Data protection and information compliance considerations for University staff designing a new project, process or procedure, or assessing an existing one
To ensure that data protection, freedom of information and records management requirements are met for any project, process, system or procedure, you should consider the following key issues:
- The legal basis for processing personal data
- Privacy notices
- Data sharing and data processor contracts
- Information security
- Retention and records management issues
- Training and procedures
If relevant you should also consider the following specific issues:
Data protection impact assessment
In some cases you will be required to carry out a data protection impact assessment. You must carry out a data protection impact assessment if you are doing any of the following:
- Starting a new project involving the collection of personal data;
- Introducing new IT systems for storing and accessing personal information;
- Participating in a new data-sharing initiative with other organisations;
- Initiating actions based on identifying particular demographics;
- Using existing data for a “new and unexpected or more intrusive purpose”.
Ensure you obtain the appropriate approvals for your project, process, system or procedure. This must include agreement from the business steward or owner of personal data. For example, if your project involves sharing personal data about students from EUCLID, it should be approved by the Director of Student Systems.
If your project involves a contractual or quasi-contractual arrangement, refer to the University's Delegated Authority Schedule for information about who is required to sign any contract.
Legal Services have useful guidance on who you should contact for different kinds of contracts.
You must ensure you keep a record of the decision-making process in the appropriate place in your department's filing scheme.