GDPR
Tags: Information_Governance_Category
Regulation
Latest Developments
Guidance
- Write up (GP System)
- NHS Digital
- ICO - Certainly the best. A good starting point for creating policies and SOPs. Contains templates and checklists.
- ICO Big Data and Machine Learning guidance
- GDPR Webinar
Work Requirements
Communicate with all Researchers
Documentation
Study Data Documentation
- Lawful basis for processing (probably only consent is applicable):
  - Consent
  - Contract with individual
  - Legal obligation
  - Vital interest (i.e., to protect someone's life)
  - Public task (as directed by legislation)
  - Legitimate interest
- Safeguards (need to double check these):
  - Data minimisation
  - Pseudonymisation
  - Limited period of identification
  - Limited period of retention
  - No distress or damage caused to individual
  - Not used for personal decisions
  - Policies are in place
  - Informing the public
- Anonymisation:
  - Anonymous
  - Pseudonymised
  - Identifiable
- Data type:
  - Personal data
  - Special category data:
    - Racial or ethnic origin
    - Political opinions
    - Religious or philosophical beliefs
    - Trade union membership
    - Genetic data
    - Biometric data (where used for personal identification)
    - Health data
    - Sex life
    - Sexual orientation
- Conditions for processing special category data (requires a link to the actual description):
  - Explicit consent
  - Necessitated by employment, social security or social protection law
  - Necessary to protect the vital interests of the subject or another person, where consent is not possible
  - Legitimate activities of a not-for-profit organisation with direct contact with the data subject
  - Data has been made public by the data subject
  - For legal purposes
  - For substantial public interest
  - For health provision
  - For serious public health issues
  - Archiving for historical or scientific research
- Archives
- Data retention timescales
- Data source
- Location of data
- Outputs and data sharing
Audits and Review Meetings
- Frequency
- Attendees
- Items to cover:
  - Review of lawful basis
  - Review of safeguarding
  - Review of user access list
Transfers, Processors and Data Sharing
- Organisations
- Contracts
- Anonymisation
- Data type
- Data processing agreements / Information sharing agreements
- Length of agreement
Data Protection Impact Assessment
Policies / SOPs / Mitigation
Rights of Data Subject
- Right to be informed
- Right to access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Right to not be subject to automated decision-making, including profiling
Areas requiring Action
- Public communication:
  - Web sites
  - Posters
- Withdrawal / Do not contact / erasure requests
- Data breach notification
- Data review meetings
- Anonymisation / Pseudonymisation
- Data transfer and encryption
- Authentication
- Request management:
  - Access
  - Rectification
  - Erasure
  - Restrict processing
  - Data portability
  - Objections
Security
Last modified on 12/27/17 16:56:43