Records Management

Compliance checklist

Data protection and information compliance considerations for University staff designing a new project, process or procedure, or assessing an existing one

To ensure that data protection, freedom of information and records management requirements are met for any project, process, system or procedure, you should consider the following key issues:

Specific issues

If relevant you should also consider the following specific issues:

Cloud software and services

International transfers


Data protection impact assessment

In some cases you will be required to carry out a data protection impact assessement. You must carry out a data protection impact assessement if you are are doing any of the following:

  • Starting a new project involving the collection of personal data;
  • Introducing new IT systems for storing and accessing personal information;
  • Participating in a new data-sharing initiative with other organisations;
  • Initiating actions based on identifying particular demographics;
  • Using existing data for a “new and unexpected or more intrusive purpose”.

How to conduct a data protection impact assessment (DPIA)


Ensure you obtain the appropriate approvals for your project, process, system or procedure. This must include agreement from the business steward or owner of personal data, for example if your project involves sharing personal data about students from EUCLID it should be approved by the Director of Student Systems.

List of Data Stewards [University login required]

If your project involves a contractual or quasi-contractual arrangement refer to the University's Delegated Authority Schedule for information about who is required to sign any contract. 

Powers of Delegation

Legal Services have useful guidance on who you should contact for different kinds of contracts. 

Legal Services contracts guidance

Record keeping

You must ensure you keep a record of the decision making process, in the appropriate place in your department's filing scheme.