Records Management and Data Protection Checklist 1. Beforehand At the start of any project the following conditions must be met: - Any third parties with access to University data are aware of their security obligations and contracted to comply. - Any third parties with access to personal data have signed a data processor agreement. - Access to university data by third parties and staff involved in the project is limited to that which is necessary to fulfil their purposes. 2. Process/System Requirements Any new process or system should meet the following conditions: a. Data Protection (applicable to any project which involves personal data of any kind) - Access to personal data is limited on a strict need to know basis with access to sensitive personal data treated as an exception - There is a system/process for ensuring that personal data is kept accurate and up to date - If personal data is being collected a privacy notice is provided outlining how it will be used - We can suspend processing data about a particular individual if they ask us to do so - If the project involves processing personal data in a significantly new or different way (e.g. provision of a University Credit Card), the Records Manager has been informed to update the University’s Data Protection Notification. b. Security - The data held in the system is limited to only that which is necessary to fulfil its purpose. - Where possible access has been limited both to the information available and the actions available (read/write access, no printing, no downloading etc) to different user groups - Measures are in place to track who changed the data, when and what the changes were. - Technical advice on the security of information has been obtained from the Information Security Team c. Retention - Data can be identified and deleted when no longer required. - There is a process in place for ensuring that information is retained for a specified time in line with a Records Retention Schedules meeting legal, operational and historical needs. - Where possible, consideration has been given to ensuring the continued access to information which may be of long-term historical value. If you have any questions about the issues raised above please contact recordsmanagement@exeter.ac.uk Further information of Information Security can be obtained from P.R.G.Sandy@exeter.ac.uk March 2011 CHD Glossary Data Processor Agreement A Data processor is an organisation or person who processors personal data on behalf of the University, the University remains responsible for the processing. We must ensure that an agreement is in place that obliges the processor to comply with the Data Protection Act, a standard agreement is available from the records manager and the legal office can obtain advice for more complex cases. Data Protection Notification Under the Data Protection Act the University is required to register annually with the Information Commissioner’s Office and notify them of the purposes for which the University processes personal data. Where these purposes change the Notification must be amended. Personal Data Any information/data which relates to a living individual who can be identified from those data, or from those data and other information held by the University and includes any expression of opinion about the individual. Privacy Notice A notice provided to individuals, normally at the time personal data is collected, outlining the personal data will be used. Records Retention Schedule A schedule providing the recommended retention periods for specific types of information, used to ensure compliance with legal, operational and historical needs. Sensitive Personal data Any personal data relating to an individuals’ ethnicity, political opinions, religious beliefs, membership of a trade union, physical or mental health, sexual life, actual or alleged criminal offences. March 2011 CHD