General principles for GDPR

What is/are the GDPR regulations?

GDPR stands for General Data Protection Regulation. The law is relatively new and applies to all countries currently within the EU, despite the forthcoming transition period where the UK will leave the EU on the 31st January 2020. A key issue for the users of BREO is the processing and use of personal data – for both staff and students.

GDPR and Digital Learning

If the University, and its staff members, fail to follow the principles of GDPR then this could result in a data breach. If there is a data breach, the Information Commissioner’s Office (ICO, the body that regulates data protection within the UK) can issue penalties of up to €20 million or 4% of annual turnover. The University may also decide to take disciplinary action depending upon the circumstances.

Personal data

The term personal data will be used throughout the rest of this guide. In the context of Digital Learning, we define it as:

  • Any information that can identify a living person (the ‘data subject’) and would include a name or identification number
  • Two examples of where it is inappropriate to share details might include: listing grades for all students in a unit, allowing students to see each other’s summative assignment submissions, or details of students who have mitigating circumstances.

In some cases it is helpful to share information between students, such as when setting up groups or allowing students to indicate a preference for an appointment via a sign-up sheet. This is fine as it ensures units run efficiently and it is part of the pedagogy employed by colleagues.

Principles of handling personal data

During the course of your duties, you may come across or have access to other staff or students’ personal data – the GDPR legislation obliges all of us to handle such data in a confidential, professional and responsible manner.

If you have access to staff or students’ personal information then you are expected to keep this confidential and you should only use the information in the course of your duties (e.g. marking of assessments, communicating grades with external examiners).

You should not go out of your way to look for or at personal data where you are not entitled to do so.

Data breaches and problems in BREO

The GDPR regulations describe a data breach in the following general terms: access by an unauthorised third party; deliberate or accidental action (or inaction) by a person handling or controlling data; sending personal data to an incorrect recipient; computing devices containing personal data being lost or stolen; alteration of personal data without permission; and loss of availability of personal data.

When you notice or think there may be a problem, alert the Digital Learning team immediately at BREOSupport@beds.ac.uk, marked as urgent, and copy david.pike@beds.ac.uk. Please include as much information as possible: the unit code (or a link to the unit), where the problem content is, and how the problem was discovered. The team will then make the necessary adjustments to the item or items that are causing the problem, and we may need your help when making a report to the DPO (Data Protection Officer).

Dealing with GDPR related enquiries from students, staff, members of the public, ex-students, and ex-employees

Requests from students should be dealt with in the form of an SAR (Subject Access Request). Students will need to lodge this with the University’s legal office. Details of the process are available from https://www.beds.ac.uk/about-us/our-university/public-information/data-protection
