Facilitating world-class research
In policy terms, data protection law aims to strike a balance between:
(a) the privacy interests of individuals, and
(b) the needs of organisations to make fair and reasonable use of information relating to those individuals in their operations.
This balance does not mean that researchers cannot make use of such information, or that they must always have an individual’s consent to do so, but the law does impose controls and restrictions which must be complied with.
Technology has made it possible to collect and use increasing amounts of information about individuals in ever more diverse ways. The GDPR will introduce a new framework to safeguard the rights of those individuals.
Compliance with the GDPR is a legal requirement. Breaches of data protection law may result in investigations, significant fines, adverse publicity, and civil or criminal liability.
Enforcement action may be taken by the Information Commissioner’s Office (the 'ICO'), which has the power to issue fines or require changes in an organisation’s policies and procedures. If the University fails to comply with its legal obligations, such action could be taken against the University and published on the ICO’s website, resulting in reputational damage.
Individuals have extensive rights under the GDPR, which they may exercise by submitting requests to organisations using their data (see GDPR exemptions for further information). If they are dissatisfied with the University’s response, they may complain to the ICO. Individuals may also bring legal claims for damage or distress.
More generally, the University is committed to responsible processing of information relating to individuals and to respecting their rights to data privacy. Although the consideration of data protection law may seem like an additional burden, much of it is plain common sense and, indeed, oftentimes consistent with the ethical requirements of many research projects.