Skip to main content

GDPR Advice

Welcome to this advice and information page for staff in CLL

The General Data Protection Regulation (GDPR) is legislation related to how we treat personal data. It comes into force on 25th May 2018. Penalties for violation are severe and Institutional accountability is much higher than before.

Please note this page and any advice is offered to support and supplement the main University of Warwick GDPR page. Please use the central university page as the authoritative source of information and advice.

This page is under development. For advice about safe practice and for support using university tools and technology please contact eLearning Manager Jim Judges.

Tips and advice for working safely with sensitive and personal data

1. Only use University of Warwick systems for storing and sharing files.
  • Your personal H: Drive (personal storage) & departmental M: Drive (shared storage) can be accessed from your computer drive or remotely via
    Although please note depending on your folder permissions all CLL staff may be able to access files stored in the M: Drive.
  • If you need to share large files or files with users who do not have access to the shared M: Drive then consider using Files.Warwick you can use this to share content with a named individual.
  • Avoid USB drives - they are easily lost. They can be password protected but best to avoid using them if you can.
  • Do not use external file stores (e.g. DropBox, Google Drive)
  • One Drive for Business is another alternative and can be accessed at click the applications icon in the top left of the screen, then click OneDrive. You may also be able to access this through your computer directly - see "Favorites". This could be useful for securely sharing files or folders with named individuals or small teams. However Sharepoint may be a better option for teams and special projects - seek advice if you want to consider using this or see here.
2. Take care when using Email, especially if the email contains personal and sensitive data.
  • You should only use your approved Warwick email account (your address).
    Do not auto-forward email to external providers such as Hotmail or Gmail.
  • Email addresses do count as personal data. Consider if the people you are forwarding an email to already have access to this data. For Warwick staff the answer is likely to be yes, for students or members of the public the answer is likely to be no. If the answer is no you may need to delete previous recipients names & contact details before you send.
  • When forwarding an email check the contents of the previous email exchange, only send what needs to be sent, delete anything else. Do not include any personal information about anybody unless it is required for the task being caried out.
  • Consider who you copy into emails, and whether explicit consent has been given when sharing sensitive information. If you are unsure, seek permission before sending on such information.
  • Consider if using email attachments is the best and safest option? The answer may be no if the file contains personal or sensitive data. Under these circumstances you may be better sharing the file in a secure drive (see item 1. above)
  • Remember that personal data also includes a person’s physical, physiological, mental, economic, cultural or social identity and includes data from which a living individual can be identified whether directly or indirectly. Therefore avoid or remove descriptions or hints about a persons identity unless permission has been granted to share this information.
  • Be aware that individuals can request to see all personal data held on them - which includes informal comments (including emails).
  • Consider if email is the best option?
  • See central university advice for information on Email & Data Protection
3. Security of your device
  • Devices should have a password enabled.
  • If you are away from your PC or device make sure it is locked or you have logged off (use Windows + L).
  • Close the lid of your laptop when not in use.
  • Consider setting a timed screensaver. When your computer has been inactive for the set amount of time the scrensaver automatically displays and your password is required to start using the computer again.
  • If you are using an unmanaged or personal device then you must manage the risks associated with any activity involving university information. Please see here for advice from ITS
4. A key focus of the GDPR is data minimisation and avoiding duplication of data sets.
  • Any necessary student data should only be held by central systems or the Administrative team on the relevant university systems.
  • Review your electronic files and ensure any student data is deleted.
  • Ensure no other personal student data is held on electronic devices (computers, laptops, tablets etc.).
  • If you are unsure of whether the department holds a copy of what you are going to delete or dispose of, please do check with a member of the administrative team first.
  • Only hold data about individuals when it is necessary and for no longer than is necessary
5. Your physical workspace
  • Take care with documents, forms, assignments letters and other paper documents. Either store necessary documents securely (only if needed and for as short a time as is needed) or dispose of using confidential waste sacks
  • Lock your computer every time you leave it unattended
  • Take care when Photocopying, printing, scanning and saving
    - Do you need to copy, print or scan sensitive information?
    - Where are you saving sensitive data, on what device and why?
    - Don't leave papers on the photocopier
6. What is a data breach?
  • A personal data breach is an incident that involves the unauthorised viewing, access, retrieval or deletion of data by anyone without permission to do so. e.g. this might involve loss or theft of equipment on which data is stored; or an email containing personal data being sent to the wrong recipient.
  • If you think that a data breach has occurred inform your line manager and the central GDPR team:

Where can I find out more?

Thanks & Feedback
The information on this page has been compiled from a range of sources. Thanks to Daz Kittendorf (IT Manager PAIS) and Elaine Moore (CLL) for their contributions. If you spot something that doesn't look right or have any ideas on how this page could be improved please contact Jim Judges.

All staff should complete
the GDPR Training
Resource in Moodle

University GDPR Pages

GDPR Updates


  • Only use university systems & tools for storage and sharing
  • Never share your password
  • Use Windows + L to lock your machine
  • Take extra care with any personal or sensitive information in emails
  • Ask - do you have permission to share?
  • Keep a tidy desk free of visible information
  • Only hold data about individuals when it is necessary and for no longer than is necessary

View or print the mini-guide to
Confidentiality & handling
personal data in the workplace

Want to find out more?

Try the short Interactive
 Guide to GDPR
(15 mins)

Find this page again using