Finance


Information Governance and Data Protection

The University takes all aspects of Data Protection very seriously.

We need to hold and process large amounts of personal data about students, employees, alumni, contractors, research subjects and other individuals in order to carry out all the University’s business and administrative functions. This data is subject to the Data Protection Act 1998 (and other legislation) and concerns all administrative and academic areas within the University. Data must be collected, stored, used and disposed of in accordance with the Data Protection laws. It is also essential to protect data to ensure commercial confidentiality and protect against fraud.

The University must comply fully with all the provisions of this legislation. All staff members who work with personal data must familiarise themselves with the Act's data protection principles and our obligations. Failures or weaknesses in our processing of personal data can result in significant harm and distress to the individuals affected and may also cause significant reputational and financial damage to the University. If you believe that personal data has been lost, stolen or accidentally disclosed to third parties, this must be reported to the University's Information Governance Office immediately. The loss or theft of computers, laptops, tablets, mobile phones or other hardware should also be reported to University Security.

How to report a data protection incident.

University Security Services.

Key points to remember

  • Individuals have the right to ask to see any information the University holds about them. We have 40 calendar days to respond. If someone asks to see information that you hold about them, contact the Records Management Office as soon as possible.
  • The University must tell individuals what you do with information regarding them, including to whom it is disclosed.
  • Data must be kept securely. Personal data must be kept on secure University network storage and not on PC hard drives or any kind of portable storage device (e.g. laptop, USB storage, removable hard drives) unless the file or device is encrypted.
  • If you pass personal data outside of the University, follow University policies and procedures. This includes publishing personal information on the internet, allowing contractors access to systems, and sharing personal data with government agencies and others.
  • Personal data should not be kept for longer than necessary in line with the University’s retention schedule.

Information Security Classification and Sensitive Personal Information

The Act imposes stricter rules for the special categories of personal data (often referred to as sensitive personal data). This includes information on a data subject’s racial or ethnic origin, political opinions, religious beliefs or philosophical opinions, trade union membership, processing of biometric or genetic data (a new category), health data and sexual life. Special category information (sensitive personal data) therefore includes sick notes and records (including emails) about sickness absence, ill-health retirement and maternity leave. Paper records with such information should be kept in a locked cabinet, while if a computer file or spreadsheet contains any special category (sensitive) personal data, it must be saved in a secure folder with restricted access, encryption and password protection.

Information Security Classification

The University’s Information Governance Office has issued policies on how data should be classified. There are three aspects to consider when classifying information: confidentiality, integrity and availability. The information security classification is determined by assessing the adverse impact or damage that would occur if there was a breach in the confidentiality, integrity or availability of the information.

The Information Security Classifications for Confidentiality are Highly Restricted (High Impact), Restricted (Medium Impact) and Unrestricted (Low Impact).

Integrity and Availability are classified as Critical (High Impact), Important (Medium Impact) and Low Value (Low Impact).

For further information, see the Standard Operating Procedure for classification of University information assets.

The Information Governance Office (IGO) has published some examples of information requiring restricted access. These classifications are intended to help describe the security measures needed to protect information.

Further Information

Further information is available at the University's dedicated Data Protection website.

Guidance on how to respond to requests to disclose data is available.

If you require further advice on Information Governance, or if you have concerns about disclosing any information, contact the Information Governance Office, which is responsible for University-wide compliance with the Data Protection Act and, from 25 May 2018, the General Data Protection Regulation (GDPR).

The University’s Information Governance and Data Protection policies are on the Information Governance Office website.

Queries and concerns regarding data protection and information governance issues outside Finance should be raised with the Information Governance Guardian (IGG) for the area concerned. If that is not possible for any reason, please report the matter to the Information Governance Office.

Data Protection Training

All Finance staff are required to take and pass the online Data Protection course.

Unlike previous versions, the current version of the course does not produce an email confirming when it has been passed. Please take a screenshot of the Blackboard screen stating that the course has been completed, and forward it to your Data Protection Guardian. The Information Governance Guardian for Finance is Laurence Clarke.