The data protection landscape is made up of several pieces of legislation including the General Data Protection Regulation (GDPR), the Data Protection Act (DPA) 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (Legislation).
Compliance with the privacy principles
As a university, we support the aims of the legislation to strengthen the rights of individuals in respect of their personal data and we place a high importance on protecting the data we hold. As such, we commit to the principles of the legislation in that we will:
- Process all personal data fairly and lawfully
- Only process personal data for specified and lawful purposes
- Endeavour to hold relevant and accurate personal data, and where practical, we will keep it up to date
- Not keep personal data for longer than is necessary
- Keep personal data secure and employ a “data protection by design” approach to systems engineering and projects that promotes and incorporates privacy and data protection considerations from the outset
- Review our range of governance and privacy policies to ensure they are kept up to date
- Undertake training and awareness raising activities for staff and students so that they understand their obligations
- Ensure that we only share personal data where we have appropriate data sharing agreements in place with third parties
- Only work with companies for data processing services that are data protection compliant and which enter into appropriate data processing agreements
- Endeavour to ensure that personal data is not transferred to countries outside of the European Economic Area (EEA) without adequate protection.
What steps are we taking?
We have undertaken extensive work towards our compliance and continue to take steps to ensure that our processing of personal data complies with the legislation. In particular, we have:
- Undertaken a systematic audit of the personal data that we collect and process
- Implemented an asset repository to assist in keeping data assets containing personal data up to date
- Conducted data mapping of our main processes involving personal data
- Kept a log of our compliance activities
- Assessed our lawful bases for processing data to ensure all personal data is processed lawfully, fairly and transparently
- Reviewed and are currently updating our online induction data protection training for new staff
- Provided training and guidance to staff on the Legislation
- Instigated campaigns to raise staff and student awareness across the University
- Updated our Data Protection Policy (PDF)
- Introduced and improved dedicated processes for managing subject rights and data breaches to ensure that timeframes are better met
- Identified suppliers who process personal data on our behalf and ensured that new suppliers are compliant with the legislation
- Ensured that our contracts contain compliant clauses
- Appointed a Data Protection Officer.