Skip to main content

Data protection

We are committed to protecting the personal data of everybody who uses our website and we will comply with all key legislation in this area. 

General data protection regulations (GDPR)

On 25 May 2018, the EU General Data Protection Regulations (GDPR) came into force. GDPR replaces the Data Protection Act (1998) and ensures that individuals and organisations are held accountable for the personal data they collect, store and use. 

Key points of GDPR  

  • The Information Commissioner's Office (ICO) defines personal data as 'any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier', which includes: 
    • names 
    • addresses
    • dates of birth
    • phone numbers 
    • email addresses
    • National Insurance numbers
    • photographs, videos and voice recordings.
  • Organisations must keep records of what personal data they hold and document why it is held, how it is collected and used, when it will be deleted or anonymised, and who can access it. 
  • The regulations cover the personal data of all individuals, including: 
    • students 
    • staff 
    • visitors 
    • customers 
    • alumni 
    • donors 
    • supporters 
    • employers 
    • governors. 
  • Users must opt in and give explicit permission for us to hold their data (rather than the present 'opt-out' approach). 
  • Data must be held securely - there will be high fines for data breaches. 
  • Individual rights will include: 
    • the right to be informed (privacy statements will need to be expanded to explain the new responsibilities)
    • the right to be forgotten (data subjects can request that their data is deleted)
    • the right of access (subject access requests will have the £10 fee removed). 
  • Data must be shown to be processed lawfully, and privacy statements must explain how. 

Contracting with third parties

  • Birkbeck, like many other organisations, contracts with third parties and exchanges personal data with them for a variety of reasons. 
  • For the purposes of data protection legislation, these third parties are deemed to be either 'data processors' or 'data controllers'. 
    • Data processors, such as Microsoft or Eventbrite, act entirely under our instructions. 
    • Data controllers, such as partner institutions, make autonomous decisions about the use of the data they control. 

Data breaches

Essential information for Birkbeck staff  

  • Any staff member who asks for personal information and records it somewhere - even if you don't act on it - is processing personal data and, hence, required to comply with the law. 
  • Ideally, you should not hold local records of personal information. If it is necessary, then you should use encryption and password protection (Word and Excel documents can be password protected). 
  • You should not use locally held/maintained email lists and, when emailing a list, don't put email addresses in the To or CC (carbon copy) fields - use BCC (blind carbon copy) instead (this hides individual email addresses from recipients). Read our advice on bulk emailing
  • You should not set up systems for collecting or storing personal information on behalf of the College, either in locally developed infrastructure or cloud-hosted online services (eg Survey Monkey, Google Forms, Type Form). Use Online Surveys instead. 
  • Regularly check for, and delete, files that contain personal information that is no longer required. 
  • You should protect your account details and stay vigilant against attacks, such as email phishing. This includes setting a strong password. 
  • If you have any queries, please before acting. 

Event booking using Eventbrite

  • Some staff members currently manage event booking using Eventbrite - an external platform. Birkbeck does not have a contract with Eventbrite and Eventbrite is not engaged as a data processor on Birkbeck's behalf.
  • If you use Eventbrite to organise events, you must make participants aware that if they put their data into the Eventbrite website they are sharing it with Eventbrite under Eventbrite’s privacy notice. You should also direct participants to the relevant Birkbeck privacy notice, which covers our processing of this data when we retrieve it from Eventbrite. There are standard privacy notices for applicants and students, staff, friends and donors and enquirers/prospective students. You should provide an alternative (e.g. direct email) for people who don’t want to put their data into Eventbrite.
  • Suggested text (both for event listings and confirmation emails): 'Bookings for [event name] are being taken via Eventbrite [link to the event]. Eventbrite is a privately run platform for event booking. By completing this booking, you will become an Eventbrite user, and your data will be processed by them as described in their privacy policy. Any data you provide will be passed from Eventbrite to Birkbeck and processed in line with our privacy notice [link].' 
  • We have developed features within our events system for staff to manage bookings, payments and waiting lists through My Birkbeck for staff, which is fully GDPR-compliant. We recommend that you use the events system whenever possible.

Scheduling meetings using Doodle

  • Doodle is a commonly used tool for 'polling' people for suitable slots for meetings and events. It is a free-to-use, advertising-funded service. View a video tutorial on using Doodle. 
  • Birkbeck does not have a contractual arrangement with Doodle, and therefore Doodle is not an acceptable location for the processing of personal data. In most cases, it is more efficient and carries less data protection risk to arrange meetings using your Microsoft Exchange calendar, though Doodle is useful where attendees are outside Birkbeck.
  • If you do use Doodle, please follow the following guidelines:
    • Send any invitations from your personal email account, making clear what they are for.
    • Don't enter the data of others into Doodle on their behalf.
    • Ask for the minimum data to identify attendees, and specify that what is entered will be stored and processed under Doodle's privacy policy.
    • Give attendees an alternative, such as email.

Further information