INFORMATION MANAGEMENT DATA ASSESSMENT FORM
This form is a mandatory requirement for anyone proposing the use of a new third party supplier solution that will involve the use of University Data.
The effective management of information is essential in order to ensure we meet our obligations under the Data Protection Act 1998 (and the EU General Data Protection Regulations 2016). We are required under law to ensure that all processing of personal data held by the University, including that processed by third party suppliers (herein referred to as “solutions”), complies with requirements under this legislation. In respect of non-personal data, the University must also ensure that due diligence is given to terms of use, contractual obligations and other legal matters. The University adopts a Privacy by Design approach to new business initiatives that aims to identify and assess Data Protection requirements as early as possible. This is in order to provide clarity on supplier requirements, inform any supplier selection processes, streamline the approval process, and facilitate timely and efficient stakeholder consultations where required.
Third Party Suppliers will include (but are not limited to):
Software as a service (SaaS) applications
Infrastructure as a service (IaaS)
Applications (University wide or locally installed)
Third party hosted Cloud storage
Externally hosted databases and data storage
Please complete the form below with as much detail as possible. Forms with incomplete or missing fields will be returned, which could result in a delay to your project.
Please be advised that the below estimated timeframes will apply for approved initiatives. These will vary according to the nature of the solution proposed, potential volume and sensitivity of data involved, and subject to any contractual or legal requirements or negotiations. The signatory to this form will be responsible for liaising with the chosen supplier where necessary; the below do not account for possible delays accrued by your chosen supplier in respect of returning requested information to us.
High Risk (any of the below apply) / Estimated approval timeframe / 4-6 weeks
University wide use
Data sub contracted by supplier
Sensitive Research Data
Personal data of in excess of 50+ individuals*
Data host outside the EEA
Sensitive personal data of in excess of 5+ individuals**
Data provided to us by a third party subject to contractual terms
Medium Risk (any of the below apply) / Estimated approval timeframe / 2-4 weeks
Local use only (school/department)
No subcontractors used by supplier
Non sensitive research data
Data hosted in the UK
No sensitive personal data of individuals
Personal Information of less than 49 individuals
Jointly proposed by any third party data supplier
Low Risk / Estimated approval time / 1-3 weeks
Restricted or pilot area use (project/working group/team)
No research data
No personal information
Open source data only
Data will remain hosted internally by UoR
Data wholly owned by UoR
Data not subject to any contractual terms
*includes email addresses
**includes data pertaining to physical or mental health or ethnicity,
1. Details of Request
1.1 REQUESTING PERSON'S DETAILS
Name / Click here to enter text. /
Email / Click here to enter text. /
School/Department / Click here to enter text. /
Contact Number / Click here to enter text. /
Please be advised that as signatory, you will initially be assigned as the Information Asset Owner for data held within the requested solution and will have overall responsibility for the security, management, and governance of that data, ensuring appropriate access controls and retention schedules are in place, reporting of changes in use or scope, data risk assessments, business continuity, and assisting the Information Management team with any enquiries or issues that arise in respect of data held within the solution. Please contact for more information.
1.2 DETAILS OF PROPOSED SOLUTION
Name of proposed solution (e.g. SaaS, App, solution) / Click here to enter text. /
Company name/Supplier (if different to above) / Click here to enter text. /
Summary of purpose and intended use / Note: If already contained within a Business Case, please attach or provide relevant section
Click here to enter text.
Summary of data involved (select all that apply) / ☐No Personal Data ☐Personal data => 50 individuals ☐Personal data <= 49 individuals
☐No Sensitive Personal Data ☐ Sensitive Personal Data =>5 individuals
☐Research Data ☐Third party data ☐University data only
☐Pilot/project level/use ☐Local School/Dept. use ☐University wide Use
1.3 ADDITIONAL INFORMATION
Has a business case for use been submitted and approved? / Choose an item. /
Have you checked if we already have a supplier that can provide what you need? / ☐No – Please visit the procurement website, information for employees, for details of how to do this.
☐Yes – No suitable existing supplier
Have Procurement been consulted for spends above threshold? / Choose an item.
Conditions apply for spends above £10,000 (which includes the total of any individual payments you will make and for the full term of any contract/period of use entered into). This is to ensure that you get the most suitable items, the University achieves the best value, and we follow all necessary obligations to protect the University and yourself from any financial, legal or reputational risks.
You are required to consult with Procurement before this request can proceed any further. Please visit the procurement website, information for employees, for further details.
Once completed please return this form to your assigned IT Business Partner
Section 2: Office Use Only
4.2 IMPS OFFICE USE ONLY
Received on / Click here to enter a date. /
Request Reference Number / Click here to enter text. /
Copies of completed forms to be retained by IMPS.
© University of Reading 2018, Tuesday 2 October 2018