Closure Report

Project Summary

 

The General Data Protection Regulation (GDPR) is an EU regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union. The new legislation came into force in May 2018. The UK government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.

 

This project aimed to address the immediate concerns to enable the University to demonstrate that student systems are in compliance, or are moving towards compliance, with the General Data Protection Regulation (GDPR) for May 2018. The project team worked closely with the University Data Protection Officer to ensure any communications were co-ordinated with the wider University requirements.

 

In the expectation that not all requirements for full GDPR compliance could be met in 17/18, and that a further project would be initiated in 18/19, the scope and deliverables were reviewed after the Analysis stage when the requirements identified were prioritised.

Scope

 

The scope was limited to the following elements within the student systems:

Review and update of Student Record privacy statements

  • ensuring updated student record privacy statement is easily available to students

Removal of Special Category data within the stipulated timescale.

Plan to prioritise and schedule removal of other student data

Review and update of Data Processing Register

  • The data processing register is maintained by Rena Gertz on behalf of the University.

Review and update of existing Data Retention Schedule

  • including any new process required for compliance with GDPR

Identification of systems internal and external to the university which consume data from SITS

Review and update data protection/data sharing agreements with owners of systems that use the student data

  • including system owners external to the university (such as external organisations who use student personal data to deliver surveys)

A business case for legitimate interest for Student Surveys

  • Scope to be restricted to surveys administered by Student Systems.

Review if there is a requirement for a new process to enable students to opt in or out of providing personal data to university where appropriate

 

 

Analysis of Resource Usage:

Staff Usage Estimate: 158 days

Staff Usage Actual: 100 days

Staff Usage Variance: -30%

 

Explanation for Variance

 

1. The project budget was reduced twice, from 158 to 130 days and then from 130 to 110 days.

2. The budget was reduced due to the impact of conflict for BA resource (Issues 5, 9, 10), which meant that the original plans to tackle more deletion processes could not be achieved and the IS effort had to be reduced.

 

Outcome

 

The success criteria were all achieved.

  1. Students can easily access a GDPR-compliant privacy statement
  2. Protected characteristics have been deleted from SITS in line with GDPR guidance.
  3. Student systems have identified data which should be deleted to ensure GDPR compliance and have a schedule to remove that data.
  4. Student systems have established the business case for legitimate interest for student surveys.
  5. Successful engagement with owners of downstream systems has been achieved.
  6. Owners of downstream systems are informed in a timely fashion of any relevant data changes in SITS which are likely to require them to take action for their own GDPR compliance.
  7. Completed DPIA
  8. Analysis allows aims of follow-on project to be planned and prioritised

| Objectives and Deliverables | Priority | Achieved | Notes |
| --- | --- | --- | --- |
| O1 Removal of applicant and application data for those who apply but never come | | | |
| D1 Analysis of requirements and risks, list of stakeholders and estimate to deliver requirements allowing delivery of requirements to be planned and prioritised | M | Y | |
| D2 Process to allow deletion of uncompleted applications | M | Y | A repeatable, documented process delivered, allowing uncompleted applications to be deleted 31 days after start of programme for which application was not completed. This has not yet been handed over as a BAU process as the operations team has not yet decided when, and how often, it should be run. Handover will be completed under the follow-on project. |
| D3 Process to delete unsuccessful applications | C | N | This will be carried out in a follow-on project, most likely the GDPR2 project scheduled to begin in January 2019. |
| O2 Removal of Special Category data within the stipulated timescale | | | |
| D1 Analysis of requirements and risks, list of stakeholders and estimate to deliver requirements allowing delivery of requirements to be planned and prioritised | M | Y | This has not yet been handed over as a BAU process. Handover will be completed under the follow-on project. |
| D2 Removal of out-of-retention-period Special Category Data | M | Y | Special category data outwith the retention period was deleted using a repeatable, documented process. |
| O3 Updating Privacy Statement(s) | | | |
| D1 Analysis of requirements and risks, list of stakeholders and estimate to deliver requirements allowing delivery of requirements to be planned and prioritised | M | Y | |
| D2 Updated student privacy statement | M | Y | Student surveys covered by the single student privacy statement. The privacy statement is available on the main university website. |
| D3 Agreed BAU process to update privacy statement in future | S | ? | |
| O4 Process to allow existing and continuing students to opt-out of providing data not essential for university business. | | | |
| D1 Analysis of requirements and risks, list of stakeholders and estimate to deliver requirements allowing delivery of requirements to be planned and prioritised | M | NA | Analysis has confirmed that the legal basis for holding student data does not require consent. Requests from a data subject for their data to be removed under the "right to be forgotten" will be dealt with manually as a support task. |
| O5 Updated Data Processing Register and Data Retention Schedule | | | |
| D1 Analysis of requirements and risks, list of stakeholders and estimate to deliver requirements allowing delivery of requirements to be planned and prioritised | M | Y | |
| D2 Review of data held by student systems and legal basis for the retention of data and the retention period. | M | Y | Reviewed with all data users and made available to users as appendix to privacy statement. |
| O6 Review data protection/data sharing agreements with owners of systems that use the student data, including owners of systems external to the university | | | |
| D1 Analysis of requirements and risks, list of stakeholders and estimate to deliver requirements allowing delivery of requirements to be planned and prioritised | M | Y | This task will be repeated annually as part of student systems business as usual processes. |
| O7 Privacy Statements for Surveys and a business case for legitimate interest. | | | Separate privacy statement for surveys not required - covered by student privacy statement |
| D1 Analysis of requirements and risks, list of stakeholders and estimate to deliver requirements allowing delivery of requirements to be planned and prioritised | M | Y | |
| D2 Business case establishing legitimate interest for student surveys | M | Y | Approved by Gavin Douglas |
| O8 Capture of key data in anonymised universes prior to deletion from SITS | | | |
| D1 Analysis of requirements and risks, list of stakeholders and estimate to deliver requirements allowing delivery of requirements to be planned and prioritised | M | Y | |
| D2 Updates to STUDMI, ADMISMI and DIRECTMI such that users can report without requirement to join pseudonymised universes and non-pseudonymised universes. | M | Y | Removal of UUNs (and other personal identifiers) from STUDMI, ADMISMI and DIRECTMI has been delayed as some other areas of university cannot join their data unless UUN is still available in those universes. See JIRA-18. See: Programme risk 50. |
| D3 Updates to reports ensuring only pseudonymised data is used | S | Partially | 100 reports which combined pseudonymised and non-pseudonymised data have been rewritten so that only pseudonymised data is used; an estimated 52 reports remain (half are owned by SSP, half are owned by business partners). 150 reports which used only pseudonymised data but which used UUNs have been rewritten so that UUNs are no longer used; 1200 reports which use only pseudonymised universes but which use UUNs have not been rewritten - many of these are believed to be obsolete. The work on these reports has been stopped while the UUNs issue is resolved and should be taken up by the follow-on project. |
| O9 Removal of failed applications for student funding | | | |
| D1 Analysis of requirements and risks, list of stakeholders and estimate to deliver requirements allowing delivery of requirements to be planned and prioritised | C | N | Deferred to follow-on project |
| O10 Analysis of anonymisation of historic spreadsheet data held for Postgraduate Taught Student Survey (PTES) and Postgraduate Research Student Survey (PRES) | | | |
| D1 Analysis of requirements and risks, list of stakeholders and estimate to deliver requirements allowing delivery of requirements to be planned and prioritised | C | N | Deferred to follow-on project |
| O11 A plan for future work required to achieve full GDPR compliance | | | |
| D1 Analysis of future steps required, with suggested priorities for next steps, allowing prioritisation for follow-on projects | S | Y | |

Additional deliverables

 

The refresh process was reviewed to ensure that data removed from non-production environments is not refreshed from LIVE. A procedure has been established to prevent sensitive data (including Protected Characteristic data) held as text in the production system being refreshed into non-production systems. Data includes notes between Disability advisors and students, personal statements for scholarships and bursaries, and special circumstances.

 

Key Learning Points

 

Conflict for resources

Resourcing the BA role was challenging for this project. It is important that we are able to resource all key roles in the project team consistently.

 

DPIA for future SSP projects

Under GDPR all projects will now need to do the following in respect of all new data processing delivered by the project:

- define and record the legal basis for processing the data

- define and record the retention period for the data

- review and where appropriate update privacy statements

- define and develop processes for deletion of the data on reaching the end of its retention period

 

Guidance for Deployments to EUCLID and EUGEX

The guidance needs to be updated and agreed between ISG and Student Systems

  •  Discussions are now underway between SSP (Brandi Headon and Defeng Ma) and IS Applications (Suran Perera and Morna Findlay)

 

Cooperation with university stakeholders

  • University staff who are required to participate in the decision making process were not always fully aware of their responsibilities under the GDPR or of the impacts of decisions and therefore required additional support. This should be considered when planning BA actions in future projects.

Lack of familiarity with GDPR

  • As the whole sector was responding to the GDPR for the first time, unexpected requirements appeared consistently. While potentially out of scope, capturing these as programme risks should be agreed with the Programme Owner so that future projects can address these.

 

Estimation

  • Project size was hard to estimate and, with three strands of work, an invested project team in regular communication was very important. Key resources should be secured in advance of a follow-on project.

 

Outstanding Issues

 

1. UUNs and personal identifiers remain in non-pseudonymised universes: JIRA-18

  • This is to be taken forward by the Head of Student Systems via the data governance group.

 

2. There remains a substantial number of BI reports which may have to be rewritten once the issue of UUNs is resolved.

 

3. BAU processes for updates to the privacy statement, updates to data retention periods and for deletions of data should be agreed with the operations team as part of the follow-on project. This will require the operations team to consider when, and how often, data is likely to be deleted. https://www.jira.is.ed.ac.uk/browse/SAC064-27

 

4. Requirement to remove collection of details about criminal convictions will be undertaken as a support task: https://www.jira.is.ed.ac.uk/browse/SAC064-25

 

 

 

 

 

Project Info

Project: GDPR for Student Systems
Code: SAC064
Programme: Student Systems Partnership SSP
Management Office: ISG PMO
Project Manager: Morna Findlay
Project Sponsor: Lisa Dawson
Current Stage: Close
Status: Closed
Project Classification: Run
Start Date: 07-Aug-2017
Planning Date: 29-Sep-2017
Delivery Date: 28-May-2018
Close Date: 05-Oct-2018
Programme Priority: 2
Overall Priority: Normal
Category: Compliance
