GDPR Compliance Checklist
For Advisers of Studies
The General Data Protection Regulation (GDPR) is concerned with the processing of personal and special category data about a living individual. Personal data is any information, in any document, from which a living individual can be identified, where:
- the individual is the focus of a document,
- the data includes significant biographical facts, opinions and intentions,
- the processing of the data affects the individual’s privacy.
The document may be in any format on any media. Special category personal data includes issues relating to the sexuality, mental & physical health, ethnicity, and political and religious affiliations of an individual.
Access to records by students
- Students have the right, under the Right of Access provisions of the GDPR, to request access to all documents held by the University that contain personal data about themselves. Such documents are not restricted to paper documents but also include data stored in IT systems such as email and file-store. Advisers must beware of retaining inappropriate or 'subjective' comments in a student's file, as these will have to be released to the student under the Right of Access provisions.
Authorisation to handle personal data
- When entering into the student contract during the registration process, the student is made aware that the University will process personal data to manage their time at the University. This includes the handling, sharing, and disclosing of student personal data by authorised support staff, such as Advisers of Studies, when necessary.
- The extent of the authorised handling is detailed in the personal data section of the University Regulations.
- Some specialised services within the University, such as the Student Disability Service and the Student Counselling and Advisory Service, require explicit consent from the student when he/she seeks to use that Service.
- If/when a student volunteers personal or special category data to the University, such as in support of a Good Cause claim, he/she is consenting to the processing of that personal data.
Sharing of personal data
- The Adviser of Studies need not seek additional consent to share personal data with authorised colleagues and authorised support staff. See previous section on authorisation to handle personal data.
- The authorisation includes sharing the data with staff of another institution where the course is joint or in collaboration with that other institution. Before you share the data, confirm that an appropriate data-sharing agreement is in place.
- In some cases, to avoid misunderstanding, it may be prudent to advise a student that personal data will be shared for an agreed action to be carried out. For example, the Adviser of Studies may need to pass personal data to another department or School/Institute in the University.
- Special category personal data, such as disability or impairment information, must not be publicly displayed.
- The University has no direct responsibility to parents or guardians and must respect the privacy of its students. Therefore, the Adviser must not reveal or confirm that an individual is a student at the University, nor disclose any information about the student, without the consent of the student. The Adviser must inform the parent that the requirements of the GDPR prevent the information from being disclosed.
Security of personal data
- Student files must be kept secure in locked filing cabinet(s) in a locked office.
- Only authorised persons must have access to an Adviser's office and to the contents of relevant filing cabinets.
All Advisers should seek advice from their local IT support or from the IT Services HelpDesk to ensure the following arrangements are operational:
- The Adviser to have a unique user-id and password that must be used to access both local and central MIS/corporate systems where personal data is stored;
- The Adviser's PC to have a password-protected screen saver, or other similar facility, to ensure information displayed on a screen is protected from casual sight by unauthorised persons;
- Advisers to save personal data files and E-mail messages to a secure network drive/server, and not to a local disk drive in the Adviser's PC, to protect against information disclosure and/or loss in the event of theft/damage;
- All Advisers' and support staff PCs to run anti-virus software with the software updated at regular intervals;
- Access to the personal data files on the network drive/server to only be available to the Adviser and to authorised support staff;
- The secure network drive/server to be backed up on a daily basis to protect against total loss of personal data in the event of fire/damage/failure;
- Advisers must be careful with the cc and bcc facilities available in e-mail systems, as the cc facility can lead to the accidental disclosure of email addresses. Where email recipients (particularly external recipients) have no need to know who else will receive the e-mail, or where it is not clear whether they are aware that others might be given their contact details, Advisers must use the bcc facility to ensure there is no accidental disclosure.
- Advisers, when communicating with students via e-mail, must use the student's University e-mail address.
Retention & disposal of personal data
- Documents containing personal and special category data must not be retained for longer than is necessary.
- Personal data may be found in email messages, the contents of spreadsheets, databases, and other resources held on IT systems. Electronic and paper-based documents must be considered as one logical set of records applicable to an individual student.
- Advisers must be conscious of the retention of inappropriate or 'subjective' comments in a student's file, as students have a right of access to all documents held by the University that contain personal data about themselves.
- Advisers must use secure disposal procedures, such as shredding, for manual personal data.
- Advisers must seek advice from their local IT support or IT Services HelpDesk when an Adviser's PC is identified for reallocation or disposal. The University's Disposal of IT equipment policy must be followed.
The advice below on references is general and applies whether the reference is written by an Adviser, tutor, lecturer, examiner, or other member of staff, or is compiled from consulting the individual's record.
- A reference must state whether it is written on behalf of the University or in a personal capacity, and whether the individual is known to the Referee.
- Advisers should indicate to students whether they will (a) provide a reference based on the factual record in the individual's file, or (b) only provide a reference when the student seeks the Adviser's prior permission.
- A reference that is very brief or overly enthusiastic may invalidate the reference in the eyes of the recipient.
- A reference originating from the University is exempt from a Right of Access request submitted directly to the University, though the recipient of the reference may release the document at his/her own discretion. The recipient is not required to seek the Referee's consent.
- A reference received by the University would normally have to be released under the Right of Access rules.
- A reference must be factually correct as far as is practical and state within what parameters the reference is given - as an Adviser, tutor, lecturer, examiner, or other member of staff, or from consulting the individual's record.
- Any evaluative comment in a reference must be clearly identified as such.
- An opinion, within a reference, about an individual's suitability must be based on facts available to the Referee.
- A reference must not be ambiguous, use coded language, nor allude to issues that cannot be mentioned in a written reference.
- A reference must not provide any special category data, such as health information, without the explicit written consent of the student. If necessary, a response such as "I am not in a position to comment regarding X's health/sickness/etc" is acceptable.
- If an Adviser is not able or willing to provide a reference then the refusal must be neutral and not imply a negative reference.
- A copy of a reference should be retained for one year.