Closure Report
Project Summary
Within Finance there are multiple systems that contain personal data; eAuthorisations, eFinancials, eExpenses, eIT, eStores, eTime, FPM, Webfirst, Worktribe and Business Objects. Some of the systems don’t have an end date which would allow finance to know when personal data had reached the end of their retention period, they also don’t have a mechanism to delete the records when the retention period has been exceeded.
As of 25th May 2018 there was a requirement for The University of Edinburgh, including the Finance Department, to be compliant with the General Data Protection Regulation (GDPR).
Penalties for non-compliance is up to €20 million or 4% of annual global turnover – whichever is higher.
This project will consider all aspects of financial data across the portfolio of systems to ensure data held complies with GDPR requirements, and if not consider solution options for compliance within the current systems portfolio, then implement the chosen solutions.
Since July 2020 the scope of the project had changed dramatically. PICCL 14 in Mar 2020 changed and reduced the scope of the project. During the running of this project the scope of the project was decreased and made into a more manageable piece of work. By July 2020 the scope of the project had changed again; to identifying the Finance GDPRs, allocating them to the responsible person to work along with Data Protection to complete their GDPRs, and then with the closure to recommend where the other responsibilities lie to be followed up in the future.
Scope
In Scope:
- Liaising on approach with similar GDPR projects and programmes underway at UoE, e.g. HR Payroll/Pensions and SSP
- Data contained within the portfolio of Finance Systems (e.g. eFinancials, eAuthorisations and affected sub-systems) - which is identified as relevant to GDPR
- Data Protection Impact Assessments (DPIAs)
- Analysis of personal data as defined under GDPR – i.e. information that relates to an identified or identifiable individual
- Assessment of required changes to data in eFinancials, e.g. archiving and anonymising, incorporating requirements for core systems where known and reviewing the level of risk associated with retaining that data
- Assessment of required changes to data in eAuthorisations and affected sub-systems
- Solution options to comply with GDPR requirements (e.g. anonymisation and/or purging of data)
- Recommendation and Implementation Plan for required changes to affected systems (including identification of systems where GDPR is not relevant)
- Implementation of required changes to eFinancials
- Implementation of required changes to affected subsystems, where funded and feasible
- Data anonymising to identify and remove irrelevant and unnecessary data – e.g. where no legitimate business reason to retain, or beyond retention period
- Where funded and feasible, deployment of required changes into DEV and TEST environments
- User Acceptance Testing of DEV / TEST environments where deployed
- User Acceptance Testing of LIVE environments
- Deployment of changes into LIVE environments
- Communication to BI report owners distribution list about changes for GDPR
Out of Scope:
- Changes to retention periods
- Data cleansing to identify and remove data which is incorrect, incomplete or duplicated
- Refreshing and/or rewriting existing BI reports (this will be done by the report owners)
- Implementation of changes for Core Systems programme
- Implementation of GDPR changes to HR Payroll and Pensions, and Student Systems
- Anonymisation of data in LIVE environment
- Archiving and anonymising of sales ledgers – separate proposal submitted by Finance to run a Sales Ledger Review of systems, balances and archiving
Changes to scope since Brief
Removed from Scope - PICCL 14 (28 Feb 2020)
- Implementation of required changes to eFinancials [Note: changes for eFinancials are covered in the above scope in relation to DEV / TEST]
- Implementation of required changes to affected subsystems, where funded and feasible [Note: changes are covered in the above scope in relation to DEV / TEST]
- Data anonymising to identify and remove irrelevant and unnecessary data – e.g. where no legitimate business reason to retain, or beyond retention period
- User Acceptance Testing of LIVE environments
- Deployment of changes into LIVE environments
- Communication to BI report owners distribution list about changes for GDPR
Changes to scope - PICCL 18 (31-Aug-2020)
- Ensure all Finance Systems identified as relevant to GDPR have been identified
- Once identified assess the potential requirement for a DPIA
- Create required DPIAs and assign to relevant individual and/or team
- the identified individual and/or team will work together with Finance Business & Strategy Team and Data Protection Officer Renate Gertz to complete DPIA
- The identified individual and/or team will submit completed DPIA to Data Protection Office for review and approval
All other milestones are no longer relevant and should / will be withdrawn
Phase 1 and Phase 2 had already been completed and the future action left to complete is - the Revised Phase 2 only.
Objectives and Deliverables
|
Objectives and Deliverables |
Priority |
Owner(s) |
Achieved |
|
O1 To review financial data to ensure data held within systems complies with GDPR requirements |
|
|
|
| D1 Data Protection Impact Assessment | MUST | Finance, IS Applications | Y |
| D2 Analysis of financial data against GDPR requirements to identify gaps | MUST | Finance | Y |
| O2 To agree a plan for implementing/actioning the minimum required changes for GDPR | |||
| D3 Solution Options Document for current Finance system | MUST | Finance, IS Applications | Y held on the Sharepoint site |
| D4 Implementation Plan | MUST | Finance, IS Applications | Y held on the Sharepoint site |
|
O3 To implement the minimum required changes for GDPR |
|
|
|
| D5 Deploy changes to eFinancials in DEV and TEST environments | MUST | Finance, IS Applications | Y - Deployed and tested anonymisation functionality in DEV but deemed not feasible, hence not deployed to TEST or LIVE. (This only relates to eFinancials.) |
| D6 Deploy changes into eFinancials LIVE environments | MUST | Finance, IS Applications | N - was removed from scope (This only relates to eFinancials.) |
| O4 Scope change August 2020 | |||
| Ensure all relevant Finance Systems are risk assessed and required DPIAs are identified | MUST | Finance , Data Protection | Y |
| Once DPIAs identified and then assigned to the relevant team | MUST | Finance , Data Protection | Y |
| The identified team will work together with Finance and Data Protection Office to complete DPIA | MUST | Finance , Data Protection | Y - in progress, does not have to be completed in FIN127, but will be covered in BAU |
| The identified individual and/or team will submit completed DPIA to Data Protection Office for review and approval | MUST | Finance , Data Protection | Y - in progress, does not have to be completed in FIN127, but will be covered in BAU |
Benefits
| Benefits | Achieved |
| Using the DPIA for providing accountability, recording decision making and helping to eliminate data privacy risk | Y |
| Removes risk of incurring fines for non-compliance | Y |
| Enhanced security strategy and measures for protecting sensitive data | N |
| Improved management of personal data | N - removed from scope |
| Enhanced customer/employee trust in handling of personal data | Y |
| A means to defend any complaints to the Information Commissioner (ICo) | Y |
| Analysis that can be used by the Finance Transformation Programme and Core Systems Programme | Y |
|
Resolves existing data integrity issues to balance ledgers and balance accounts in system |
N |
| Additional Benefits | Achieved |
| All Finance DPIA's identified | Y |
| Once identified assigned to the relevant team | Y |
| The identified team will work together with Finance and Data Protection Office to complete DPIA | Y - in progress (9 out of 14 in November) |
| The identified individual and/or team will submit completed DPIA to Data Protection Office for review and approval | Y - in progress (9 out of 14 in November) |
Success Criteria
| Success Criteria | Achieved |
| GDPR data anonymisation/purging functionality running correctly | Y - Deployed and tested anonymisation functionality in DEV but deemed not feasible for large transaction volumes, hence not deployed to TEST or LIVE, however could be used for individuals (for eFinancials) |
| Able to proactively and reactively deal with requests from individuals about their personal data | Y - Deployed and tested anonymisation functionality in DEV but deemed not feasible for large transaction volumes, hence not deployed to TEST or LIVE, however could be used for individuals |
|
Documented GDPR data anonymisation/purging routines |
Y (for eFinancials) |
| Additional Success Criteria | Achieved |
| All Finance System DPIAs identified | Y |
| Once identified assigned to the relevant individual/team | Y |
| The individual/team will work together with Finance and Data Protection Office to complete DPIA | Y - in progress 9 of 14 completed in November, remaining will be completed by BAU |
| The identified individual and/or team will submit completed DPIA to Data Protection Office for review and approval | Y - in progress 9 of 14 completed in November, remaining will be completed by BAU |
Analysis of Resource Usage:
Staff Usage Estimate: 200 days - Proposal, 200 days-Brief (165 days, 145 days, 140 days, Last Approved Budget - 115 days)
Staff Usage Actual: 109 days
Other Resource Estimate: £-
Other Resource Actual: £-
Other Resource Variance: -%
Outcome
The project identified 80 finance related systems that required review and analysis to determine GDPR impact.
- Through the project this number decreased to 38 systems and once anticipated P&M (People and Money) system functionality was incorporated this reduced to 14 systems
- GDPR data anonymisation/purging functionality running correctly on DEV but deemed not feasible for large transaction volumes, hence not deployed to TEST or LIVE (applying to eFinancials )
- GDPR data anonymisation/purging functionality able to proactively and reactively deal with requests from individuals about their personal data (applying to eFinancials )
Observations & Recommendations Report available via SharePoint.
Explanation for variance
The scope of the project was amended a number of times which have been documented earlier
- Removed from Scope - PICCL 14 (28 Feb 2020) - see above
- Changes to scope - PICCL 18 (31-Aug-2020) - see above
The project budget was reduced a number of times including
- During 2018/19 - 55 days were transferred to FIN119 eInvoicing (PICCLs 10 and 11)
- as well as PICCLs 14, 17 and 20 have details of budget changes
Scope changes reduced what was required and deceased the budget accordingly. This resulted in identifying the DPIA's required for finance and completing them where possible, or agreeing who will complete them during BAU after the project is closed for any that have not been completed by 13-Nov
Key Learning Points
- Due to the complexity of the subject matter requirements took longer to gather than anticipated
- The system review and analysis process changed mid-project from only Finance department systems to all University systems containing finance related data
- A good working relationship was established from the outset enabling early guidance on tasks/activities
- Several changes to PM and BA roles took place due to the duration of the project
Outstanding Issues
- There are 5 outstanding DPIAs expected to be completed under BAU
- Functionality delivered via the eFinancials Anonymisation Routine was deemed impractical for use against high volumes of transactions
- Removal of user login ability recommended for all systems understood to be fully replaced by P&M asap post Go-Live
- System Decommissioning required for all systems understood to be fully replaced by P&M
- Controlled access should implemented asap for systems replaced by P&M but available in Read-Only view
- Access to eFinancials DEV and TEST environments should be removed asap pre/post P&M Go-Live
- eFinancials DEV and TEST databases should be cleared down asap pre/post P&M Go-Live
- It is recommended that a DPIA is undertaken on the selected Historic Data Store (HDS) solution
- It is recommended that a DPIA is undertaken on the People & Money system as well as a plan set out for how GDPR compliance will be managed in the People & Money system