Data protection

We are committed to protecting the personal data of everybody who uses our website and we will comply with all key legislation in this area. 

General data protection regulations (GDPR)

On 25 May 2018, the EU General Data Protection Regulations (GDPR) came into force. GDPR replaces the Data Protection Act (1998) and ensures that individuals and organisations are held accountable for the personal data they collect, store and use. 

Key points of GDPR  

  • The Information Commissioner's Office (ICO) defines personal data as 'any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier', which includes: 
    • names 
    • addresses
    • dates of birth
    • phone numbers 
    • email addresses
    • National Insurance numbers
    • photographs, videos and voice recordings.
  • Organisations must keep records of what personal data they hold and document why it is held, how it is collected and used, when it will be deleted or anonymised, and who can access it. 
  • The regulations cover the personal data of all individuals, including: 
    • students 
    • staff 
    • visitors 
    • customers 
    • alumni 
    • donors 
    • supporters 
    • employers 
    • governors. 
  • Users must opt in and give explicit permission for us to hold their data (rather than the present 'opt-out' approach). 
  • Data must be held securely - there will be high fines for data breaches. 
  • Individual rights will include: 
    • the right to be informed (privacy statements will need to be expanded to explain the new responsibilities)
    • the right to be forgotten (data subjects can request that their data is deleted)
    • the right of access (subject access requests will have the £10 fee removed). 
  • Data must be shown to be processed lawfully, and privacy statements must explain how. 

Contracting with third parties

  • Birkbeck, like many other organisations, contracts with third parties and exchanges personal data with them for a variety of reasons. 
  • For the purposes of data protection legislation, these third parties are deemed to be either 'data processors' or 'data controllers'. 
    • Data processors, such as Microsoft or Google or Business World, act entirely under our instructions. 
    • Data controllers, such as partner institutions, make autonomous decisions about the use of the data they control. 

Data breaches

Essential information for Birkbeck staff  

  • Any staff member who asks for personal information and records it somewhere, even without acting on it, is processing personal data and is therefore required to comply with the law. 
  • Ideally, you should not hold local records of personal information. If it is necessary, then you should use encryption and password protection (Word and Excel documents can be password protected).
  • You should not use locally held/maintained email lists and, when emailing a list, don't put email addresses in the To or CC (carbon copy) fields - use BCC (blind carbon copy) instead (this hides individual email addresses from recipients). Read our advice on bulk emailing.
  • You should not set up systems for collecting or storing personal information on behalf of the College, either in locally developed infrastructure or cloud-hosted online services (e.g. Survey Monkey, Google Forms, MailChimp, EventBrite, Type Form). Use Online Surveys or Microsoft Forms for surveys, and Outlook or Campaign Monitor in conjunction with interest mailing lists for bulk emails instead. 
  • Regularly check for, and delete, files that contain personal information that is no longer required. 
  • You should protect your account details and stay vigilant against attacks, such as email phishing. This includes setting a strong password. 
  • If you have any queries, please before acting. 

Scheduling meetings using Doodle

  • Doodle is a commonly used tool for 'polling' people for suitable slots for meetings and events. It is a free-to-use, advertising-funded service. View a video tutorial on using Doodle. 
  • Birkbeck does not have a contractual arrangement with Doodle, and therefore Doodle is not an acceptable location for the processing of personal data. In most cases, it is more efficient and carries less data protection risk to arrange meetings using your Microsoft Exchange calendar, though Doodle is useful where attendees are outside Birkbeck.
  • If you do use Doodle, please follow these guidelines:
    • Send any invitations from your personal email account, making clear what they are for.
    • Don't enter the data of others into Doodle on their behalf.
    • Ask for the minimum data to identify attendees, and specify that what is entered will be stored and processed under Doodle's privacy policy.
    • Give attendees an alternative, such as email.

Further information