GDPR - Policy

• Data protection policy - GDPR
• University activities – basis for lawful processing of personal data
• Major systems storing and using personal data

Data Protection Officer

The Head of Information Governance acts as the University's Data Protection Officer. In that role they have access to the University Secretary & COO directly. They may also refer to the Principal and/or the lay Chair of the Audit Committee where appropriate.

 

GDPR - Information for individuals

The notices below provide general information concerning the University’s use of personal data from different stakeholder groups.

• Privacy notice - students - 2017_18
• Privacy notice - applicants for study
• Privacy notice - alumni
• Privacy notice - staff
• Privacy notice - applicants for employment
• Privacy notice - professional contact information
• Information on how the University deploys cookies on its website
• HESA privacy information - The University, like all universities, must provide information to HESA each year. Their websits sets out how they use information concerning students and staff.

These notices provide information on how personal data is used in key services within the University.

• Privacy notice - Academic and Corporate Governance/University Executive Office‌
• ‌Privacy notice - Estates and Campus Services
• Privacy notice – External Relations – Marketing and Recruitment
• Privacy notice – External Relations – Public Engagement and Major Events
• Privacy notice - Finance
• Privacy notice - Human Resources - Occupational Health
• Privacy notice – Institute of Sport and Exercise (ISE)
• Privacy notice - Library and Learning and Culture and Information
• Privacy notice - Research and Innovation Services
• Privacy notice – Student Services – Careers Service – Employers
• Privacy notice – Student Services – Careers Service – Students
• Privacy notice – Student Services – Counselling Services
• Privacy notice – Student Services – Disability Services
• Privacy notice – Student Services – Health Service
• Privacy notice – Student Services – Registry

Individual rights

• Notes on how to exercise your rights under GDPR

GDPR Toolkit

Tools and templates for use by University staff.

Standard Operating Procedures

• Managing requests for information
• Data incident management
• Information security classification - guidance to help University staff consider the sensitivity of information and the most appropriate means of storage and transmission
• Requests for personal data from external agencies

Templates

The templates linked below include notes on their use. MS Word versions of these files are available from Information Governance.

a. Privacy notice - A privacy notice provides information to individuals concerning our use of their personal data. It explains why that use is fair, lawful and proportionate. Privacy notices are fundamental to the University demonstrating to people how personal data is used and must be provided when personal data is collected and used.

• Template privacy notice

b. Data Protection Impact Assessment - A Data Protection Impact Assessment should be completed for all new or modified uses of personal data. Data Protection Impact Assessments are mandatory for all high-risk or high-volume processing of personal data, for the introduction of any new systems or for monitoring and/or surveillance systems (such as CCTV).

• Template data protection impact assessment

c. Consent - Consent under GDPR must be freely given, specific, informed, unambiguous and demonstrable. The template below provides a starting point for seeking informed consent. Information Governance can provide suport in its use.

• Template for securing consent

Data agreements are required when working with partners and suppliers and processing personal data. Standard agreements are maintained by Legal. Please contact legalteam@dundee.ac.uk for assistance in this domain.

The University’s retention practices are informed by sectoral guidance from JISC, available online here - http://bcs.jiscinfonet.ac.uk/he/default.asp. The JISC business classification scheme also provides the basis for the matrix detailing University activities and why they are lawful (linked above).

The University differs from the JISC model as follows:

• The trigger for each retention period is normally 'end of the academic session in which' rather than 'last action';
• Commercial contract information will be retained for 10 years after the end of the session in which the contract closed;
• Information compliance case files (data subject access requests, freedom of information and environmental information request) will be retained for three years after close of session in which the file was closed;
• Copies of summatively assessed work will normally be destroyed one year after marks are confirmed at examinations board unless: a. professional body requirements mandate that they are retained for longer than that; b. the assessment contributes to final degree award where it will normally be retained for one year after the final examinations board; or c. the discipline maintains copies of dissertations or similar work for reference.

The University will vary retention periods as required to meet statutory obligations, for example those required by UK Visas and Immigration.

Training may be requested by any School, Professional Service or team at any time by emailing dataprotection@dundee.ac.uk.

The University issued a leaflet to all staff concerning GDPR in May 2018 - GDPR leaflet, University of Dundee staff.

A network of champions has been established to provide a local contact on data protection matters in each School and Professional Service. To find who your local champion is, please see this file - GDPR Champions.