Information for staff - updated for the GDPR
The Development Office (DO) have arranged several GDPR Q&A sessions. These were initially for advice on processing Alumni data but the DO have kindly expanded these sessions to cover all GDPR considerations, with assistance from Information Compliance.
New Information Custodian Network
Each school or department will have one or more Information Custodians (ICs) as we form an Information Custodian Network (ICN). The ICs will be the primary contacts for the Information Compliance team as we look to improve our protection of personal data in accordance with the GDPR. The list of ICs will be published here.
The Information Compliance Team are developing tools to be used by schools and departments to assist with the GDPR. The ICs will be the primary contact for the implementation of these but input from other staff in the School or Department is also likely be needed.
Tools for GDPR compliance
Information Asset Register (IAR)
A tool to help identify, risk assess and monitor manual or electronic collections of personal data. The IAR is under development but ICs and/or supporting staff should create a list of information assets owned by the service in order to answer the following questions:
- Does the asset have a privacy notice or policy (aka 'How we use your information')?
- Has the asset been assessed for security risks?
For example, IS Requirements check security when they help implement new software.
- Does the asset involve high risk processing of personal data? (See DPIAs below)
- What is the source of the personal data and who is it shared with?
- Does the asset have a retention policy?
The University's primary source of DP training is the mandatory online training module. There is now a new course to enrol on entitled Data Protection (GDPR). The main purpose of the training is to remind staff of what personal data is and the importance of taking care of it. This is the same under GDPR as it has always been under the DPA.
The old course ‘Data Protection and Freedom of Information’ is still available to enable staff to check how recently they have completed Data Protection training.
The online training should be appropriate for all desk-based staff. If you are responsible for staff who are not based at a desk then please contact the Information Compliance Team to discuss alternative solutions.
Information Security Incident Management (data breaches)
Staff need to be aware of the importance of a swift response to any data breaches in accordance with our procedure. Under GDPR it is mandatory to report serious breaches to the Information Commissioner's Office within 72 hours..
At the heart of GDPR is a greater transparency of our personal data processing activities. One of the ways this is achieved is through privacy policies, sometimes called privacy notices or simply 'How we use your information'. Kent has one main privacy notice which students sign up to as part of enrolment, then many more 'smaller' notices as we look to collect and use their information during and after their programme of study. A draft of the new GDPR enrolment notice will be available so that Information Custodians can evaluate their own notices as we look to bring them all together on the Information Compliance site.
Data Protection Impact Assessments (DPIAs)
Assessing information risk is a key part of compliance. DPIAs are mandatory for high risk processing of personal data. The Article 29 Working Party have defined what sort of processing should be considered high risk in their Guidelines on Data Protection Impact Assessment (see pages 7 to 10).
Our guidance includes a template to help your assessment. IS Requirements also have a DPIA template to use as part of their implementations. Both are fine to use, Information Compliance will look to standardise a new template in the near future.
Third party contracts - Organisations that process personal data on our behalf
Documents to be updated in accordance with the GDPR: