European Union – do your activities involve EU residents?
If your activities involve the collection or processing of information about any residents of the European Union, please email the Legal and Risk Branch before 1 May 2018. New data protection regulations commence on 25 May 2018 and will affect how you must collect and manage that data. The Legal and Risk Branch can help you assess the scope and nature of the activity and any compliance response needed.
New, legally enforceable obligations under the General Data Protection Regulation (GDPR) apply to the personal data of EU residents regardless of where that data is held. This could include data collected as part of student recruitment activities (exchanges or online courses), provision of services or research activities.
The EU regulation is more stringent than the rules that usually apply in Australia. To comply with the new regulatory requirements, you may need to consider:
The nature of the consent you obtain to collect data
- Consent must be a freely given, specific, informed and unambiguous indication signifying the individual’s agreement to the processing of their personal data
- Silence, pre-ticked boxes and inactivity do not constitute consent
- Individuals can withdraw consent at any time; unless you have another lawful basis for holding it, the data must then be deleted
The reasons you provide for collecting or processing information
- “Profiling” activities must be transparent, and you must explain the purpose for which the information is gathered
- You should only hold and process the data that is necessary for the completion of the activity
- Access to personal information must be limited to personnel who need it to administer the activity
Whether individuals from the EU are able to
- Request a copy of the personal data, free of charge, in an electronic format
- Exercise their “right to be forgotten” by having their data erased; where you cannot comply, you must be able to explain the legal or public interest grounds for retaining the data
How secure is the data, databases and record systems
- Take all necessary steps to reduce the risk of that data being compromised
- Ensure personally identifiable information (PII) is securely held and that access is limited
- In the event of a data breach you need to be prepared to notify the relevant supervisory authority within 72 hours of becoming aware of it and, where the breach is likely to result in a high risk to the individuals concerned, to notify those affected without undue delay
Please contact the Legal and Risk Branch for further advice on what you can do to avoid being in breach of the new Regulation.