Looking after personal data

Email sent to all staff from Jennifer Sewel, University Secretary, on Monday 9 January

Dear colleagues

The University has a duty to protect personal data. Both your personal data and that of others who come into contact with the University. Personal data is information that relates to an individual. That individual must be identified or identifiable either directly or indirectly from one or more identifiers or from factors specific to the individual. This includes information such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Our duties are set out in GDPR

The General Data Protection Regulation (GDPR) provides a legal framework for keeping everyone's personal data safe by requiring organisations to have robust processes in place for the handling and storing of personal data. 

Under GDPR, the University must be able to provide evidence of actions taken to meet its requirements for personal data held in all locations, including digital file storage. Failure to comply with GDPR would leave the University exposed to risk of non-compliance which might incur sanctions from the Information Commissioner’s Office (ICO). 

The sanctions we might be subject to include receiving warnings and reprimands; imposing a temporary or permanent ban on data processing; ordering the rectification, restriction or erasure of data; and suspending data transfers to third countries, a risk of the University losing the ability to carry out research projects that require access to personal data. There is also the significant reputational risk that any fine or sanction would affect public confidence in the University’s ability to handle personal information. We might also face the risk of financial claims for compensation.  

Why does this matter to me?

Data protection regulations, and the University’s own data retention guidelines, state that personal data can only be retained where a legitimate reason exists and for a specified period of time. We are currently running a project to validate how many data files are held by the University containing material that is no longer required.  The overarching aim for the project is to consolidate our systems to ensure ongoing GDPR compliance across the University, particularly with regards to data held in our systems, applications, and shared storage.

Personal data as part of academic and clinical research is treated separately and will not be the subject of the current validation project. The data retention rules for research are covered here.

Further Information

To ensure compliance with both GDPR and University policy, please read through the following links for your reference which will provide further guidance:
•    Data Protection Code of Practice
•    GDPR Top Tips
•    Information Protection Policy

Please also make sure that your Information Governance Training is up to date (to be completed annually).
If you have any queries about any of this information, please contact either:

Alice Temple (Data Protection Officer): a.c.temple@leeds.ac.uk
David Laing (Business Compliance Officer): d.laing@leeds.ac.uk

With best wishes,

Jennifer Sewel
University Secretary

Posted in: