Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

Checklist - University of Exeter

advertisement 
Records Management and Data Protection Checklist
1. Beforehand
At the start of any project the following conditions must be met:
- Any third parties with access to University data are aware of their security obligations and contracted to
comply.
- Any third parties with access to personal data have signed a data processor agreement.
- Access to university data by third parties and staff involved in the project is limited to that which is necessary to
fulfil their purposes.
2. Process/System Requirements
Any new process or system should meet the following conditions:
a. Data Protection (applicable to any project which involves personal data of any kind)
- Access to personal data is limited on a strict need to know basis with access to sensitive personal data
treated as an exception
- There is a system/process for ensuring that personal data is kept accurate and up to date
- If personal data is being collected a privacy notice is provided outlining how it will be used
- We can suspend processing data about a particular individual if they ask us to do so
- If the project involves processing personal data in a significantly new or different way (e.g. provision of a
University Credit Card), the Records Manager has been informed to update the University’s Data Protection
Notification.
b. Security
- The data held in the system is limited to only that which is necessary to fulfil its purpose.
- Where possible access has been limited both to the information available and the actions available
(read/write access, no printing, no downloading etc) to different user groups
- Measures are in place to track who changed the data, when and what the changes were.
- Technical advice on the security of information has been obtained from the Information Security Team
c. Retention
- Data can be identified and deleted when no longer required.
- There is a process in place for ensuring that information is retained for a specified time in line with a
Records Retention Schedules meeting legal, operational and historical needs.
- Where possible, consideration has been given to ensuring the continued access to information which may
be of long-term historical value.
If you have any questions about the issues raised above please contact recordsmanagement@exeter.ac.uk
Further information of Information Security can be obtained from P.R.G.Sandy@exeter.ac.uk
March 2011
CHD
Glossary
Data Processor Agreement
A Data processor is an organisation or person who processors personal data on behalf of the University, the
University remains responsible for the processing. We must ensure that an agreement is in place that obliges the
processor to comply with the Data Protection Act, a standard agreement is available from the records manager
and the legal office can obtain advice for more complex cases.
Data Protection Notification
Under the Data Protection Act the University is required to register annually with the Information Commissioner’s
Office and notify them of the purposes for which the University processes personal data. Where these purposes
change the Notification must be amended.
Personal Data
Any information/data which relates to a living individual who can be identified from those data, or from those data
and other information held by the University and includes any expression of opinion about the individual.
Privacy Notice
A notice provided to individuals, normally at the time personal data is collected, outlining the personal data will be
used.
Records Retention Schedule
A schedule providing the recommended retention periods for specific types of information, used to ensure
compliance with legal, operational and historical needs.
Sensitive Personal data
Any personal data relating to an individuals’ ethnicity, political opinions, religious beliefs, membership of a trade
union, physical or mental health, sexual life, actual or alleged criminal offences.
March 2011
CHD
Related documents
Records Retention and Disposition Schedule (Page 1)
Records Retention and Disposition Schedule (Page 1)
Lec1Ch1
Lec1Ch1
Executive-Assistant-2015
Executive-Assistant-2015
Student Development Committees 2014
Student Development Committees 2014
ass1
ass1
Analog Devices Training
Analog Devices Training
Membership Engagement & Retention Director
Membership Engagement & Retention Director
IN THE EVENT OF AN EMERGENCY, PLEASE NOTIFY THE
IN THE EVENT OF AN EMERGENCY, PLEASE NOTIFY THE
Chapter 14 slides
Chapter 14 slides
Name - rdmmedia
Name - rdmmedia
Practical(word)
Practical(word)
CH. 4 THE COMPONENTS OF THE SYSTEM UNIT
CH. 4 THE COMPONENTS OF THE SYSTEM UNIT
- How to Use the BOOTP-DHCP Server to Set the IP Address of a
- How to Use the BOOTP-DHCP Server to Set the IP Address of a
ESE355: VLSI System Design
ESE355: VLSI System Design
MS Word - NCSU COE People
MS Word - NCSU COE People
Efficient architecture for Computer Hardware Based on RISC
Efficient architecture for Computer Hardware Based on RISC
IBM System p 570 Model 9117-MMA
IBM System p 570 Model 9117-MMA
With thanks to: Obstetrics & Gynecology
With thanks to: Obstetrics & Gynecology
IMPLEMENTATION OF CRYPTOGRAPHIC ALGORITHMS USING A
IMPLEMENTATION OF CRYPTOGRAPHIC ALGORITHMS USING A
Chapter 2 - Cal State LA - Instructional Web Server
Chapter 2 - Cal State LA - Instructional Web Server
Linux Programming
Linux Programming
DOC Multi-Core Processor Licensing
DOC Multi-Core Processor Licensing
Download
advertisement