
BAFTA Nucleus and GDPR

1. Introduction

1.1. About Nucleus

In 2013 BAFTA started work on a system for collecting and administering entries for the various BAFTA awards. This stemmed from BAFTA’s need for a single system which was flexible enough to handle the different data and eligibility requirements collected for their numerous awards whilst still being scalable and easy to use.

The system proved to be a great success and was quickly adopted more widely within BAFTA, first for managing ticket sales and then for managing applications for membership and scholarship schemes, as well as a variety of other uses.

In 2015 BAFTA was approached by another awards body whose staff had used the system when submitting an entry to one of BAFTA’s awards. Soon after this, an agreement was reached on the licensing of the system to them.

Since 2015 the system, now named “BAFTA Nucleus”, has been licensed to 16 UK organisations and processed 36K entries. 

1.2. Nucleus and GDPR

On 25th May 2018 the EU General Data Protection Regulation came into force. This sets out the safeguards which must be used by companies processing the personal data of EU citizens, together with the rights they have in relation to how companies use their data.

The BAFTA Nucleus awards entry system can be used to store and process personal data of individuals. BAFTA provides the Nucleus software to facilitate data collection, storage and associated workflow. Nucleus is designed to be highly flexible and configurable, and it is up to each client to decide exactly how they use the software. Using Nucleus in and of itself will not guarantee compliance. Each Nucleus customer is responsible for reviewing their own use of Nucleus and any other systems or software they use to ensure compliance.

BAFTA provide clients with a licence to use the Nucleus software on a server belonging to the client. Once the software is installed on the client’s server, BAFTA provide an ongoing support and maintenance service for the client’s server. As with any other software, Nucleus can be used in a variety of ways for a variety of purposes. It is possible to use Nucleus to store and process data in a GDPR-compliant way – it is equally possible that Nucleus could be used in a non-compliant way. The software itself cannot make you compliant on its own – it must be used in conjunction with other corporate policies and procedures to achieve compliance. It is up to each client to take their own steps to ensure that the way they use Nucleus to collect and store personal data is compliant.

This document provides Nucleus clients with details of how Nucleus can help them to comply with their obligations under GDPR and highlights some of the areas where clients might need to put new processes in place to ensure compliance. This document does not provide legal advice – rather it offers hints and tips which can be used in conjunction with other processes and systems. It is up to each client to validate with their own legal advisers that their particular systems and way of working are fully compliant with GDPR.

1.3. Processor and Controller

The GDPR defines the concepts of data processors and a data controller. The definition of processing, and therefore that of a processor, is very broad and includes any of these activities: “collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.

In order to provide support to clients, BAFTA’s software engineers and technical support staff have administrative access to the client’s Nucleus server and the data on it. This level of access is essential for us to be able to maintain the server and also investigate any problems that might arise. We never remove the data from the client’s server or perform any kind of manipulation of the data, however our reading of the regulation is that BAFTA, by virtue of having access to the data, is considered a processor.

BAFTA fulfils all of its obligations under the GDPR as a data processor but it is important to bear in mind that the controller must still fulfil their obligations in how they use the Nucleus system, how they communicate with users and in their internal processes and policies.

1.4. The Text of The Regulation

The authoritative source for information on GDPR is here: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC

A more easily navigable copy of the regulation is available here: https://gdpr-info.eu/

N.B. This is not the authoritative source for the Regulation – it is up to clients to verify that this faithfully reflects the current regulation at any given point in time.

2. Lawful Basis for Processing

GDPR requires that there is always a Lawful Basis for Processing (see Article 6). BAFTA Nucleus is designed as a system for the administration of awards entries or other application processes, on the understanding that all communication with the user will be solely that which is required for managing their application. As such, we envisage that most clients’ use of Nucleus will fall under clause 1(b) of Article 6:

“processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”

However, the flexibility of the system means that it is possible to use it for other purposes, or that some clients might wish to seek the consent of entrants to use their data for other purposes (such as keeping them informed of future news and events). Each customer will need to assess for themselves whether their use of the system falls under this clause.

Nucleus includes functionality to present users with three “data protection” checkboxes on registration (which the user can always access and change on their settings page). Customers seeking to rely on Article 6(1).a (“consent to the processing of … personal data for one or more specific purposes”) should contact BAFTA to request enabling of this functionality (at no cost) and will need to ensure that they have included appropriate text in the Content Management System to inform the user and elicit their active consent via these checkboxes. Any wording requesting consent should be crafted to ensure compliance with Article 7 of the GDPR – in particular, consent must be opt-in, not opt-out.

3. Children’s Data

Article 8 of the GDPR sets out special measures which need to be put in place when storing data relating to children. If Nucleus is going to be used to collect data relating to children under the age of 16, then customers should consult with BAFTA first to ensure that suitable measures can be put in place to gain consent from the parent or guardian. 

4. Sensitive Data

BAFTA Nucleus is not designed for the collection or storage of sensitive data in any of the following categories:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • The processing of genetic data
  • Biometric data for the purpose of uniquely identifying a natural person
  • Data concerning health
  • Data concerning a natural person’s sex life or sexual orientation
  • Criminal convictions and offences or related security measures

Articles 9 and 10 set out special precautions required when handling any of these categories of sensitive data.

Please contact BAFTA before using Nucleus to store any data in any of these categories as extra measures may need to be put in place to ensure compliance.

5. Rights of the Data Subject

Chapter 3 (Articles 12-23) of the GDPR sets out the rights afforded to data subjects by the regulation. These are explored in more detail below.

5.1. Communicating and Exercising Rights

Article 12 sets out how and when the data controller should communicate to the data subject details of how and why their data will be stored and what their rights are under the regulation. The exact wording of these communications will vary from one Nucleus client to another. It is, therefore, the responsibility of the client to determine how best to communicate with their end users, and what mechanisms should be put in place to allow end users to exercise these rights.

There is no specific mechanism built into Nucleus to allow end users to make requests relating to exercising their various rights under GDPR. However, if clients wish to provide users with an online process for doing this, then the existing form building and submission functionality at the heart of Nucleus provides an ideal way of collecting and managing these. Indeed Nucleus customers may find Nucleus to be a useful tool in managing rights requests from data subjects relating to other systems they maintain.

Clients should take care when designing forms in Nucleus that they use the existing help and commentary fields functionality to provide all necessary information to users as described in Article 13 of the Regulation. 

5.2. Data Entered by Third Parties

Nucleus is often used to collect data about third parties. For instance, an entry form filled in by an entrant might ask for the name and contact details of the actors, producers, or crew of the production being entered. When using Nucleus in this way you should be mindful of the rights of the third party to be made aware that their data is being stored and be informed of their rights in relation to this. These rights are set out in Article 14 of the regulation.

We envisage that most Nucleus customers will not want to take on the responsibility of informing these third parties, but will rather seek to pass this responsibility on to the entrant. You may, therefore, want to consider including a question on the entry form asking the entrant to validate that they have obtained consent from the third party for their data to be stored and processed. This could be combined with conditional logic which prevents the user from filling in the fields relating to third parties until they have confirmed this.

Such a question might be accompanied by wording along these lines:

If you have not told these people when you collected their data, that you will be sharing their details with [awards body name] for the purpose of entering the [award name] awards, then you should contact them to obtain their consent before providing their details.

When gaining their consent to store and process their data you should be mindful of the obligations set out in Article 13 of the GDPR, in particular making them aware of your intention to pass their data on to [awards body name] and that this data may in turn be accessed by BAFTA Media Technology, who provide the entry website software, only in so far as this is required to provide technical support for the software. If they request erasure/correction of their data then it is your responsibility to remove/update the information on your entry form as appropriate unless the entry form has been submitted, after which point you will need to forward the request to us to ask that we make the necessary changes to the entry.

5.3. Right to Access

As with the UK Data Protection Act before it, Article 15 of the GDPR gives data subjects the right to access (i.e. see a copy of) data relating to them.

In Nucleus, data stored about people will include the following:

  • Any details collected about them on any entry form
  • Name and address details collected when they register as a user of the system
  • Logs of actions they have taken when they are logged into the system

Some of this data is already available to the user through the web interface. This is true for most form data and the data the user enters when they register for an account. If the user has lost access to their account, then they can use the forgotten password system to gain access, or request that the site administrator reset their password. Some data is not directly available to the user but is available to the site administrators. In this case, the administrator of the site will need to do the following when complying with a subject access request:

5.3.1. Action Logs

These are available via the “Misc” section of the administrative web interface. The filters on the “Action Log” page can be used (once the user ID for the user in question has been ascertained from the user list page) to generate a list of the action log data for the user concerned. This can then be downloaded as an Excel file.

5.3.2. Entry Form Admin-only Data

Any entry forms which contain data about the user should be scrutinised by an administrator to check for any admin-only fields which are not visible to the entrant, but which contain data about them. These would need to be cut-and-pasted into a document to send to the requestor.

Every form also includes an “admin comments” field at the bottom of the form. This will also need to be checked to see if any data relating to the individual has been included in this field. If so then the relevant data will need to be cut-and-pasted out of this field and sent to the requestor.

5.4. Right to Rectification

Article 16 of the regulation sets out the data subject’s right to request that any errors in data relating to them are corrected. Once again, the right to rectification already existed under the DPA. As mentioned above under “Right to Access”, most data relating to individuals held in Nucleus can be updated by the user themselves through the web interface. The only area where this is not true is the admin-only fields in the entry form. If these require updating, then this can be done by system administrators.

There is no mechanism for correcting action logs – however, it is hard to envisage how these could require rectification. If this should become necessary then BAFTA support staff can remove or correct this data in the underlying database on the client’s Nucleus server.

5.5. Right to Erasure

Article 17 of the GDPR gives data subjects the right to request that data held about them be erased. This is also known as the right to be forgotten.

Nucleus administrators have access to all of the areas of the system where personal data is stored (except for backups as discussed below). This means that Nucleus customers can do most of the work required without input from BAFTA. There are a few technical considerations:

  • Some records are marked as deleted first then actually wiped later. In the case of entry forms, the data is wiped from the database one year after it is marked as deleted. This allows for un-deletion when a record is accidentally deleted, but in the case of a “right to be forgotten” request this could be problematic. In these instances the entry form must be edited and any personal data replaced (e.g. with dashes) and the entry form re-saved – this will result in the immediate removal of the data from the database – the record can then be deleted as usual. This approach also mitigates against the risk of the underlying database software using the same ‘mark as deleted’ approach, but not removing the data from the disk.
  • There is an additional ‘Shred’ option for Users and Entries data. This differs from the standard deletion in that it will permanently delete all data associated with the given user/entry from the database, and this data cannot be restored. Note, this will not remove the data from previous backups (see below).
  • Backups of the database present a challenge as data about individuals will persist here. The only way to remove personal data from these will be to restore each backup in turn (there is one backup per day, and these are currently kept indefinitely), edit the restored database to remove the details of the individual and re-save the backups. Given the volume of data involved this would be a mammoth task. The simplest solution here will be to reduce the retention period down to match the timescale for responding to requests (i.e. one month). This step is relatively simple and can be taken at any time. Rather than do this preemptively we feel that it is best to see how the legislation beds down and how frequent these requests are.

In summary, if you receive a “right to be forgotten” request you should:

  1. Let the BAFTA support team know immediately so that backups of your server older than 30 days can be deleted and the retention period dropped to 30 days – this means that if you delete the individual’s data as described below from the live database, after 30 days (within the required timescale) the data will be removed from the backups.
  2. Edit the organisation, user and any entries where the individual’s data may occur, replacing personal data with dashes, then saving the changes.

Please note that this approach will result in ALL backed-up data older than 30 days being deleted – not just data relating to the individual who has made the request.

Where the client has an active support contract with BAFTA this work will be performed at no charge.

5.5.1. Automated Deletion of Personal Data

To significantly reduce the workload involved in a ‘right to be forgotten’ request, Nucleus administrators can automate deletion of personal data collected on Nucleus forms. When building the forms, any question type that potentially allows for the inclusion of personal data (e.g. a text box could ask for names, a date question could ask for date of birth, an upload could ask for a CV) can be marked for automated deletion.

On any question that asks for personal data, within the Options section of the question set-up page, make sure the ‘answer includes personal data’ dropdown is set to ‘Yes’. This will indicate to the system that anything entered into the given question on the form should be treated as personal data and automatically deleted at the time scheduled in the award settings.

To set a date when the data entered into these fields will be automatically deleted, administrators will need to edit the relevant award and add a date to the ‘delete personal data on’ field. The date must be at least two weeks in the future.

5.6. Right to Restriction of Processing

This is a new right introduced by GDPR (see Article 18). A data subject will be able to request that the data controller retains their data but does not process it. For the most part, Nucleus does not actually do any processing of data – rather it is focussed on storage and retrieval.

The main concern here would be avoiding the user’s data being retrieved from Nucleus and used in some other off-line process, e.g. being submitted to a judging panel. There is also the risk that the user’s data might be deleted accidentally by an administrator, or automatically by one of the processes which clear down old and unused accounts.

To avoid this, the data can be side-lined, i.e. stored on the system, but not in the database used by the web interface. There is currently no mechanism to trigger this via the administrative web interface. This can, however, be done in the underlying MySQL database. If such a request is encountered, the client should contact BAFTA support who can perform the database commands necessary to move the data to a separate area of the database where it cannot be readily accessed or deleted. Where the client has an active support contract with BAFTA this work will be performed at no charge.

5.7. Right to Data Portability

This new right enshrined in the GDPR (see Article 20) extends the right to access by requiring controllers to provide data in a “structured, commonly used and machine-readable format”. The regulation does not specify a particular format, but .csv or .xls files should fulfil these requirements.

Entry data can already be exported from Nucleus in .xls format. This is currently only possible in bulk, i.e. all entries for an award. However, the specific user record can be selected in Excel and cut-and-pasted into a new Excel file containing just this single row. Administrators should use this cut-and-paste approach as opposed to deleting all other data from the export, as this avoids the risk of other people’s data being accidentally left in the file or the possibility of the recipient being able to “undo” the delete action to retrieve the data relating to other users. 

Administrators should take care to agree a suitable encryption technology with the data subject when sending the data to them. Simply attaching the unencrypted data to an email puts the data at risk of being intercepted in transit. The BAFTA support team can provide suggestions of potential encryption approaches, but it is up to the data subject and the data controller to agree and implement a suitable exchange mechanism.

6. Automated Individual Decision-Making

GDPR introduces a new right for data subjects not to be subject to a decision based solely on automated processing. The only area where Nucleus is capable of anything which might be considered to be “automated decision-making” is the application of category eligibility rules.

Some clients do not use this feature at all. If it is used, then, where Nucleus is being used for awards entry, we anticipate that the decision-making will be used to enforce the published rules for the categorisation of entries and as such will come under the exclusion listed in Article 22(2).a namely it is…

necessary for entering into, or performance of, a contract between the data subject and a data controller;

Nucleus administrators should note, however, that if this functionality is used, then even when the exclusion mentioned above is in force, the Regulation still requires that the data controller…

implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

Nucleus administrators should take care to inform entrants of these rights and how to exercise them. This can usually be achieved by adding suitable text on the entry form as part of the form design.

7. Processor and Controller

BAFTA provide, install and manage the Nucleus software for clients to run on their own server infrastructure (in AWS). The customer is entirely responsible for determining the purposes and means of the processing of personal data. BAFTA supplies the software which runs on the client’s infrastructure but performs neither the role of controller nor processor in respect of the data stored on the clients’ server. It is the responsibility of the client to ensure that they comply with Article 30 of the GDPR in recording all of their processing activities – within Nucleus and in any other data processing systems they use. This takes the form of an information asset register.

8. Security

Article 32 sets out the requirement to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Nucleus has been designed to employ industry best-practice security tools and techniques to provide comprehensive protection of all of the data stored in the system. These are covered in more detail in the “BAFTA Nucleus Security Overview” document which is available on request.

8.1. Security Breach Procedures

In the event of BAFTA becoming aware of a security breach or vulnerability affecting Nucleus, BAFTA will inform the affected client(s) within 48 hours as described in the Security Overview. It is the responsibility of the client to comply with Article 33 of the regulation, including informing the relevant authorities in the event of a breach affecting personal data.

In the event of a security breach, BAFTA will provide details, to the extent technically possible, of which users’ data might have been put at risk to assist the client in complying with Article 34 of the regulation. BAFTA will provide suggested text to be used when informing users of any breach, but it is the responsibility of the client to review and send any such communication to the affected users.

If the breach is as a result of a security failing in Nucleus then BAFTA staff will work with the client to urgently address the issue and mitigate any further damage.

9. Privacy Impact Assessments

Where the use of Nucleus forms part of a new project then the client should, in line with Article 35, perform a data protection impact assessment. BAFTA can assist clients with this process for projects which will be using Nucleus, but this will be on a paid consultancy basis.

10. Transfers of Data

Apart from the Salesforce Integration option (this is only enabled on customer request), Nucleus does not transfer any data on to third parties for processing.

The processing systems and all Nucleus data reside in Amazon Web Services in the availability zone (i.e. country) of the client’s choosing. In most cases, this is the Dublin availability zone.

11. Video Data

Where BAFTA Electron is used in conjunction with BAFTA Nucleus, it should be noted that Electron is not built with personally identifiable data in mind. It is primarily a video delivery platform and is designed around the assumption that it will not be used to store or process personal data. Thus some of the systems required to make Electron suitable for handling personally identifiable data have not been put in place (e.g. support for secure erasure of individual users’ data).

Please contact BAFTA before using Electron for storing any personally identifiable data.