This page provides an overview of data protection topics and links to sources of further information.
Data protection legislation sets out rules and standards for the use and handling (‘processing’) of information (‘personal data’) about living identifiable individuals (‘data subjects’) by organisations (‘data controllers’). It is based around the notions of principles, rights and accountability obligations.
The law applies to organisations in all sectors, both public and private. It applies to all electronic records as well as many paper records. It doesn’t apply to anonymous information or to information about the deceased.
Since 1 January 2021, the principal legislation has been the UK version of the General Data Protection Regulation (the ‘UK GDPR’), coupled with the Data Protection Act 2018 (DPA 2018) that supplements the UK GDPR in specific ways. The UK GDPR is almost identical to the EU-wide GDPR that applied from 25 May 2018 to 31 December 2020, with minor technical changes to allow its provisions to work within a UK-only context.
The EU GDPR itself replaced the Data Protection Act 1998 (DPA 1998) and the numerous Statutory Instruments issued pursuant to it. There is also supplementary data protection legislation covering specific topics, such as direct marketing. The legislation is regulated in the UK by the Information Commissioner’s Office (ICO) as well as the courts. The DPA 2018 delineates the regulatory powers of the ICO as well as introducing various criminal offences.
Data controllers processing personal data must follow – and be able to demonstrate that they are following – the data protection principles.
Under the GDPR, there are six principles. Personal data must be processed following these principles so that the data are:
Under the DPA 1998 there were eight principles but two of these (about the rights of data subjects and transfers of personal data outside the European Economic Area) are covered in different ways in the GDPR. Depending on the context, there are full or partial exemptions from the principles when processing personal data for specific purposes, including academic research.
An important aspect of complying with data protection legislation is being open and transparent with individuals about how their personal data will be used. The supply of this information – through documents variously known as ‘privacy notices’, ‘data protection statements’, ‘data collection notices’, ‘privacy policies’ and numerous other interchangeable terms – takes place in numerous targeted ways depending on the context of the interaction with the individual.
Under the GDPR, data subjects are given various rights:
The right to be informed of how their personal data are being used – this right is usually fulfilled by the provision of ‘privacy notices’ as described above
A response to a rights request needs to be sent within one month. However, nearly all of these rights are qualified in various ways and there are numerous specific exemptions (for example, almost none of the rights apply if the personal data are being processed solely in an academic research context). These rights build upon and strengthen the rights given to data subjects under the DPA 1998.
Data protection legislation imposes certain accountability obligations on all data controllers. Under the GDPR, the main obligations for large data controllers include:
One of the most important accountability obligations concerns personal data breaches – that is, personal data held by Cambridge Enterprise that is lost, stolen, inadvertently disclosed to an external party, or accidentally published.
If a personal data breach occurs, this should be reported immediately by emailing enquiries@enterprise.cam.ac.uk with the Subject heading ‘Data Protection’. The Deputy Director of Cambridge Enterprise will then lead an investigation into the data breach.
Remedial work can then be done so that the breach can be contained. On occasion, we need to report breaches to relevant external authorities, including the ICO, within a short timeframe.
Cambridge Enterprise’s Data Protection Policy was approved by the Cambridge Enterprise Senior Management Team on 16 May 2018, and last reviewed on 21 May 2020.
More detailed guidance for Cambridge Enterprise staff on data protection is published:
As stated in the Legislation section of this webpage, from 1 January 2021 (ie the end of the Brexit transition period), all substantive provisions of the EU-wide GDPR (as supplemented by the DPA 2018) about principles, rights and obligations continue to apply in the UK through the UK GDPR.
On 28 June 2001, the UK was granted a data protection ‘adequacy decision’ from the European Commission, meaning that personal data transfers from EEA-based organisations to UK-based organisations can continue without any additional safeguards. (This formal decision followed ‘bridging’ provisions in the December 2020 EU-UK Trade and Cooperation Agreement that had the same effect for the first six months of 2021.) In practice, this means that the University or Cambridge Enterprise should not be asked to enter into contractual variations with EEA-based organisations to facilitate the continuation of incoming personal data flows.
Wider information on the topic has been published by: