting.

Q9: Will I be asked to carry out this exercise again next year?

It is important that, as part of carrying out this exercise, we all think about the ways we work and in particular how we manage the information we create and receive as part of our jobs. In future we need to apply new approaches to ensure that we are better able to delete information that is no longer required or is beyond its retention period. This might include creating folders for particular types of information, e.g. staff management, so that you can more easily find it and delete it.

Q10: Is there any guidance on storage solutions and what can be used instead of my mailbox?

We will be working with colleagues from across the University to address this issue and provide new tools and ways of working to establish improved records management. In the meantime, shared drives, SharePoint and Dropbox are some of the places where information should be stored, with appropriate access rights.

Training

Q1: What sanctions will apply for not completing Data Protection training?

The Planning and Resources Committee (PRC), informed by the Information Governance Committee, has agreed that the data protection training is mandatory for all staff and that continued access to IT systems is conditional on it being completed. Failure to complete the training in accordance with policy could therefore result in the removal of IT access.

Q2: I've done my data protection training before, why am I receiving reminders to complete it again?

It is important that you keep your data protection knowledge up to date. All staff at the University must carry out the training every two years. You can find out when you last completed it on MyManchester.

Research

Q1: What research data is affected by GDPR?

The GDPR applies to any personal data processed by organisations in the EU, and personal data of people in the EU that is processed anywhere.

Personal data means data relating to living people from which they can be identified. This is very broadly defined and even includes data that have been pseudonymised, but not anonymised data. Be clear on the definition of anonymous: it means we (“we” meaning the University, not just the research team) have no way or method of re-identifying the individual at all. Such methods include re-applying the “key” or linking datasets, for example.

Particularly sensitive data—such as data about health, political opinions, religious beliefs, or genetic or biometric data that are uniquely identifying—are classed as special categories of personal data, and require additional protection.

Q2: How does GDPR affect me as a researcher?

It shouldn’t impede research. Many existing processes that underpin good research practice are reflected in the new requirements.

The regulation requires you to be lawful, fair and transparent. To be lawful, anyone who processes personal data needs to comply with one of six ‘legal bases’ for doing so.

The appropriate one for university research is likely to be the ‘public task’ basis, where processing is necessary to perform a ‘task in the public interest’. Where special categories of data are processed, such as health data, an additional condition is needed. This is likely to be ‘necessary for scientific research in accordance with safeguards’.

Safeguards apply widely to the processing of personal data for research, not just for special categories. But don’t worry: the safeguards are probably already in place as part of current good practice. They include obtaining Research Ethics Committee approval, only processing personal data that is necessary, and anonymising or pseudonymising where possible. Data should be held securely, and those handling the data should be aware of the importance of confidentiality. We detail our safeguards in our general research privacy notice.

Q3: What about consent?

It can be understood in two ways: as one of the six lawful bases under GDPR, and as consent to take part in a research project because of ethical or other legal requirements.

If you are using ‘public task’ as the lawful basis plus the research condition for special categories of personal data, you do not need to meet the ‘consent’ requirements of GDPR, such as getting reconsent from participants every two years.

You will still need to seek initial consent from participants to take part in your research project. This is for ethical or other legal reasons, such as disclosing confidential information in line with the common law of confidentiality.

So participants have dual assurance: the GDPR ‘public task’ basis reassures them that the organisation processes personal data for the public good, and the existing safeguards are appropriate, enabling them to participate confidently in the research.

Q4: What does fair and transparent mean?

Your research using personal data will also need to be fair and transparent. Fairness includes respecting participants’ rights and ensuring that personal data are used in line with their expectations.

Transparency is very important for fairness. You need to ensure transparency at both corporate level (detailed in the general research privacy notice) and project level (detailed in the participant information sheet). Participants should clearly understand the research process and how their privacy will be protected. If you are detailed, participants will understand the value of their data to the research endeavour and have reassurance that their personal interests are being safeguarded.

Q5: Where can I get further advice?

When dealing with complex collaborations, it might not be obvious who the data controller is and who has a duty of lawfulness, fairness and transparency. Speak to the University’s data protection officer or the Information Governance Office to work out who the data controller is for your study. It may not be obvious, and you may have more than one. Advice is available from information.governance@manchester.ac.uk.

Marketing

Q1: If I send electronic communication to an external database, do I need to get opt in consent?

When considering if you need to get people to opt in, first consider how you acquired their contact details in the first place and how long ago this was. If they asked to receive information from you, provided their contact details to you specifically for this purpose and they are only receiving what they expected they would receive from you, then it is likely that you already have their consent and you will not need to get opt in consent again.

However, you must ensure that you have an opt out in each communication you send and have processes to ensure that you can remove their details from your database if someone requests this. If their original consent was a long time ago (the exact period will vary according to the context of the communications but is unlikely to last more than five years) and they have not engaged with you since, then you should ask these people if they still wish to be contacted i.e. seek new opt-in consent. This should be repeated periodically.

Please note there is an exception to this in certain circumstances where the contact list relates to existing “customers”. If you are uncertain as to whether you need to rely on opt-in consent please seek additional guidance from your Information Governance Guardian or the Information Governance Office.

Q2: If an external person requested information previously, can we keep communicating with them?

No. If this was a one-off enquiry, the individual did not ask to be added to your mailing list. You will need to get opt-in consent from the individual to continue emailing them, and subsequently ensure that there is an opt-out in all further communications. In future, when responding to an enquirer you may ask if they want to be added to your mailing list, and then only add them if they have affirmatively responded that they do.

Q3: I sent an opt in email but not everyone replied, what do I need to do?

If they have not replied, you must delete their details and not email them again. You cannot keep their details and email them again at a later date after 25 May 2018.

Q4: What do I need to document when getting opt in consent?

You need to know the source of the contact details, i.e. where did you get their details? For example, they completed an online form.

You also need to record the date they requested to receive information from you and document what it was they signed up to receive. It is a good idea to categorise your contacts to record engagement, e.g. active, semi-active and non-active.

Manage your non-active contacts appropriately: if they have not engaged with you for a number of years (i.e. 5 years), you must either seek and secure a new opt-in from them or remove their contact details from your list.

Q5: My colleague has a list of external contacts, can I send them information about my initiative?

You need to check what the individuals on that list have agreed to receive and whether your new communication is in line with this original purpose. You can use the list as long as you explain why they are receiving it and provide an opt-out. If your use of their contact details is for a different purpose, i.e. one they would not expect, then you do not have valid consent to send the information to them.

Q6: I have acquired a list from a 3rd party organisation, what do I need to do when emailing them?

Consider if they have been made aware that they would be contacted by you.

If you received the contact list from a third party, you will need to ensure that the individuals opted in to their details being shared with you. If you do not have this assurance, you should not use the list of contacts.

If you do have the correct assurance, you should still tell the recipients where you acquired their details in the first message you send them, and provide an opt-out to stop future communications in every message.

Q7: My list of contacts is historical, how long does consent last for?

Consent is not forever. If your contacts have been acquired more than five years ago and individuals have not engaged with you since, it is time to cleanse your mailing list and ensure that the people on it are still happy to receive communications from you. Please remember that no response means that you need to delete their details and you should not email them again.

Q8: When we hold events, we email attendees to ask for feedback, is this allowed?

Yes, it is allowed if it is a genuine request for feedback, as long as you do not add information or marketing with a different purpose. If you do want to send them other promotional or marketing information, then you must get opt-in consent from them. The exception to this is where the event has been paid for and at registration you explained that you would like to send further event-related communications and offered an opt-out at that time.

Q9: I share details of attendees with 3rd parties for events, is there anything I should know?

Check your terms and conditions or contract with them: they are processing the information on your behalf and they should follow your instructions. The third party must not use your list of contacts for their own purposes.

Q10: Individuals opt in to receiving information through a form on a webpage, what do I need to do?

The form should have a short privacy notice detailing what they will receive from you. If it is an enquiry form and you will also add them to a mailing list, you will usually need an opt-in rather than an opt-out; if you are uncertain about what you need to do, seek guidance from the Information Governance Office. You also need to ensure that you only collect the information you need to fulfil your purpose. Do not collect extra information just because it might be useful in future.

Q11: I use listserv to send out newsletters, do I need to send an opt in email to all recipients?

No, you do not. You do not need to get consent again if you know that the individuals provided you with their contact details in order to receive this information from you and were not added to the list without their knowledge, or you have an existing relationship with the recipients (such as staff, students or those you already work with); you are only sending them the material they were told they would receive; and you have always offered a means of unsubscribing or opting out of future communications.