How we comply with data protection laws
The information presented on this page describes some of the things the University has put in place to demonstrate compliance with the Accountability Principle.
Data Protection Officer
The University has appointed a Data Protection Officer (DPO). Some of the tasks the DPO undertakes are:
- Informing employees about their obligations to comply with data protection legislation and raising awareness of data protection issues, for example, through training;
- Monitoring compliance with data protection legislation;
- Advising on and monitoring data protection impact assessments;
- Acting as the contact point for the Information Commissioner’s Office and for individuals whose personal data the University processes.
Data Protection Impact Assessments (DPIAs)
A Data Protection Impact Assessment (‘DPIA’) is a process to help the University to identify, manage and minimise data protection risks to individuals.
A DPIA is only required in certain circumstances, such as where the processing is likely to result in a risk to the rights and freedoms of individuals. Risk in this context is about the potential for any significant physical, material or non-material harm to individuals.
There are some circumstances which automatically require a DPIA to be completed:
- Systematic and extensive profiling with significant effects;
- Large scale use of special category data or criminal offence or conviction data;
- Public monitoring.
To help the University identify and manage data protection risks, the University has updated its processes. This is to ensure that the completion of a DPIA is considered at an early stage in the lifecycle of any project or activity that will involve the use of personal data and may be considered high risk. Some examples of University activities for which the completion of a DPIA is considered:
- developing new IT systems, services, products and processes that involve processing personal data;
- developing organisational policies, processes, business practices and/or strategies that have privacy implications;
- physical design;
- embarking on data sharing initiatives;
- research projects;
- using personal data for new purposes; or
- making changes to existing arrangements.
The University uses screening questions based on guidance provided by the Information Commissioner’s Office to help determine if a DPIA is required.
Training and awareness
The University recognises the importance of ensuring that all employees are provided with data protection training, so that data is handled in a responsible and compliant manner.
To assist with this, all employees are required to undertake data protection and information security induction training when they join the University, and mandatory annual refresher training thereafter.
Additional support includes:
- Data Hub – a dedicated resource with information and guidance to support Data Protection and Information Security compliance.
- Specialised training (for example, research or direct marketing) or refresher training is also provided, and ad hoc training can be requested by completing the training request form located on the Data Hub.
- A network of Data Protection and Information Security Champions (DISCs) has been established to help raise awareness of data protection and information security requirements and assist with monitoring compliance.
Sometimes the University will need to share personal data about employees or students with external organisations or suppliers to provide our services.
In these circumstances, the University will put in place a legal agreement to ensure that adequate protection is in place to protect the rights and freedoms of individuals and to help the University comply with data protection laws.
The agreement will set out each party’s responsibilities and liabilities and will include, as a minimum, specific terms such as requiring the organisation to take appropriate measures to ensure the security of processing and obliging it to assist the University in allowing individuals to exercise their rights under data protection legislation.
Due diligence of external suppliers is also undertaken to provide the University with assurance that personal data will be kept safe and secure.
Records of Processing Activities
To comply with its obligations under the UK GDPR, the University maintains a Record of Processing Activities. This documents things like the type of data we collect, the purposes we use the data for, the individuals the data is about, and who we share the data with, including any transfers of data outside of the UK.
International Data Transfers
Sometimes the University’s arrangements with external organisations or suppliers require us to share personal data with countries outside of the UK, which can include both EEA countries and those outside of both the UK and the EEA. Some countries are covered by adequacy decisions: these are countries that offer an adequate level of data protection, which allows us to transfer personal data to them without any further safeguard being necessary.
Where an adequacy decision does not exist, the University’s Legal Services team will put in place an appropriate safeguard, for example a legal agreement. This will ensure that both the University and the receiver of the transferred data are legally required to protect individuals’ rights and freedoms in relation to their personal data, and will also set out each party’s responsibilities and liabilities.
The University takes information security extremely seriously and is committed to protecting data and information at every step. The University has a dedicated information security team (The Office of Information Security), and the University is both Cyber Essentials and Cyber Essentials Plus certified.
Policies and Procedures
To help it comply with the Data Protection Act 2018 and the UK GDPR, the University has a Group Data Protection Policy, which sets out controls that are supported by data protection and information security standards.