Data protection by design 

Background

Under UK GDPR, the University is required to identify and mitigate data protection risks before processing personal data (e.g., collecting it, storing it, using it, sharing it). This means that data protection compliance must be a primary consideration when planning:

  • to use existing personal data for new purposes;
  • to gather additional personal data to support new or existing business activities;
  • to introduce new IT platforms to process personal data or develop/roll out functionality within existing systems that process personal data;
  • to enter into collaborative projects that involve the exchange of personal data with third parties, e.g., other Universities;
  • to develop or update policies, processes and business practices that have privacy implications.

Key requirements

When planning to introduce a new processing arrangement, you must:  

  1. screen proposed processing activities against the Data Protection Impact Assessment Screening Tool to see if an assessment is required;
  2. gather the minimum amount of personal data necessary for the intended purpose/s;
  3. pseudonymise or anonymise personal data wherever possible, e.g., at point of collection or at point of analysis;
  4. share data internally on a need-to-know basis only;
  5. ensure data is held securely and in accordance with University IT standards. Where new systems are to be introduced or existing systems modified, the University’s IT Outsourcing and Cloud Computing Policy must be followed;
  6. put in place appropriate agreements with third parties to ensure data sharing is compliant;
  7. develop, where appropriate, standard operating procedures to ensure data handling arrangements are documented and fully understood;
  8. retain personal data for no longer than necessary. For further information, see the University’s Records Retention Schedule;
  9. put the rights of individuals first, i.e., provide them with appropriate privacy notices and ensure their subject rights are supported.