The School of Mathematics Internal Website

GDPR website advice


This guidance is for all websites that contain personal data.

Please note we have been advised that if information was online before GDPR legislation then we do not need to seek retrospective consent for any listed personal data. We do however need to ensure that current website content involving personal data is covered by a privacy notice and cookie consent. We must also ensure that proper consent is obtained for data added in the future based on an appropriate legal basis (see link in next paragraph).

For any personal data to be included in a site there must be an identifiable legal basis for storing and processing this data. If the website will contain photographs or videos the guidance on publishing photography should be consulted.

There is further useful advice on GDPR compliance guidance for websites on the University's support wiki.

Website categories

The following categories explain what GDPR processes are required for different website/web page configurations. They all assume that the site will contain personal data.

1. Website hosted on UoE infrastructure and managed by UoE employee

Examples of this setup are your official School web page based on the School template, your personal web page/site and research group sites such as EMPG and Hodge. If your personal web page is hosted externally then see section 2 below. Where websites are hosted on UoE infrastructure, UoE is the data controller.

Privacy Notices

There is no need for the employee managing the site to create a privacy notice because the appropriate University privacy notice can be used. If the website is managed via EdWeb, a privacy notice will automatically be applied. If the website is hosted on UoE infrastructure but not managed by EdWeb, you will have to create a link to the relevant privacy notice. This link should be placed on the front page.

The relevant privacy notice will almost always be the School of Mathematics privacy notice (see https://www.maths.ed.ac.uk/school-of-mathematics/privacy). This notice also links to the University-level notices that are specific to services delivered (see https://www.ed.ac.uk/records-management/guidance/checklist/privacy-notice/university).

If, however, you think the School privacy notice does not sufficiently cover the personal data used on the website or the processing taking place, please contact the School DP Champions for advice. For example, if the website deals extensively with a particular type of data subject or University process, it may be helpful to link directly to one of the service-specific University-level notices rather than to the top-level privacy notice page, such as:

This is not an exhaustive list.

Cookies

If the website is managed via EdWeb then the University’s global cookie consent mechanism will automatically be applied via the University cookie consent banner, so no action is required. If the website is hosted on UoE infrastructure but not managed by EdWeb, you will have to add a cookie consent mechanism. Please contact the DPO at DPO@ed.ac.uk for advice.

If the website contains identifiable data relating to staff/students at other institutions then the legal basis for collecting and processing the data is likely to be legitimate interest. Examples of types of personal data that would typically fall under legitimate interest include information about:

  • Current and former PhD students
  • Speakers at conferences
  • Research collaborators
  • Publication co-authors

This is not an exhaustive list.

If you are unsure about any type of personal data on a website please:

  1. Check the legal basis and legitimate interest guidance links above
  2. If you are still unsure, check with the School DP Champions or the DPO

Note the particular requirements in relation to photographs and videos.

2. Website hosted on UoE infrastructure and managed by third-party company (e.g. Web developers such as Basestation)

Examples of this setup are the MIGSAA and Maxwell websites. In this case UoE is again the data controller and the third-party company is the data processor. A data processing agreement will need to be put in place (outlining what data you will give them and how they are to process the data). In this instance, please contact GDPR@maths.ed.ac.uk. Since the University remains the data controller, the University’s privacy and cookie arrangements can be used as required and as explained in (1) above. Particular attention should be paid by those not using EdWeb as the content management system.

3. Website hosted externally and managed by UoE employee and/or third-party company

Examples of this setup are a personal teaching web page created outside Learn and the SMSTC website.

In this case the website owner is the data controller, not UoE, i.e. the UoE employee or the organisation for whom the website has been created. The hosting company must be GDPR compliant and the website owner must be able to provide documented proof that this is the case. A data processing agreement will also be needed for any other third party that will be managing the data (outlining what data you will give them and how they are to process the data). In this instance, please contact GDPR@maths.ed.ac.uk.

Since the site is hosted externally the website owner is legally obliged to create and set up privacy notices and a cookie consent mechanism. The UoE privacy notices cannot be used. Template privacy notices are available within the DPO guidance. Please contact the DPO at DPO@ed.ac.uk for advice about a cookie consent mechanism.

If the website relates to teaching and contains personal data, the legitimate interest is highly likely to be weak and therefore the School strongly discourages use of such sites. The website owner may be asked to take the site down on the basis of unnecessary data processing unless they can demonstrate that the same information cannot be hosted using UoE services.

4. Setting up a new website

Before setting up a new website, consider whether it is necessary. If it is, select the lowest-risk setup that meets the business need, as explained in the scenarios above. If the website will contain any personal data, a data protection impact assessment (DPIA) needs to be completed before the website goes online.

Last direct edit: 14:27, Friday 19 July 2019, by Website administrator. (Feedback? Please contact the page owners)
