Contents

Purpose of Document

Terminology

Purpose of Working Group

Objectives

Deliverables

Pre-requisites

Scope

Membership

Mandate

Interfaces to other groups

Meetings

Agenda

Reporting

Annexe 1 – Glossary of Terms

Purpose of Document

This document defines the terms of reference for the General Data Protection Regulation (GDPR) Working Group.

Terminology

Some of the terms used in this document have a specific meaning in the context of the regulation. Where this is the case the reader is referred to Annexe 1 for a definition of the term.

Purpose of Working Group

The working group constitutes a source of cross-departmental authority and expertise such that all matters affecting the achievement of GDPR compliance on the part of University of Roehampton can be resolved through reference to and action by the group. As such the group has the accountability and authority to take the decisions, formulate and drive the actions and to secure the resources necessary to achieve compliance.

Objectives

The working group has the following objectives:

  1. Ensure all university policies, processes, procedures and standards that refer to the acquisition, processing, storage, retention, loss and accessing of personal data (see Annexe 1) guide, specify and/or constrain these activities such that they are compliant with the regulation.
  2. Ensure all personal data processed by or on behalf of UoR are defined and categorised as per the requirements of the regulation under Article 30.
  3. Ensure all contractual relationships with third parties and all processes defining or pertaining to the movement of personal data between UoR and third parties are compliant with the regulation.
  4. Ensure that the information to be provided to data subjects (see Annexe 1) by UoR at the time of personal data acquisition, including the legal basis and the purpose(s) of the processing, is defined for each personal data subject area.
  5. Ensure all individuals, whether directly employed by, or working under contract to UoR who have access to personal data (data handlers) have knowledge of and access to policies, processes, procedures and standards sufficient to enable them to comply with the regulation.
  6. Ensure all technology used either to process or to prevent unauthorised access to, amendment or destruction of personal data is fit for purpose within the terms of the regulation.
  7. Ensure that adequate data governance arrangements are made within the University under the terms of the regulation.
  8. Ensure that a risk-based approach is taken to achieving compliance, and that any issues of non-compliance are appropriately mitigated by the date the regulation comes into force.

Deliverables

The working group will deliver the following:

  1. Re-drafted policies, processes, procedures and standards where re-drafting is necessary to enable UoR to meet the requirements of the regulation, or else evidence that existing versions of such documents are sufficient to meet the requirements.
  2. Re-drafted contracts with third parties, where re-drafting is necessary to enable UoR to meet the requirements of the regulation, or else evidence that existing versions of such documents are sufficient to meet the requirements.
  3. Re-drafted policies, processes, procedures, standards and third party contracts in force.
  4. Records of personal data processing activities as specified in Article 30 of the regulation.
  5. Documented specifications of the information to be provided to data subjects at the time of personal data acquisition and specifications of the nature and content of the communications to be used for the transmission of such information.
  6. Training and briefing materials crafted and delivered to data handlers such that they are able to execute and/or comply with any re-drafted policies, processes, procedures, standards or third party contracts as specified under deliverables 1 and 2, and are able to communicate necessary information to data subjects as specified under deliverable 5.
  7. Changes to personal data processing scripts, user interfaces, automated data access security policies, data security software and associated databases, hardware and physical infrastructure where technology does not conform to the requirements of the regulation, and documented statements to the effect that technology conforms to the requirements where it does.
  8. Arrangements for adequate data governance within the University under the terms of the regulation.
  9. Any issues of non-compliance are appropriately mitigated by the date the regulation comes into force.

Pre-requisites

The working group has the following pre-requisites:

  • Allocation of sufficient resource time to activities – all roles on the working group will be populated by individuals who will need to balance the related activities with the requirements of their day-to-day roles. The success of the working group will depend on this balance allowing sufficient time to be allocated to working group activities.
  • A legal framework to service the working group
  • Availability of budget to fund activities
  • Availability of training resources to deliver training to data handlers

Scope

The following are within scope of the working group’s sphere of activity:

  • Personal data subject areas – the following areas are in scope: Student, Research Participant, Alumnus/Donor, Customer, Partner, Pupil and Employee. (See link for a specification of each subject area.)
  • Processing activities – all activities performed by UoR or by third parties acting on its behalf involving the processing of personal data where UoR is acting either in the capacity of a data controller or of a data processor. (See Annexe 1 for a definition of the terms controller and processor.)
  • Policies, processes, procedures and standards related to the processing of personal data by or on behalf of UoR.
  • Legal bases for processing - all documents, for example contracts, whether physical or electronic, on which the legal bases for processing personal data by or on behalf of UoR are constituted.
  • Data handlers – all individuals either employed by, working for UoR under contract, or working on research projects under the aegis of UoR who have access to personal data and/or are involved in processing the data.
  • Technology – all personal data processing scripts, user interfaces, automated data access security policies, data security software and associated databases, hardware and physical infrastructure that enables or influences UoR’s processing, storage, retrieval or destruction of personal data.
  • Risks and issues - all risks posed to or issues compromising UoR’s ability to comply with the regulation.

Membership

The working group has the following members:

Role / Incumbent
Project Manager/Chair / George Turner
GDPR Consultancy / David Harley (Civica)
Data Protection Officer / Alison Bainbridge
GDPR Comms. Office / Andrew Mowbray, Leah Bunn
Legal Counsel / Kim Small
Security & Risk / Michael Volkmer
IT/Business Analysis / Hiren Patel
Partner Manager / Jennifer Wilkinson
Customer Experience / Matt Wall
HR / Toby Beehan
Personal Data Business Owner (PDBO) – Student / Ranjit Sahota, Kelly McDonnell
PDBO – Research Participant / Valerie Horwood
PDBO – Alumnus / Eleanor Merrick
PDBO – Partner / Fiona Gardiner, Jennifer Wilkinson
PDBO – Pupil / Peter Flew (also representing Academic Departments)
PDBO – Employee / Toby Beehan
PDBO – Commercial and Business Admin / Baljit Kaur
PDBO – Planning / Emily Lodge
PDBO – Student Support / Aleata Alstad-Calkins

Also in attendance at the meetings are:

  • Saladin Rospigliosi (Heythrop College)
  • Nadeem Ahmed (Heythrop College)

Mandate

The working group operates under a mandate from the Financial Strategy Group (FSG).

Interfaces to other groups

The working group has the following interfaces to other groups:

  • Project Board – the board supervises and guides the working group. The working group reports progress against plan to the board and also raises to it risks and issues that require mitigation or resolution or decisions that need to be made at a level above the group’s authority.
  • Audit Committee – this committee of the University Council has responsibility for monitoring compliance and risk.
  • Data Quality Working Group

Meetings

The working group will meet on the second Thursday of each month.

Agenda

The standing agenda of the working group is as follows:

  • Review actions from previous meeting
  • Review project risks and issues
  • Review progress against plan
  • Tabled agenda items
  • Any other business

The agenda for the next meeting will be circulated to working group members by the first Thursday of each month.

Items can be tabled for the agenda by contacting George Turner at by the 1st of each month.

Reporting

The project manager will report the following to the Project Board each month:

  • Progress against planned activities
  • Milestones achieved/missed
  • Risks and issues, including risks that require mitigation or issues that require resolution by a higher authority than the working group
  • Decisions required by Board
  • Rate of budget consumption

Annexe 1 – Glossary of Terms

The table below defines some of the specific terms used in this document in the context of the regulation.

Term / Definition within terms of regulation
Personal Data / Information relating to an identified or identifiable natural person
Data Subject / The natural person identified by the data
Data Controller / Determines the purposes and means of the processing
Data Processor / Processes data on behalf of the controller