
Page 1: GDPR 05 Step by Step Guide ARU v1 - web.anglia.ac.uk Protection/GDPR... · Completing the Information Risk Assessment Tool (IRAT) Spreadsheet A Step by Step Guide for Staff ... Data

GDPR 05 Step by step guide ARU v1.6 FINAL 30/01/2018 Page 1 of 14

Completing the Information Risk Assessment Tool (IRAT) Spreadsheet A Step by Step Guide for Staff

Contents

Introduction ... 2
What is GDPR? ... 3
Risk profile worksheet guidance ... 3
What is an information flow? ... 4
What is personal data? ... 4
What personal data do we need to record on the spreadsheet? ... 5
Which information flows should be mapped? ... 5
What is a data item? ... 5
How do I complete the spreadsheet? ... 6
Glossary of terms used for access control ... 9
Data items worksheet guidance ... 12
Metadata worksheet guidance ... 12
3rd Party Companies & Software ... 13
Definitions work sheet guidance ... 14
Lawful basis work sheet guidance ... 14
Internal mapping work sheet guidance ... 14


Introduction

We are in the process of complying with the requirements of the General Data Protection Regulation (GDPR), which places a legal obligation on us to identify all transfers of personal data in and outside of the organisation.

The purpose of this exercise is to gain an understanding of the information security controls currently in place and to assess whether they are sufficient to protect the personal data being transferred. This will ensure that the controls we deploy are consistent in the way personal information is handled. We must assess the potential risks to the many transfers of personal data for which we are responsible.

To carry out this exercise we require your cooperation to help us identify the data flows within each operational area of ARU that is processing personal data. This is important as it enables us to understand how data is transferred to, from and within ARU, and helps us make sure that measures are in place to ensure data is secure in transit and at rest, and that it reaches its destination promptly and safely.

We are writing to you, as the person responsible within your operational area, to ask you to complete the attached spreadsheet. There are clear step by step instructions on how to do this below.

If you have any queries regarding this or require further information, please contact:

[email protected]


What is GDPR?

On 25 May 2018, the new General Data Protection Regulation (GDPR) comes into force across the European Union, including the UK, enhancing the rights of individuals and giving them more control over the data held on them by organisations.

As an institution holding and processing the personal details of many individuals, Anglia Ruskin University will need to be compliant with the new legislation in a number of ways. We will need to develop efficient business processes for dealing with requests from individuals to see the information held about them, as well as having the technical solutions to manage that information. We will need to develop clear privacy statements and data retention policies to demonstrate compliance. We will also need to demonstrate an effective approach to training all staff in data protection responsibilities.

The new regulations make it the responsibility of everybody to protect personal information, so being aware of how this affects you is important.

Risk profile worksheet guidance

Key message

Upon opening the workbook, DO NOT click Enable Content if prompted.

The spreadsheet is designed to be used within ARU for follow up exercises in the future. It is essential that you retain a copy of the spreadsheet.


What is an information flow?

An information flow is when person identifiable data is transferred by any of the following:

Email
Fax
Post – hard-copy or electronic media
Text Message
Manual – e.g. USB stick, laptop
Automatic system transfer
Manual upload to system

The following should be excluded from a data mapping flow:

Phone calls
Accessing a shared drive

For the avoidance of doubt, data being exported from ASTRA or other systems and stored on a personal or shared drive is being transferred from its source location and stored somewhere else, so it must be recorded.

What is personal data?

Personal data is any information that identifies a living person, or that in conjunction with any other information is capable of identifying an individual. An example of this would be a staff member’s name and their address information from an HR system, or even quasi-identifiers from a research project which, when combined with other information, could re-identify an individual.

We also process sensitive personal data, and this may include personal data that consists of information on genetic, biometric, racial or ethnic origin, political, religious or philosophical beliefs, trade union membership, physical and mental health, sex life or sexual orientation.

An example of sensitive personal data could be a research study involving student names, identifying disability and ethnicity.


What personal data do we need to record on the spreadsheet?

The transfer of personal data for students, staff and research participants. Examples include:

pseudonymised data held in a research study
name, student number (SID), telephone number, email to Student Advice Services

Which information flows should be mapped?

Person-identifiable information that:

Flows between Faculties/Professional Services
Flows between sub areas in the same Faculty/Professional Service
Flows in/out of ARU
Flows from a central server to a desktop

Examples are personal data on staff being released to HMRC for tax purposes or student application personal data being provided from UCAS.

Please include manual/digital flows relating to original and back up/copy data.

Do not map flows of information:

Within sub areas, unless you are transferring from one data asset type or data asset location to another

What is a data item?

A data item is a piece of personal data, or a document containing personal data, which is transferred from one location to another. Examples would be a P45 that is sent to a former employee; financial information on a student, including their name, provided to the Student Loans Company; or student personal data such as name and contact details that the University provides to ARU Students Union for management of its membership. For further prompts on data items please see the Data items work sheet.

Please use local terminology to describe the data item.


How do I complete the spreadsheet?

Ensure that your faculty/professional service area details are correctly identified. Please ensure that you have included your name (cell P2), job title (S2) and Ext. details (Q3).

After entering these details, select cell B8 and then choose View and Freeze Panes. This will make it easier to work with the spreadsheet.

For the purpose of this exercise you are required to complete the Risk Profile work sheet columns A to Z only. Columns AA to AP will auto fill and must not be overtyped.

Please return the completed spreadsheets by email to: [email protected]

Please find detailed below a “step-by-step” guide to completion of the “Risk profile” work sheet. The column headers have comment boxes that provide you with advice on how to fill in the required information to complete the spreadsheet.


Reference No (Column A)

You will need to allocate a unique reference number for each data flow. Each faculty/professional service has a unique code as identified in the table below.

Faculty or Professional Service / Code
Arts, Law & Social Sciences 00
Lord Ashcroft International Business School 01
Health, Social Care & Education 02
Science & Technology 03
Medical Science 04
IT Services 05
Academic Registry 06
Corporate Marketing 07
Research Development & Commercial Services 08
International Office 09
Learning Development Services 10
Human Resources Services 11
University Library 12
Student Services 13
Estates & Facilities Services 14
Financial Services 15
University Secretary’s Office 16
Vice Chancellors’ Office 17
Area Not Covered 18

Sub area code – Please see the Internal mapping work sheet, column C, for your Sub area code.

The data flow code (4th to 6th characters) runs from 000 through 999.

Each flow of data identified will be numbered consecutively, e.g. 11F001, 11F002.
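The reference number scheme above can be checked mechanically before a sheet is returned. The Python helpers below are an added example, not part of the ARU guide or the IRAT workbook; they assume the sub-area code is a single letter, as in the guide's 11F001 example, and that consecutive numbering starts at 001.

```python
import re

# Faculty / professional service codes, copied from the table in the guide.
FACULTY_CODES = {
    "00": "Arts, Law & Social Sciences",
    "01": "Lord Ashcroft International Business School",
    "02": "Health, Social Care & Education",
    "03": "Science & Technology",
    "04": "Medical Science",
    "05": "IT Services",
    "06": "Academic Registry",
    "07": "Corporate Marketing",
    "08": "Research Development & Commercial Services",
    "09": "International Office",
    "10": "Learning Development Services",
    "11": "Human Resources Services",
    "12": "University Library",
    "13": "Student Services",
    "14": "Estates & Facilities Services",
    "15": "Financial Services",
    "16": "University Secretary's Office",
    "17": "Vice Chancellors' Office",
    "18": "Area Not Covered",
}

# Assumed shape (inferred from the guide's example 11F001): two-digit faculty
# code, one-letter sub-area code from the Internal mapping worksheet, then a
# three-digit flow number in the range 000-999.
REF_PATTERN = re.compile(r"^(?P<faculty>\d{2})(?P<sub_area>[A-Z])(?P<flow>\d{3})$")


def parse_reference(ref):
    """Split a reference such as 11F001 into its parts and resolve the faculty name.

    Raises ValueError if the shape is wrong or the faculty code is not in the table.
    """
    m = REF_PATTERN.match(ref.strip().upper())
    if not m:
        raise ValueError(f"{ref!r} is not of the form NN<letter>NNN, e.g. 11F001")
    code = m.group("faculty")
    if code not in FACULTY_CODES:
        raise ValueError(f"{ref!r}: faculty code {code} is not in the code table")
    return {
        "faculty_code": code,
        "faculty": FACULTY_CODES[code],
        "sub_area": m.group("sub_area"),
        "flow": int(m.group("flow")),
    }


def find_duplicates(refs):
    """Return, in first-seen order, any reference that appears more than once."""
    seen, dupes = set(), []
    for r in (x.strip().upper() for x in refs):
        if r in seen and r not in dupes:
            dupes.append(r)
        seen.add(r)
    return dupes


def next_reference(faculty_code, sub_area, existing):
    """Allocate the next consecutive reference for a faculty/sub-area pair.

    `existing` holds references already on the sheet; numbering is assumed to
    start at 001 and, as the guide states, cannot go beyond 999.
    """
    if faculty_code not in FACULTY_CODES:
        raise ValueError(f"unknown faculty code {faculty_code}")
    prefix = faculty_code + sub_area.upper()
    used = [parse_reference(r)["flow"] for r in existing
            if r.strip().upper().startswith(prefix)]
    n = max(used, default=0) + 1
    if n > 999:
        raise ValueError(f"no flow numbers left for {prefix}")
    return f"{prefix}{n:03d}"
```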


Faculty or Professional Service (Column B)

Please select the appropriate area from the drop down list.

Sub-Department of Faculty or Professional Service (Column C)

Please select the appropriate sub-department or professional service area; this is contained in the Sub Area code on the Internal Mapping Work sheet.

CMT Ownership

Please select the appropriate member from the CMT Ownership list who is responsible for the completion of the spreadsheet. If the work is delegated to another colleague, such as the Operational Lead, the named CMT member will still hold ultimate responsibility for co-ordination and collation of the data required.

Data Item (Column E)

You can select from the list (see the Data items tab) or alternatively describe the data item using terminology that is in local use.

Data Asset Type (Column F)

Select from the drop-down list.

Data Asset Location (Column G)

Select from the drop-down list.

Where is the data held originally and specifically (i.e. paper record, J: Drive, SITS, etc.)? (Column H)

Please select from the drop down list.

Key message

If you select “other” then you must provide further details in column Z. This applies to the selection of “other” in any subsequent drop down list.

Is there access control? i.e., password protected / role specific access (Column I)

Please select from the drop down list.


Glossary of terms used for access control

Term: Definition

Access Control: Typically a user login and password to access data, such as the HR system or Agresso.

Password protected: The data is protected by a single password, e.g. a Word or Excel document.

User specific access (ASTRA): The users require specialised access for their role, as specifically requested by their line manager (http://web.anglia.ac.uk/it/software/studentdata/astra.phtml).

Specific login required: Rights and privileges are allocated through the login.

External website/User specific login and password required: The website requires that, to access data and/or content, you must provide a unique user login and password.

User specific access (Non ASTRA, for example SharePoint or J: Drive): The users require specific access for their role on this specific system, to be assigned by IT Services or the software package.

Other (Please specify in “Other Relevant Information”): If none of the above apply, enter a free text description in column Z.

Is data downloaded from secure systems to less secure systems? (i.e., ASTRA to J:/) (Column J)

Please select from the drop down list.

Confirm flow of data (Inbound or Outbound) (Column K)

Confirm whether you are sending this data item out of your faculty/professional service area (Outbound) or whether your faculty/professional service area has received it (Inbound).

Recipients or sender details (Column L)

Please indicate the faculty/professional service area or external organisation that receives the data. If the information is transferred by email, please indicate the type of email address, e.g. various email addresses at HEIs (xxx.ac.uk).

Enter the faculty/professional service area or organisation who will receive the Data Item (if the Data Item is Outbound), or who has sent the Data Item (if the Data Item is Inbound). Make it clear whether the recipient/sender is within ARU or outside of ARU.


Destination of Transfer (Column M)

You must specify the destination of the data from the drop-down list. If the data is received, select N/A.

Key message

If you send data to different geographic locations, such as within the UK and outside the EEA, a separate data flow must be completed for the flows within the UK and for those outside the EEA.

What purpose do we hold the data for? (Column N)

What is the purpose of the transfer? Why is it necessary? Is it mandatory? e.g., Health & Safety, research, audit etc. If there is a statutory obligation, please indicate this and the Act and relevant clause if known.

GDPR Legal Justification (Column O)

Please see the Lawful Basis worksheet for further information and then select from the drop down list.

Type of content of transfer (Column P)

Please give a brief summary of the content of the transfer, e.g. student name, student number (SID), DOB, bank details and address.

Content type (Column Q)

Confirm whether the Data Item contains address details, other Personal Identifiable Data relating to staff/students or other types of individuals, or very sensitive information (as defined in accordance with the Data Protection Act 1998).

Normal = data in the public domain
Personal = includes personal data that can identify an individual
Sensitive personal = includes sensitive personal data (e.g., ethnicity, trade union membership, healthcare data)


Format (Column R)

Select from the drop-down list. Other may include microfiche, x-rays or other output such as visual materials not held electronically.

Number of Records transferred (Column S)

Select from the drop-down list. This is the total number of individual records contained in a typical data flow. Any transfer involving more than 50 records is treated as a bulk transfer and represents a higher risk.

Confirm the frequency of the transfer (Column T)

Select from the drop-down list. If a specific time period is not covered, please select “other”.

Method used for transfer (Column U)

Select from the drop-down list.

Key message

Using different methods means a separate data flow for each method of transfer.

How is the information protected? (Column V)

Please select from the drop-down list.

Key message

Using different protection methods means a separate data flow for each protection method of transfer.

For how long do we store the data? [Please check Record Retention Schedule] (Column W)

The detail may be available in the “Retention Years” column.


Why is the data held for that time period? [Please check Record Retention Schedule] (Column X)

This may be a legal obligation; if so, please indicate the relevant Act and Section if known. Alternatively, there may be no specific legal obligation but the retention period is based upon a business requirement. If that is the case, please provide a brief synopsis.

What measures are in place for the secure disposal and/or destruction of personal data that are no longer required? [Please check Record Retention Schedule] (Column Y)

Please select the most appropriate method from the drop down list.

Other relevant information/General Risks/Impacts/Concerns (Column Z)

This is particularly important if you have selected “other” from any of the drop-down lists. We are expecting an explanation, but please keep the level of information brief. On a similar basis, if you are aware of any associated risks, impacts or concerns, please identify them here.

Data items worksheet guidance

The data items sheet is for information purposes only and contains some of the more commonly used data items within the HEI sector. The Data items sheet is an aide-memoire to assist completion of the Risk profile work sheet.

Metadata worksheet guidance

This contains details utilised for the drop down lists and calculations of the risk. There is no need for you to alter this work sheet.


3rd Party Companies & Software

Team

Enter the team or relevant operational area.

Individual

Enter the name of the individual responsible for the business relationship or who sends the data to the third party.

Third party company

Confirm the name of the third party company.

Controller or Processor

Confirm whether the company is a controller or processor as defined in the “Definitions” work sheet.

Data shared & reasons why. Is any data sharing agreement in place already? Bespoke software in use?

Explain why the data is shared and whether or not a data sharing agreement is in place. Does the data sharing agreement cover any sub processor, or not? Is there bespoke software in use? If yes, then we will need to follow up and obtain assurances that the software is GDPR compliant, includes the ability to provide appropriate levels of security and can satisfy the rights of data subjects.

Name of sub processor

If there is a known sub processor, please confirm their name. We will need to follow up and ensure that contracts are in place that adequately protect the interests of the University and individuals.


Definitions work sheet guidance

Self-explanatory work sheet detailing the definitions contained in GDPR that will assist your understanding of the terminology being used.

Lawful basis work sheet guidance

Outlines the various lawful bases for data processing and can be used for additional information when completing GDPR Legal justification in the Risk Profile work sheet.

Internal mapping work sheet guidance

Provided for information purposes only; it assists with the completion of the Risk profile work sheet.