Data protection by design

The University must identify and reduce data protection risks before processing (e.g., collected, organised, altered, stored, used, shared, disposed of) personal data.

When planning:

to use existing personal data for new purposes;
to gather new or additional personal data to support new or existing business activities;
to introduce new IT platforms that process personal data or develop/rollout functionality within existing systems that process personal data;
to enter into collaborative projects that involve the exchange of personal data with third parties e.g., other Universities;
to develop or update policies, processes and business practices that have privacy implications.

You must:

screen against the Data Protection Impact Assessment Screening Tool to see if an assessment is required;
gather the minimum amount of personal data necessary for the intended purpose/s;
pseudonymise or anonymise personal data wherever possible (e.g., at point of collection or analysis) as a privacy enhancing measure;
share data internally on a need-to-know basis only;
put in place appropriate agreements with third parties to ensure external data sharing is compliant;
ensure data is held securely and in accordance with University IT standards. Where new systems are to be introduced or existing systems modified, the University’s IT Outsourcing and Cloud Computing Policy must be followed;
develop, where appropriate, standard operating procedures to ensure data handling arrangements are documented and fully understood;
retain personal data for no longer than necessary. For further information contact the University’s Records Manager or review the University’s Records Retention Schedule; and

put the rights of individuals first by providing them with appropriate privacy notices and ensuring their rights are supported.