Data Quarantining GDPR

University Secretary Jennifer Sewel introduces the project ensuring University data files are GDPR compliant.

Dear colleagues

I want to update you on the current project to ensure the University’s data files are compliant with data protection regulations and our own data retention schedule. A project has been running to identify files which contain personally identifiable data and fail to meet these criteria. These files will be moved into quarantine, and you will need to request access to them if they are still needed.

Quarantining for the M: and N: drive will begin on 1 March 2023.

This email explains what data is affected and what it means for you. Please read it carefully.

What data is affected?

Data protection regulations, which include General Data Protection Regulation (GDPR) and Payment Card Industry (PCI) standards, as well as the University’s own data retention schedule, state that personal data can only be retained with a lawful basis and for a specified time period.

Personally identifiable data (or personal data) is any data that can be used to identify an individual and can include:

Contact information (name, address, telephone number)
Financial information (bank account numbers, credit card information)
Personal characteristics (date of birth, age, gender)
Other sensitive information (political opinions, religious beliefs, sexual orientation)

In December 2021 the University installed a tool called Varonis to scan all of the University files on the M: and N: drives and SharePoint Online in order to identify where personal, credit card and password data is being held in files.

What is the quarantining process?

The Information Governance team have determined that files which meet the following criteria should be quarantined for security and data protection reasons:

Any file of any age that appears to contain credit card account numbers (PCI requirement).
Any file of any age that appears to contain passwords. That is, character strings containing a mixture of upper case, lower case, numbers, and/or special characters indicative of being a password (University requirement).
Any file containing personally identifiable data that has not been modified in over seven years and not accessed in the last 120 days (GDPR requirement).

The software detects the presence of data that meets these criteria but does not actively read or access identified files.

Any file that meets the above criteria will be moved to a secure quarantine location. The file will be held there for three months to allow individual appeals to take place if required. All files will also be backed up for a further nine months as an additional safeguard. If the appeal is approved after the file has been deleted (at the end of the initial three-month quarantine period) it can still be restored during this additional backup period.

What does this mean for me?

Quarantining for the M: and N: drives is due to commence on 1 March. Most of your files will be unaffected. If you do have a file which is quarantined, when you click on it you will be redirected to a SharePoint site; from there you will be able to submit a Microsoft form to request that the file be restored.

For further information on what quarantining means for you please access the IT website here. If you have any further questions please contact the Information Governance team via dpo@leeds.ac.uk.

With best wishes

Jennifer Sewel
University Secretary

Frequently asked questions about quarantine:

How do I request a quarantined file is restored?

Full details of how to request the restoration of a file will be on the Microsoft form which can be accessed from the message you are directed to when you click on a quarantined file.

For more information on the Appeals Process please click here.

What happens after I raise a request?

Once you have completed the request you will receive a confirmation email. If your appeal is successful, your file should be restored to its original location within five working days. If your appeal is unsuccessful then you will be notified via email of the outcome and the reason(s).

How long do I have to raise a request?

At the end of the initial three-month quarantine period, an appeal is still possible for a further nine months. However, the time to restore a file may be longer than five working days. At the end of this twelve-month period it is no longer possible to restore a file.
