
General Data Protection Regulation (GDPR)
Mastering the basics of data protection
Definitions
The term ‘data’ refers to all information and documents containing personal or non-personal information. Some may be considered essential to Sciences Po, others confidential, and others still public.
It is essential that you indicate in your documents whether they are confidential or not.
‘Personal data’ refers to any information that directly or indirectly identifies a natural person (e.g. name, registration number, telephone number, photograph, date of birth, place of residence, fingerprint, etc.).
‘Data processing’ refers to any operation, or set of operations, relating to confidential information, regardless of the method used (collection, recording, organisation, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, etc.).
‘Data protection’ refers to the set of principles and legal obligations to be observed when collecting, processing, disseminating and storing data.
Is my data processing lawful?
See Article 9 of the General Data Protection Regulation (‘GDPR’) on special categories of personal data.
The processing of sensitive personal data is subject to authorisation
Categories of sensitive (‘special category’) personal data within the meaning of the GDPR:
- Racial or ethnic origin,
- Political opinions,
- Religious or philosophical beliefs,
- Trade union membership,
- Genetic data,
- Biometric data,
- Data concerning health,
- Data concerning sex life or sexual orientation.
The processing of such data may be permitted if one of the following applies:
- the data subject has given their written consent,
- the processing is necessary for the purposes of labour law, social security and social protection,
- the processing is necessary to safeguard the vital interests of the data subject,
- the processing is carried out by a foundation, an association or any other non-profit organisation pursuing a political, philosophical, religious or trade union purpose, provided that such processing relates exclusively to members or former members of that body or to persons maintaining regular contact with it in connection with its purposes, and that personal data are not disclosed outside that body without the consent of the data subjects,
- the processing relates to data made public by the data subject,
- the processing is necessary for the establishment, exercise or defence of legal claims,
- the processing is necessary for reasons of substantial public interest, provided that it is proportionate to the aim pursued, respects the essence of the right to data protection and provides for appropriate and specific measures to safeguard the fundamental rights and interests of the data subject,
- the processing is necessary for preventive medicine or occupational medicine, for the assessment of the worker’s fitness for work, for medical diagnosis, for the provision of health or social care, or for the management of health care or social protection systems and services. Such data must be processed by a healthcare professional subject to a duty of professional secrecy,
- the processing is necessary for reasons of public interest in the area of public health, or for the purposes of ensuring high standards of quality and safety of healthcare and medicines or medical devices, provided that professional secrecy is ensured,
- the processing is necessary for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes.
What do I need to do in terms of paperwork and permits?
It is my personal responsibility to initiate the necessary compliance procedures prior to any collection of personal data and associated processing, in consultation with my Data Protection Officer, and to obtain the appropriate authorisations.
I must:
- declare my data processing activities in the institutional register: see the Data Protection page on the intranet for Sciences Po staff, or the CNIL website for all other individuals,
- inform individuals (legal notices and privacy policy),
- obtain their consent (tick boxes, authorisations, transfer of rights),
- obtain the appropriate authorisations, where necessary.
How can sensitive or confidential data be protected?
- Use a strong password; never share it with anyone and never write it down
- Only share sensitive or confidential data with specifically selected and authorised individuals
- Never send a link (URL) to the data by email
- Encrypt your data if it is sensitive
How do you encrypt it?
The 7-Zip tool allows you to compress and encrypt documents. It meets the need for secure data transfer to third parties. It is therefore recommended when you need to send data files (Excel, PDF, Word, etc.) containing confidential, sensitive or personal data.
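The following is an added example, not part of the Sciences Po page or its 7-Zip documentation: it shows the command-line form of the procedure above, enabling header encryption so that file names are hidden as well as contents, and then verifying the archive before it is sent. It assumes the 7-Zip command-line tool is installed as `7z`; the file name and password are constructed sample values.

```shell
#!/bin/sh
# Added example: wrap files in a 7-Zip archive with AES-256 content and header
# encryption, then check the archive before transfer. Assumes `7z` is on PATH.
set -eu

# encrypt_for_transfer ARCHIVE PASSWORD FILE...
# -t7z    : 7z container format (7-Zip encrypts this format with AES-256)
# -mhe=on : also encrypt the archive headers, so the file names cannot be
#           listed without the password (plain .zip archives cannot do this)
# -p      : the password; given on the command line here for a scripted demo,
#           which other local users can see in `ps`; when typing by hand,
#           use a bare -p so 7z prompts for it instead
encrypt_for_transfer() {
    archive=$1; password=$2; shift 2
    7z a -t7z -mhe=on -p"$password" -- "$archive" "$@" >/dev/null
}

# verify_archive ARCHIVE PASSWORD: integrity test with the correct password;
# exit status 0 on success, non-zero if the archive is damaged or the password is wrong
verify_archive() {
    7z t -p"$2" -- "$1" >/dev/null 2>&1
}

# headers_hidden ARCHIVE: exit status 0 if the listing cannot be read without the
# right password, i.e. -mhe=on took effect (a wrong password is supplied on
# purpose so that 7z does not prompt interactively)
headers_hidden() {
    ! 7z l -pdeliberately-wrong -- "$1" >/dev/null 2>&1
}

# Demo on constructed sample data (a small CSV with personal data)
demo() {
    work=$(mktemp -d)
    printf 'name,date of birth\nA. Person,1990-01-01\n' > "$work/secret-report.csv"
    encrypt_for_transfer "$work/out.7z" 'Correct-Horse-7' "$work/secret-report.csv"
    verify_archive "$work/out.7z" 'Correct-Horse-7' && echo "archive verified"
    headers_hidden "$work/out.7z" && echo "file names hidden without password"
    rm -rf "$work"
}

if command -v 7z >/dev/null 2>&1; then demo; else echo "7z not installed" >&2; fi
```

The password must reach the recipient by a different channel from the archive itself (for example by telephone, never in the same email).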
Documentation: Data encryption with 7-Zip
If you have any questions: Contact the helpdesk