GDPR and UC – privacy practices: your need to know info

You may have heard about the EU’s General Data Protection Regulations (GDRP) come into effect today. The GDPR enshrines data protection principles for EU citizens, even if their data is being managed by a firm outside the EU. This will have far reaching implications for privacy practices across the globe, including some limited activities at UC.

The Information and Records Management Team has been working to bring UC practices into alignment with the requirements of the GDPR.  Currently, we operate under the Privacy Act 1993, and we are also expecting the changes in the current Privacy Bill. These changes will be incorporated into the University’s Privacy Policy, and to the Student Declaration.  

We have generated a brief FAQ for those who are concerned about how this will affect UC.

  • Who does this new regulation relate to?
    Technically, this will only apply to a small proportion of UC’s activities. This will relate to departments who seek or use the personal information of EU residents. If your department is likely to be specifically affected, the IRM team will contact you to provide guidance. Although the GDPR will not apply to most UC activities, the principles within it are something we should be aiming for, and we hope to apply them as much as is possible for all staff and students, regardless of their citizenship.
  • What are the risks to UC?
    There are few additional risks to UC. Most of the requirements of the GDPR have already been incorporated into UC practices either through the Privacy Bill, or independently as we seek to align ourselves with best practice. If you have any concerns about your specific activities, please contact the Records team at
  • What does this new legislation involve?
    The GDPR aligns with many of the principles already within our Privacy Act. Key differences include:
  • A strengthened requirement for organisations using personal information to demonstrate a lawful basis for this (such as contract, legal obligation or public interest) or consent of the individual
  • Clear regulations regarding seeking consent from individuals. Consent must be freely given, informed, specific and unambiguous, as well as clear and intelligible. Consent can also be withdrawn.
  • The right to be forgotten allows individuals the right to have their data erased in specific circumstances, including where the individual withdraws their consent. In New Zealand, this will be limited by other factors such as the Public Records Act.
  • Increased rights for individuals wishing to access or transfer their personal information.

For more information on the GDPR contents, the Privacy Commissioner has some guidance resources available on their site. If you would like more information or guidance as to how this will affect UC, please contact the IRM team.