Information Governance

The Information Governance Unit (IGU) is the department within the Coventry University Group responsible for providing advice and monitoring compliance with General Data Protection Regulation 2016 (GDPR), Data Protection Act 2018 (DPA), Privacy and Electronic Communications Regulation 2003 (PECR), Freedom of Information Act 2000 (FOIA) and any other related legislation.

If you have any questions about the processing of personal data you should raise this with the IGU at the following address enquiry.igu@coventry.ac.uk

Tasks of the IGU

Some of the tasks the IGU are responsible for are listed below:

  • Act as a contact point for data subjects and responding to queries and requests including Data Subject Rights Requests
  • Act as a contact point for Freedom of Information Requests
  • Act as a contact point for supervisory authority, Information Commissioners Office
  • Investigating and reporting data breaches to the Information Commissioners Office
  • Failure to comply with regulatory deadlines for FOIA and DPA
  • Assess risks associated with processing operations involving personal data and providing assistance with completing Data Protection Impact Assessments (DPIA)
  • Raise awareness and provide data protection training, guidance and advice
  • Develop/review privacy notices, privacy policies and consent forms
  • Conduct assessments to identify gaps and provide remedial guidance to ensure compliance with the data protection legislation
  • Disclosure of information to third parties such as the Police

The IGU is here to help so please do feel free to get in contact if you need our assistance.

You can also visit the IGU’s staff and student portals, which provide further guidance and useful resources.

Under the General Data Protection Regulation (the “GDPR”) in the event of a personal data breach the Coventry University Group (“the University”) must report the breach to the Information Commissioner’s Office (the “ICO”) without undue delay and in any event within 72 hours of becoming aware of the breach.

The threshold to determine whether an incident needs to be reported to the ICO depends on the risk it poses to the data subjects in question. Where there is a likelihood of a high risk to people’s rights and freedoms, the University will also need to report the breach to the data subjects who have been affected. A high risk situation will include whether a data subject will potentially suffer a significant detrimental effect such as financial loss, discrimination or damage to reputation.

Report a Data Breach

What is a personal data breach?

A personal data breach is defined in the GDPR as being “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. This is therefore wider than simply a loss of personal data and can include:

  • unauthorised access
  • loss of mobile devices, laptop or paper copies
  • sending personal data to the wrong person
  • disclosure to third party; and
  • the unauthorised alteration of data and the deletion of personal data.

When does the University need to report a breach to the ICO?

When a personal data breach occurs an assessment of whether such breach will have any impact upon the data subjects’ rights or freedoms must be carried out. If it’s likely that there will be a risk to a subject’s rights or freedoms then the University must notify the ICO. The GDPR details some of the negative consequences of a data breach that will impact upon a data subject’s rights or freedoms and these are as follows:

  • loss of control over their personal data
  • discrimination
  • identity theft or fraud
  • financial loss
  • unauthorised reversal of pseudonymisation
  • damage to reputation
  • loss of confidentiality of personal data protected by professional secrecy
  • any other significant economic or social disadvantage.

Where University notifies ICO of the breach, the ICO will conduct an investigation to the nature and seriousness of the breach and the adequacy of any remedial actions taken by the University and will determine further course actions, which may be;

  • Record the breach and take no further action, or
  • Investigate the circumstances of the breach and any remedial action which could lead to:
  • No further action;
  • A requirement on the University to undertake a course of action to prevent further breaches;
  • Formal enforcement action turning such a requirement into a legal obligation; or
  • Where the evidence of a serious breach of GDPR, whether deliberate or negligent, the serving of the monetary penalty notice requiring the organisation to pay a monetary penalty of an amount determined by the Commissioner up to the value of €20mil or 4% global turnover whichever is higher.

If personal data has been made essentially anonymised and unintelligible to unauthorised parties and a copy exists, a breach may not need to be notified to the ICO as there is little risk to the rights and freedoms of a data subject. If there is no backup then this breach will need to be reported as the lack of availability of this data may pose a risk to a data subject.

When does the University have to report a breach to a data subject?

If the breach is likely to result in a high risk to the rights and freedoms of individuals, then the University must inform the data subjects concerned as soon as possible. A high risk to the rights and freedoms of the individual is a higher threshold than the risk needed to report the breach to the ICO. High risk is likely to mean that the impact of the breach is more severe and that the consequences of the breach are greater.

The GDPR sets out 3 conditions that, if met, remove the requirement to notify individuals of a breach. The first is that the University has in place measures which cause personal data accessed without authorisation to be unintelligible, such as by encryption. The second condition is that, following the breach, the University immediately takes steps to ensure that the high risk does not materialise. The third condition is where informing the data subjects directly would involve a disproportionate effort in which case a public communication will suffice.

On some occasions where informing the data subject directly would involve a disproportionate effort then a public communication regarding the breach may be issued.

How long does the University have to report a breach?

The University must report the breach to the ICO without undue delay and in any event within 72 hours of becoming aware of the breach. It is likely that the University will be seen as being aware when there is a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised. The University will be allowed a short period of time in which to conduct an initial investigation to establish whether or not a breach has in fact occurred, but will then be seen as being aware of the breach and the 72 hour deadline to notify will begin.

An example of this is where a student receives an email containing personal data they have provided to the University from someone falsely purporting to be representing the University. The implication here is that a third party has stolen this information from the University. The University then conducts a short investigation and finds evidence that there has been unauthorised access to its databases. At this point the University is aware and must report the breach within 72 hours (if it judges the breach will have any impact upon the data subjects rights or freedoms).What to do if you suspect that there has been a data breach and when to do it

1. Immediately report the breach to the Information Governance Unit (the “IGU”). The responsibility for reporting the breach lies with the person who discovered the breach. Please do not hesitate to do this. No matter how serious the breach is, it is far easier to mitigate any potential consequences when we know about it as soon as possible;

In the event of a personal data breach it must be reported immediately by the person that discovered the breach by telephoning the IT Service Desk number +44 (0) 24 7765 7777 or you can email databreach.igu@coventry.ac.uk

2. The IGU when deemed necessary, will decide whether there is enough information to establish that a breach of personal data has occurred;

3. The IGU will assess the breach and determine whether such breach meets the threshold of whether an incident needs to be reported to the ICO;

4. If not enough information is available to allow the IGU to establish whether there has been a data breach then a brief investigation will be conducted. Such investigation is likely to involve other departments within the University;

5. If the IGU determines that there has been a breach of personal data which impacts upon the data subjects rights or freedoms then the IGU will report the breach to the ICO within 72 hours;

6. If the IGU determines that there has been no data breach or that the breach will not impact upon the data subject’s rights or freedoms then no report to the ICO will be necessary;

7. If the breach is likely to result in a high risk to the rights and freedoms of individuals, then the IGU must inform the data subjects concerned directly and without undue delay; and

8. Regardless of whether the breach was reported to the ICO, the IGU will require that action is taken to ensure that such a breach does not happen again. This may involve the introduction of new policies or procedures or new security measures. Action will also need to be taken to mitigate the consequences of any breach.

Further information

If you would like any further information or have any queries relation you can contact the Information Governance Unit by email enquiry.igu@coventry.ac.uk

Further information can be found on the Information Commissioner’s website at www.ico.org.uk or via their helpline on 0303 123 1113

The data protection laws provide individual’s with increased control over their personal data and who it is shared with. This includes the staff and students of the University.

Respect must be maintained for the individuals rights under the data protection laws at all times and personal data must not be disclosed to third parties, including family members, friends, local authorities, government bodies or the police unless the individual has consented or there is another lawful basis for doing so.

It is important that whenever a third party requests information about a member of staff or student that request is carefully scrutinised so as to understand exactly what is being requested and why. If the person making the enquiry has a genuine requirement for the information then you should consider whether its disclosure would be fair, reasonable and lawful.

As a general rule personal information should not be given out in response to telephone calls due to the difficulty in verifying the identity of the caller.

Details of who the University share personal data of their employees with can be found in Employee, Staff and Contractors Fair Processing Notice.

Details of who the University share personal data of their students with can be found in the Fair processing Notice for students.

Except where the University is legally obliged to provide personal information, it should be remembered that even where the data protection laws permit disclosure the University is not required to provide any requested information and if in any doubt information should not be provided. If you are in any doubt as to whether information should be provided in relation to any request you should contact the Information Governance Unit at enquiry.igu@coventry.ac.uk

Sharing a colleagues personal information internally

Where an employee of the University requests any information about one of your colleagues the information should only be provided if it is required for that employee’s proper performance of their duties or where permission has been given by a senior member of staff.

Disclosure of personal information to third parties such as employment agencies or prospective employers at the individual’s request.

It is important to ensure that any such request is genuine, that the person requesting the information is who they say they are and that the individual concerned has requested that they contact you for such information. If you are in any doubt you should refuse to provide the information.

All requests for information from such third parties should be made in writing and should ideally be accompanied by written confirmation from the individual that you are permitted to provide the requested information.

Disclosure to the police and other third party casual enquiries

No personal information should be provided in response to casual enquiries whether made by the police, a family member or any other third party. This includes confirmation of the individual’s employment or student status and/or whereabouts without the consent of the individual.

Where you receive such an enquiry you should take contact details without confirming if the individual is a member of staff and pass it on to the individual to respond to as they see fit.

Where the police require personal information in pursuance of one of their official functions they should be asked to put that request in writing so that it can be considered by the Information Governance Unit.

Fraud enquiries

In cases where the University is asked to confirm if an individual is or has been a student or employee of the University and the University has never had a relationship with the individual this fact can be confirmed (as the University does not hold any personal data to disclose). If however the University has had a relationship with the individual the University must consider if it has a lawful basis for disclosing such information. In accordance with the University’s fair processing notices information may be provided where it is in the legitimate interests of the University to do so including in relation to fraud prevention or where there is a statutory obligation on the University to do so (such as a HESA requirement).

Exam results, examination scripts, assessments, results, comments on those papers by examiners and examination marks are all types of personal data. Accordingly, they must be handed in accordance with the data protection laws.

Examination scripts

Examination scripts are expressly exempted from the normal data subject access rules by the Data Protection Act 2018. This means that the University is under no obligation to allow students to have access either to their original scripts or copies of the scripts.

Examiner’s comments and assessments

An individual can request access to an examiners comments and assessments, whether made on a script or on a separate document. However, the time period for responding to such a request is five months from the date of receipt of the request or 40 days after the announcement of the result whichever is the earlier.

Examination marks

For the purposes of the data protection legislation examination marks are treated in exactly the same way as examiner’s comments with the same time scales applying.

Examination board minutes

Minutes of examination boards that contain discussion of specific individuals are subject to the normal rules on data subject access. Accordingly a data subject access request can be made and must be considered in line with the general principles for dealing with such a request.

Results

A students examination results constitute their personal data. Therefore care should be taken back when issuing results to make sure that the students’ rights are protected and their personal data is not shared with any third party including other students.

It is generally expected that tutors and senior members of staff will provide references for both students and their colleagues. Giving a reference will inevitably involve the disclosure of personal data in the form of both facts and opinions.

Whilst the data protection laws give individuals a general right to access their information there are a number of exemptions including an exemption for confidential references in the hands of the ‘giver’ but not necessarily in the hands of the party receiving that reference.

It is therefore important to bear in mind that the individual may ultimately obtain access to the reference and to ensure that it is drafted in such a way as to minimise the risk of any complaint.

Guidance on writing and obtaining references can be obtained from the People team.

All references, both those written and obtained should be retained in accordance with the University’s established data retention periods.

The Freedom of Information Act 2000 (FOIA) provides the general public with the right of access to recorded information held by public authorities. Public authorities as defined in the Act include central government departments, local government, the police, the National Health Service, and schools, colleges and universities.

Do I have to give a student or employee a copy of the references I have written or received about them?

The starting point should always be that references are confidential. However, as a general rule the student or employee should be able to obtain a copy of that reference from the person who receives it.

Where references are expressly stated to be ‘In confidence’ it may be possible in certain circumstances to withhold them from the person to whom they relate should they make an access request. However, this is not straightforward and the advice of the Information Protection Unit should be sought in advance.

Where you have provided a reference to a third party at an individual’s request and are happy to give a copy to the individual then there is no reason you are not prohibited from doing so.