GDPR goes live this week
GDPR will be fully in force from this Friday - 25 May 2018. Over the last few months we have provided guidance on when we can use personal data; what we need to tell individuals about how we use their personal data; how we hold and then delete that data; and how quickly we need to respond in the event of a personal data breach.
Where possible, use University managed devices (laptops/PCs/phones) and have encryption enabled: PGP encryption on Windows 7, BitLocker encryption on Windows 10. Smartphones should also be password protected. Do not share passwords for any devices. If you use a personal device, it is your responsibility to ensure it is secure (remind yourself of the existing minimum mandatory working practices), and do not allow others to use your device.
Please remember that you need to make sure any personal data is kept securely. Ensure you use the Warwick email system for work purposes.
We will be publishing the University’s updated Data Protection Policy soon.
GDPR - Reporting Personal Data Breaches
The University is required to keep a record of all security incidents involving personal data. Reportable incidents must be reported to the Information Commissioner by the Data Protection Officer (DPO) of the University of Warwick, within 72 hours of detection, and without undue delay to individuals affected by the incident. It is vital that all staff report a personal data breach, however minor, as soon as possible after discovery so that we can use the 72 hours to establish what has happened, the size of the breach and whether it needs to be reported further.
Here is guidance on what a personal data breach is, what to do if you know (or suspect) there has been one and how the IDC Team will manage such breaches. Please find below the forms required:
GDPR - Records retention
One of the principles of both the Data Protection Act 1998 and the GDPR is that personal data should be kept for no longer than is necessary for the purposes for which the personal data are processed (except in certain specific and limited instances as defined in Article 89 of the regulations).
The University’s Record Retention Schedule (RRS) is a tool that enables the University to transparently demonstrate to third parties (e.g. via the publication of the RRS on the internet) how the organisation complies with this data protection principle by making provision for the time periods for which common classes of records are retained by the University.
The disposal of information and records, as codified in the University RRS, also adheres to the practices which the Lord Chancellor’s Code of Practice on the management of records, issued under section 46 of the Freedom of Information Act 2000, sets out as desirable for the relevant authorities to follow in connection with the keeping, management and destruction of their records.
The RRS is a living document and is subject to ongoing review and development at the University. If, on accessing the RRS via the University’s records management internet page, you find that a record you are working with is not listed on the schedule, the Records Management page contains guidance and an accompanying quick guide on how to set a retention period for a record at the University of Warwick. If you require any further advice, please contact the University Records Manager.