Overview

Background

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).  This regulation becomes enforceable from 25 May 2018.

Edinburgh University have appointed a Data Protection Officer (DPO) to ensure the standards for compliance are met within the legislative timeline of 25th May 2018.

Following the DPO review of the Records Management team procedures and systems, it has been identified that there is a need to implement changes to the Freedom of Information (FOI) Publication Scheme Database to ensure compliance with GDPR. The change pertains to the Request Monitor functionality, in relation to how this information is requested, logged, monitored, managed and published.

In order to accommodate GDPR Subject Access Requests, and GDPR Right to request, correct, erase, object and restrict data requests, the changes will involve the creation of two new request types and the redundancy of two existing request types within the Request Monitor. (A subject can be described as anyone, either internal to the organisation, a previous student or anyone who believes that Edinburgh University have any personal information about them.) There is a need to ensure that the current and 'to be' redundant categories run concurrently for a two week period in support of business needs and that, from 8th June, the redundant categories are searchable for audit and reporting business functions.

As this project is legislative, all key project documentation will be updated to ensure that key stakeholders are informed, due to the feedback from the relevant compliance programme to the GDPR regulatory body.

 

Scope

In Scope

  • Introduction of two request type categories for GDPR by 25th May 2018.
  • Facility to maintain existing categories and new categories for a two week period during 'cutover' to accommodate 'delayed' requests, until 8th June.
  • Redundancy of two of the existing request type categories on 8th June 2018.
  • 'Search request ONLY' functionality for the two categories that GDPR will replace, for historical and audit purposes.
  • Some guidance to Records Management team in support of their UAT for each deliverable.

Requirement:

  • New GDPR request type categories
  • Concurrent use of ALL categories for 2 weeks
  • Redundancy of 'old' categories.
  • Search facility of 'old' categories for reporting.

Current Request Types:

  • Environment Information
  • Freedom of Information
  • Section 10 Data protection request
  • Subject Access

New Request Types:

  • GDPR Subject Access Request
  • GDPR Right to correct/erase/object/restrict data

25th May to 8th June - Concurrent use of ALL categories:

  • Environment Information
  • Freedom of Information
  • Section 10 Data protection request
  • Subject Access
  • GDPR Subject Access Request
  • GDPR Right to correct/erase/object/restrict data

8th June Onwards - New GDPR Categories and search only of 'redundant' categories:

  • Environment Information
  • Freedom of Information
  • GDPR Subject Access Request
  • GDPR Right to correct/erase/object/restrict data

Search only:

  • Section 10 Data protection request
  • Subject Access

Out of Scope

  • Fixing of any known issues.
  • Replacement of the FOI Publication Scheme Database.
  • Update of business processes and procedures to be completed by Records Management team.
  • UAT to be performed by Records Management team.

 

Objectives and Deliverables

 
| Phase | No | Description | Priority (MoSCoW) | Owner |
|---|---|---|---|---|
| | O1 | To ensure compliance of GDPR Subject Access Requests and 'GDPR right to correct/erase/object/restrict data', within Freedom of Information (FOI) Publication Scheme Database, for the Records Management team by 25th May 2018. | Must | Sara Cranston |
| | O1D1 | Add new GDPR Subject Access Request type option, within Freedom of Information (FOI) Publication Scheme Database, allowing for calendar days and working days. | Must | Development Services/Production Management |
| | O1D2 | Add new GDPR functionality request type - GDPR right to correct/erase/object/restrict data, within Freedom of Information (FOI) Publication Scheme Database. | Must | Development Services/Production Management |
| | O1D3 | To provide the administrative option to control whether the period is calendar or working days. | | Development Services/Production Management |
| | O1D4 | Support Records Management team with UAT that will incorporate the new functionality and phases. | Must | Development Services/Production Management |
| | O2 | To ensure pre-GDPR categories can be searched and reported on for redundant requests, in support of management reporting and audit purposes. | Must | Development Services/Production Management |
| | O2D1 | To provide a facility to search and report on non-GDPR categories. | Must | Development Services |

Given the number of GDPR-related projects within the Programme Portfolio, we propose an Agile approach, to ensure the key compliance work is developed well in advance. This will prevent the risk of delays arising from key project and development resources within Project Services, and from Records Management team resource issues, as defined in the Project Risk Log.

Benefits

The benefits of this project are:

  • Compliance with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).
  • Edinburgh University registered as a GDPR compliant organisation.
  • The Records Management team will be able to demonstrate their compliance to the requesting subjects and regulatory bodies.

Success Criteria

The following are the success criteria for this project:

  • The Records Management team can respond to the subject's GDPR requests.
  • Add new GDPR Subject Access Requests within Freedom of Information (FOI) Publication Scheme Database, for the Records Management team, with the option for the business to select response times in calendar days or working days.
  • All categories can be selected as active or inactive, are searchable and can be reported on by the Records Management team.

Project Milestones

| Target Date | Previous Date | Title | Stage | Complete |
|---|---|---|---|---|
| 12-Jan-2018 | 15-Dec-2017 | Planning complete | Plan | Yes |
| 19-Jan-2018 | No date available | Requirements Sign-off | Analyse | No |
| 02-Feb-2018 | No date available | Design sign-off Milestone | Execute | No |
| 02-Mar-2018 | No date available | Build Solution | Build | No |
| 16-Mar-2018 | No date available | User Acceptance Testing | Accept | No |
| 23-Mar-2018 | No date available | Integration Complete | Integrate | No |
| 02-Apr-2018 | No date available | End of Delivery Sign-off Milestone | Deliver | No |
| 16-Apr-2018 | No date available | End of Project Closure Stage | Close | No |

Project Info

Project: Freedom of Information GDPR Updates
Code: STU259
Programme: Student Services (STU)
Management Office: ISG PMO
Project Manager: Morna Findlay
Project Sponsor: Sara Cranston
Current Stage: Close
Status: Closed
Start Date: 31-Oct-2017
Planning Date: n/a
Delivery Date: n/a
Close Date: 01-Jun-2018
Programme Priority: 3
Overall Priority: Higher
Category: Compliance