Corporate Services

Search site

 

Secretariat

GDPR data protection

 

New GDPR

The General Data Protection Regulations (GDPR) will be incorporated into the new Data Protection law in the UK in May 2018.  The new law will impact on some data collection, use and storage practices across the institution.  Please see the ICO guidance.

The University has developed a Compliance Plan which is being overseen by the University’s Information Protection Group and implemented by a sub-group comprising representation from the Secretariat, IT, the Student Education Service, Human Resources, the research community and the Library. For most staff, changes brought about by the new Regulations will not be radical, but staff will need to think about changing their personal data management practices e.g. safely destroying personal data when it is no longer needed and making extra sure that personal data is securely kept. More information will be provided on this page and further briefings will follow through relevant channels.

The main elements of the University's Compliance Plan:

  • Generating a comprehensive record and understanding of the personal data the University holds.
  • Ensuring all staff and students understand how to collect, use and store personal data according to the new Regulations.
  • Ensuring that the people whose data we collect know their rights, and are confident that we are using their data responsibly and within the confines of the law.
  • Ensuring that we are able to respond efficiently to requests from individuals whose data we hold.
  • Developing a rapid and effective process to respond to any loss of personal data.
  • Building in protection so that compliancy with the Regulations is “designed in”.   

Training

Data protection training relating to research will continue to be provided through OD&PL (details of which are accessible here). A copy of a PowerPoint presentation (including handouts) relating to research and data protection (incorporating GDPR) delivered in January 2018 is available here. (A video recording of the presentation is available here.) Further information relating to GDPR and research activities is available here.

As a reminder, all staff are required to complete the compulsory online information security essentials training.

To help colleagues, we have filmed a workshop that introduces the main elements of the GDPR together with further information on the data audit exercise that is taking place.

The videos, which have been split into 3 sections, are set out below:

Introduction to the GDPR (part 1) - Adrian Slater
Introduction to the GDPR (part 2)
Data audit exercise - Rebecca Messenger-Clark

Supporting documents

We will, through this website, be publicising further supporting documents with guidance to support data protection activities. Please keep looking at this website.

Data Processing Agreement

Where the University is looking to engage others in processing personal data for it, there should be in place a Data Processing Agreement. A typical situation would be where you may be asking another provider to send out communications for you using contact details that you have provided. Alternatively you might be doing a research project in a consortium and it is the role of one of the consortium members to process personal data for you. There are three GDPR compliant templates for DPA as follows:

- The 'Lightweight' template is a basic DPA which does not specify any technical controls. This is intended for Data Processors which are not hosting our data on websites, or providing access to our data through websites;

- The 'Technical Controls' template specifies the technical controls that we need to be satisfied are in place for Data Processors which are hosting our data on websites, or providing access to our data through websites;

- There is another template agreement for data processing that is associated with card payment transactions involving our data. If you require such an agreement, you will need to contact the University's IT Assurance Team in the first instance.

Data Sharing Agreement

Where the University is looking to share personal data with another "data controller" there should be in place a Data Sharing Agreement. If you are not sure if the University or the other party with whom the data is to be shared is acting in a data controller capacity, please see the ICO guidance. Please see here for the University template which has been drafted to be GDPR compliant.

 

Further information

Data Champions have been appointed who will act as local points of contact where you can go for further information and assistance. The list of data champions and their contact details is available here.

If you have any general questions relating to data protection, please contact Rebecca Messenger-Clark (r.messenger-clark@adm.leeds.ac.uk) or Adrian Slater (a.j.slater@adm.leeds.ac.uk) in the Secretariat.

 

25.5.2018 (HJP)