Information Governance

Guidance for Employees

"I have no intention of changing our proportionate and pragmatic approach after 25 May. My aim is to prevent harm, and to place support and compliance at the heart of our regulatory action. Voluntary compliance is the preferred route. But we will back this up by tough action where necessary; hefty fines can and will be levied on those organisations that persistently, deliberately or negligently flout the law.

Report to us, engage with us. Show us effective accountability measures. Doing so will be a factor when we consider any regulatory action."

ICO Commissioner, IAPP Europe Data Protection Intensive 2018, London, 18 April 2018

The Information Governance Unit produces policy, guidance and training content to help employees implement data protection practices in line with the GDPR.

Guidance and templates are available through the sidebar navigation. Refer to these pages for information on specific topics.

Process-oriented FAQs have been developed that provide guidance on key activities and links to related content. If a link is not present in an FAQ, the content is likely to be in development.

Do I understand my role and responsibilities?

Mandatory for Employees

Internal Guidance

External Guidance

Activities:

  • Read and understand the mandatory documentation.
  • Complete the GDPR Training.
  • Reading the guidance is recommended.
  • Determine any additional support and training required by staff.
  • Identify and manage data protection risks.
  • Line Managers to ensure staff have completed personal data protection training prior to permitting access to personal data.

Why do I want to collect Personal Data?

Mandatory for Employees

Internal Guidance

External Guidance

Activities:

  • Determine reason for collecting and document.
  • Complete DPIA screening questions (Step 1 of DPIA template) or, for Research, a Data Management Plan.

Should I collect Personal Data?

Mandatory for Employees

Internal Guidance

External Guidance

Activities:

  • Determine and document lawful basis for processing.
  • Identify all points at which Personal Data is collected.
  • Identify any services provided directly to children.
  • Identify any Personal Data used for Direct Marketing.
  • Determine how consents shall be sought, recorded and maintained.
  • Develop local processes to ensure that Personal Data collected are accurate, adequate, relevant and not excessive.
  • Plan to undertake routine weeding of Personal Data.

What Personal Data will I be collecting?

Mandatory for Employees

Internal Guidance

External Guidance

Activities:

  • Undertake an Information Survey.
  • Complete the Information Asset Register (or review and update the existing IAR) and return to IGU.
  • Use Information Asset Register as basis for managing Personal Data assets in line with the other steps.

Who will the Personal Data be shared with?

Mandatory for Employees

Internal Guidance

External Guidance

  • Personal Data Sharing Decision Log
  • Arms Length Bodies

Activities:

  • Identify other Data Controllers with whom you share Personal Data or with whom you are a joint Data Controller.
  • Identify Data Processors.
  • Ensure that a contract with appropriate clauses or data processing agreement is in place.
  • Develop and manage local processes to ensure compliance with Contracts guidance.
  • Set up and implement a process to monitor compliance of data processors.

How will the data subject be informed about how we will process their data?

Mandatory for Employees

Internal Guidance

External Guidance

Activities:

  • Identify every point at which Personal Data is collected.
  • Ensure Privacy Notice prepared based on Privacy Notice Template covering all Personal Data processing (i.e. one per business unit) and is accessible at each point of collection.
  • Develop and manage local processes to ensure compliance with use of Privacy Notices.

Will the Personal Data be processed securely?

Mandatory for Employees

Internal Guidance

External Guidance

Activities:

  • Complete Data Protection Impact Assessment (DPIA) and implement controls to ensure Privacy by Design.
  • Implement or initiate controls to manage risks identified in DPIA, escalating where appropriate.
  • Develop and manage local processes to ensure compliance with the use of DPIAs.
  • Develop and manage local processes to ensure compliance with Information Classification and Handling Standard and guidance on Secure Storage and Secure Areas.
  • Develop and manage local processes to ensure compliance with requirements on providing Services direct to Children.
  • Develop and manage local processes to ensure compliance with requirements on Direct Marketing.
  • Ensure access to personal data is controlled.
  • If data is processed outside CIS-managed environments by a third party, initiate a supplier due diligence process to identify data privacy and security risks. For existing contracts, consider the contract duration and potential expiry prior to conducting this. Ensure review outputs are addressed.
  • Ensure security controls are managed.

How will I uphold Individual Rights?

Mandatory for Employees

Internal Guidance

External Guidance

Activities:

  • Develop and manage local processes to ensure compliance with Subject Access procedures.
  • Provide information for or respond to Subject Access Requests in a timely manner.
  • Where ‘Consent’ forms the basis for processing, ensure that an opt-out mechanism is available to the data subject and is supported by a process.
  • Understand impact on data retention and processing where consent is removed.
  • Determine mechanisms and processes to support data subject in updating or correcting data.
  • Where data is obtained from third parties, ensure such data is obtained lawfully and is validated.
  • Identify where automated decision making or profiling is carried out and document.
  • Develop and manage local processes to ensure compliance with Individual Rights.

How should I document my Personal Data processing activities?

Mandatory for Employees

Internal Guidance

External Guidance

Activities:

  • Document your data processing activities in line with the guidance. Use the templates where provided or ensure local processes and documentation are sufficient.
  • Ensure these are stored in a secure shared environment.

When and how should I dispose of Personal Data?

Mandatory for Employees

Internal Guidance

External Guidance

Activities:

  • Dispose of Personal Data for which no lawful basis can be determined, including Personal Data held by third parties.
  • Review the contract terms to determine whether there are special requirements for disposing or transferring records.
  • Develop and manage local processes to ensure compliance with the University Records Retention Schedule.
  • Dispose of Personal Data which should not be held, following the University Records Retention Schedule.
  • Undertake routine weeding.

What should I do if there is a data breach or suspected breach?

Mandatory for Employees

Internal Guidance

External Guidance

Activities:

  • Ensure that reporting lines are understood, documented and communicated, particularly with regard to external third parties.
  • Report actual or suspected loss or breach of data.
  • Comply with any investigation and provide evidence where required.

How will the University monitor and report on compliance?

Mandatory for Employees

Internal Guidance

External Guidance

Activities:

  • Monitor compliance with mandatory training.
  • Report against Key Performance Indicators as required.
  • Report or escalate risks to Information Asset Owners or Senior Information Asset Owners, as appropriate.