Your Data Responsibilities

Data and information security is integral to the University operating safely, securely and legally.

Your Responsibilities

It is the responsibility of each individual accessing any University reporting or analytics tool to ensure that there is a clear legal basis for processing any personal data that they may have access to. If you are unsure about the legal basis you have for performing a specific data access / processing activity, please contact your data protection champion.

Data Protection Champions List

You should also ensure the data access / processing activity is recorded on the Data Processing Register.

Please refer to the Data Protection Handbook

Mandatory Information Security and Data Protection courses

The University Executive has stipulated that all staff are required to complete information security and data protection training. Due to the nature of the information available within BI Tools, access will now be dependent on the successful completion of these mandatory courses.

BusinessObjects: To continue using BusinessObjects after July 31st 2018, both courses must be completed successfully. This applies to both existing and new users.

This does not currently apply to Power BI access

Security Essentials Course - Access Instructions
Data Protection Training - To access, click the link above and follow the instructions for accessing Learn, select 'Data Protection Training' in the My Learn tab

Reports containing personal information

Reports no longer required: If you have documents that contain pre-cached personal data which you no longer need – I.e. For which you have no identified legal basis for processing – then you must delete these as soon as is practicable.
Reports Required with a Legal Basis for Processing: You must ensure your document in SAP BI Suite is set to 'refresh on open', or in Power BI that your refresh schedule is appropriate for the report’s content so that no static data remains in the report when it is opened.

Exporting data

It is your responsibility to ensure that the handling and usage of exports is in line with data protection and information security standards.

For all content or documents you export, please review the export parameters with a view to ensuring that your exports only have the type and amount of personal information needed to support your business activity.

Wherever possible, you should also avoid sending personal information by email.

Exporting from Power BI

Since October 2018 Power BI report designers can choose if they want end users (report consumers) to have access to export the underlying data, aggregated data or be unable to export any data.

Details on how to change export options in Power BI

SAP BusinessObjects - Additional Security Responsibilities for Content Owners and Creators

Access to personal data objects in reports	Objects conveying personal data have been removed from commonly used universes.
Static data in reports	Issue: when opened, some public reports may display pre-stored personal or sensitive data that is not relevant to the user accessing the report. Resolution: content owners should set the report to 'refresh on open' so that no static data is displayed when it is opened. The report user should always be asked to select via prompts only the data that is pertinent to their intended, legal use.
Securing the report query	Issue: Advanced users can amend the report query to return different / more data than the report was intended to supply. Resolution: content owners can ensure that the query cannot be amended by report users, by setting the following option. Query Panel > Query Properties button > Untick "Allow other users to edit the query of this report".
Prevent sharing of reports	Issue: There is no way within the BI Launchpad for content creators to prevent the sharing and downloading of the reports a user has access to. Resolution: content owners can contact IS who can implement any desired restrictions on exporting content.
Exporting and downloading data	Issue: users are able to download reports, or schedule them to be sent to University email addresses. Resolution: we do not recommend downloading or emailing reports containing personal or sensitive data as this increases the likelihood of a data breach, since the exported content can't be easily tracked once 'off-system'. Consider the following alternatives: Ask: does the report need to be taken out of BusinessObjects in order to be used in your business process? If the answer is yes, because you need to blend universe data with local data you hold on your PC, then please consider the alternative option: you can upload your local data (xlsx, txt, csv) into BusinessObjects, where you can create reports with it in combination with other data sets. <link to video> If you don't want to send by email, but you want to ensure the recipient can only see the data you have prepared for them, consider scheduling the report to be sent to their BI Inbox in Excel or PDF format.

More Information

Information Security Regulations and Policies
For more information on Data Protection, please consult the Data Protection Handbook.
If you have any questions about these policies as they apply to SAP BusinessObjects, please write to reporting-analytics@ed.ac.uk.
If you have questions regarding Power BI then please use the contact form.

This article was published on 14 Aug, 2020