GDPR has arrived
So the day has arrived – the General Data Protection Regulation (GDPR) comes into force, and the new Data Protection Act 2018 has also been passed.
If, like me, over the last month you have been receiving emails from all those company mailing lists you have signed up to (including those you had forgotten you have signed up to!) telling you how they protect and handle your personal data, then you will be aware that the GDPR was on the horizon for us all.
Here at the University we have been doing the same.
We have written to all prospective and current students, as well as our alumni, to inform them of the updated University’s Data Protection Policy and our Student Privacy Notice.
As a member of staff, we ask that you read our updated Staff Privacy Notice carefully as it contains important information on how and why we collect, store, use and share your personal data, your rights in relation to your personal data and who to contact in the event that you have a query or complaint.
The changes in data protection legislation are significant in bringing about a sea change in how people expect their data to be provided as well as the consequences, both financial and reputational, at an institutional level if it is breached. This involves a cultural change for us all, where protecting personal data is embedded in everything we think and do. Even though the risk is an institutional one, we all have a personal responsibility for keeping personal data safe. If you follow our Golden Rules, that is a good start. As a reminder:
• Don’t share your passwords
• Lock away your papers when you are away from your desk
• Lock your tablet/laptop/desktop whenever you leave it
• Be aware when sharing personal data - ask what, when and how
• Use the Warwick systems to access your emails and documents
• Don’t work with personal data on personal devices that are not encrypted
• Incidents happen! Tell us when personal data is lost, stolen or shared by mistake
• Use the reporting procedure – we can help you take the right action
• Don’t keep personal data longer than you need it – follow the Warwick retention guidance
• Dispose of personal data with care – record how and when
We currently have 5 live personal data breaches, 3 of these are down to devices not being secure and 2 relate to access controls not being used. We are realistic in knowing that data breaches will happen but I want to be assured that we have everything in place that we can (through systems and individual behaviours) to minimise personal data breaches and their inevitable impact. If you are aware of, or suspect, there has been a breach of personal data you must report the breach immediately on discovery, using GDPRbreach at warwick dot ac dot uk dot .
Remember there is a lot of information on our GDPR pages and if you have any concerns about your responsibilities relating to personal data or are aware of any risk to individuals’ rights or risk of contravening the GDPR, contact the IDC team. For your convenience, at the bottom of this message are a list of our existing policies you need to know about so please take the time to read (and comply with) them.
Finally, thanks go to all of you who have been involved in documenting the data we hold and those who have completed the online training course: for those of you who haven’t done the online training, please do ASAP and here is the link so you have no excuse....GDPR e-learning module.
Best wishes
Stuart
Stuart Croft
Vice-Chancellor
Established policies/training you should be familiar with:
• Information Security Framework
- Regulation 31 protect devices against unauthorised access, misuse and harm and promote effective and secure communication. For example we have had recent incidents of phishing emails, that is, hoax emails sent to staff email addresses aimed at getting hold of your personal details or money.
- Information Security Training - annual training providing an overview of information security risks, relevant legislation and practical tips on how to protect the University's and your information.
- Information Classification and Handling Procedure - University-wide scheme for classifying (describing) information and how it should be handled according to its requirements for confidentiality, integrity and availability.
• University’s Record Retention Schedule (RRS) provision for the time periods for which common classes of records are retained by the University.