Getting ready for GDPR
The University Secretary has written to all staff about the General Data Protection Regulation (GDPR):
Dear colleague,
On 25 May this year, new data protection law will come into force, the General Data Protection Regulation (GDPR) supplemented by a new Data Protection Act. The new law covers personal data – information about people, for example, names, addresses, dates of birth, payroll numbers and student ID numbers.
You may have seen a lot of publicity around GDPR and the potentially significant impact that the new regulations could have. We have carefully considered what the new law means for the University and, whilst there will be some change needed, we will always try to provide workable, practical solutions that we believe everybody will be able to implement.
What does this mean for you?
Every one of us has a part to play in ensuring compliance with Data Protection law. We all have to think carefully about how we manage personal data. To this end you must:
- do the data protection related training* that the University has provided and
- familiarise yourself with, and act upon, guidance and policies provided by the University.
[* This link takes you to your own Minerva log in, where you can search for and complete the Information Security Essentials training and if appropriate, the Advanced training.]
In particular, please see the new electronic housekeeping tips, which provide easy and sensible advice on how to manage things like your emails.
Key areas to consider are:
1) Making sure we keep personal data (whether in paper or electronic form) safe and secure – for example, by using locked filing cabinets and by making sure that laptops are encrypted.
2) Deleting personal data when they are no longer needed – for example, information that we no longer need on students or staff who have left the University: see the retention schedule.
3) Making sure that, when we share information about individuals externally, we have the right to do so and that proper safeguarding arrangements in place, which usually means written data sharing agreements. Further information on data processing and data sharing agreements.
4) Keeping data to a minimum, anonymising personal data wherever possible. For example, when sending spreadsheets which identify people, check that there are no extraneous tabs; in conducting research, always anonymise or pseudonymise data unless there are compelling reasons why you can’t.
5) Immediately reporting any security breaches involving personal data to the IT help desk during normal office hours and to security outside those hours. This applies in particular to the loss or theft of a laptop with personal data, and when, for example, papers (like CVs) are left on public transport.
Like most organisations, the University finds that the bulk of data protection problems arise from simple human error, for example by sending the wrong email to the wrong person, or by sending spreadsheets containing personal information that is not needed for the task in hand. Being mindful of the key principles above can help to reduce the likelihood of information going astray.
What is the University doing?
- The University is introducing new training, which is compulsory.
- The University is providing practical advice that you can assimilate into your day to day working practices.
- Data Champions have been appointed who will act as local points of contact where you can go for further information and assistance.
- If you are concerned about any of the above, or you want more general information, please see in the first instance the University's Data Protection website.
Kind regards
Roger Gair
University Secretary
Posted in: University news