The General Data Protection Regulations (GDPR) will be incorporated into the new Data Protection law in the UK in May 2018. The new law will impact on some data collection, use and storage practices across the institution. Please see the ICO guidance.
The University has developed a Compliance Plan which is being overseen by the University’s Information Protection Group and implemented by a sub-group comprising representation from the Secretariat, IT, the Student Education Service, Human Resources, the research community and the Library. For most staff, changes brought about by the new Regulations will not be radical, but staff will need to think about changing their personal data management practices e.g. safely destroying personal data when it is no longer needed and making extra sure that personal data is securely kept. More information will be provided on this page and further briefings will follow through relevant channels.
The main elements of the University's Compliance Plan:
- Generating a comprehensive record and understanding of the personal data the University holds.
- Ensuring all staff and students understand how to collect, use and store personal data according to the new Regulations.
- Ensuring that the people whose data we collect know their rights, and are confident that we are using their data responsibly and within the confines of the law.
- Ensuring that we are able to respond efficiently to requests from individuals whose data we hold.
- Developing a rapid and effective process to respond to any loss of personal data.
- Building in protection so that compliancy with the Regulations is “designed in”.
Data protection training relating to research will continue to be provided through OD&PL (details of which are accessible here). There will be an online video available on this website in February relating to research and data protection (incorporating GDPR).
As a reminder, all staff are required to complete the compulsory online information security essentials training.
To help colleagues, we have filmed a workshop that introduces the main elements of the GDPR together with further information on the data audit exercise that is taking place.
The videos, which have been split into 3 sections, are set out below:
We will, through this website, be publicising further supporting documents with guidance to support data protection activities. Please keep looking at this website.
Data Processing Agreement
Where the University is looking to engage others in processing personal data for it, there should be in place a Data Processing Agreement. A typical situation would be where you may be asking another provider to send out communications for you using contact details that you have provided. Alternatively you might be doing a research project in a consortium and it is the role of one of the consortium members to process personal data for you. Please see here for the University template which has been drafted to be GDPR compliant.
If you have any general questions relating to data protection, please contact Rebecca Messenger-Clark (email@example.com) or Adrian Slater (firstname.lastname@example.org) in the Secretariat.