The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). This regulation becomes enforceable from 25 May 2018.
Edinburgh University has appointed a Data Protection Officer (DPO) to ensure that the standards for compliance are met within the legislative timeline of 25th May 2018.
Following the DPO review of the Records Management team's procedures and systems, a need has been identified to implement changes to the Freedom of Information (FOI) Publication Scheme Database to ensure GDPR compliance. The element of project change pertains to the Subject Access Request information service. The current process within the Records Management Team is to "respond to the subject access request via the same channel that the request was received, wherever possible. Should the response be required electronically, and be large, it is saved and encrypted using Adobe Acrobat Professional 256-bit AES; otherwise paper, CD-ROM and email are the usual routes." From 25th May, GDPR legislation prevents any personal data response being issued by any means other than electronically with assured security.
Initial analysis has explored SharePoint as a solution to ensure compliance, whilst a strategic University solution is still under review. Further analysis and alternative solutions will form part of the Project Analysis stage of the project and will be proposed to key stakeholders within the Records Management Team, the UoE DPO and the Information Services Group.
As this project is driven by legislation, all key project documentation will be kept up to date so that key stakeholders, such as the UoE DPO, are informed, given the feedback from the relevant compliance programme to the GDPR regulatory body.
The project will deliver a method for providing information electronically and securely to requestors (including members of the public) making a request to the University, to satisfy the GDPR legislation (Article 15, section 3): "Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form".
In Scope
- A simple, electronic data sharing provision, with a focus on SharePoint as a solution, that will share large files.
- An alternative electronic data transfer solution to be explored and proposed, should SharePoint be deemed insufficient.
- Confirmation that the existing Adobe Acrobat Professional standard (256-bit AES) will suffice and, if not, exploration of other alternatives.
- Encryption for internal University requests and for external requests, confirming any differentiation between the two.
- Guidance to the Records Management team in support of their UAT for each deliverable.
- Access limitations to be agreed for each request.
Out of Scope
- Mapping of current K drive documentation to the new solution.
- Replacement of the FOI Publication Scheme Database.
- Existing operational support activities and service levels remain as current.
- Business process changes and communications, such as requests via paper, email or spreadsheet.
- Existing metadata and retention schedules remain.
- A basic solution that meets the GDPR legislation will be delivered.
- Verification procedures remain with existing business processes.
- User guidance will be provided by the Records Management Team.
Objectives and Deliverables
|Ref||Description||Priority||Owner|
|O1||To ensure compliance of GDPR Subject Access Requests within the Freedom of Information (FOI) Publication Scheme Database for the Records Management team, by providing an electronic solution to enable a response to the Subject.||Must||Sara Cranston|
|D1||Provide an electronic medium to facilitate the Records Management Team's response to any Subject who has requested sensitive personal information.||Must||Development Services|
|D2||Ensure data is encrypted and secure to meet the GDPR legislation (Article 15, section 3) standards.||Must||Development Services|
|D3||Support the Records Management team with UAT.||Must||Development Services/Production Management/Business Analyst|
Given the number of GDPR-related projects within the Programme Portfolio, we propose an Agile approach to delivery in order to reduce the risk of delays caused by Records Management Team resource issues, as defined in the Project Risk Log, together with any delays in decisions from the CIO or DPO. This method will allow the IT development resources to be allocated and work to progress, although there may be a need to make some changes to ensure that the GDPR legislative guidelines are met.
The benefits of this project are:
- Compliance with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).
- Edinburgh University registered as a GDPR-compliant organisation.
The following are the success criteria for this project:
- The Records Management team can respond to the subject's GDPR access request via an electronic and secure medium.
- Subject Access Data can be delivered electronically to the subject requestor.
- Demonstrable encryption of Subject Access Data.
|Target Date||Previous Date||Title||Stage||Complete|
|12-Jan-2018||15-Dec-2017||Planning complete - Review timescale||Plan||Yes|
|31-Jan-2018||No date available||Requirements Complete||Analyse||No|
|23-Feb-2018||No date available||Design sign-off complete||Design||No|
|26-Mar-2018||No date available||Build signoff review||Build||No|
|09-Apr-2018||No date available||Integration Complete||Integrate||No|
|14-May-2018||No date available||User Acceptance Testing Complete||Accept||No|
|21-May-2018||No date available||Acceptance Milestone Completion||Design||No|
|28-May-2018||No date available||Delivery||Deliver||No|
|11-Jun-2018||No date available||Deployment Sign-off - stage complete||Execute||No|
|25-Jun-2018||No date available||Closure complete||Close||No|
|Ref||Title||Initial Risk||Current Risk||Status||Management Approach||Risk Owner||Date of Last Review|
|1||Availability of Applications Division Resources||GREEN||GREEN||Open||Reduce||Morna Findlay||13-Dec-2017|
|2||HR digitisation Project||GREEN||GREEN||Open||Reduce||Morna Findlay||13-Dec-2017|
|3||SharePoint as a Strategic Technical Solution may not be viable for GDPR||AMBER||GREEN||Open||Reduce||Morna Findlay||21-Dec-2017|
|4||Need for increased Budget||AMBER||GREEN||Open||Reduce||Martin Jones||14-Dec-2017|
|5||Scope creep||GREEN||GREEN||Open||Reduce||Morna Findlay|
|6||Solution may not be GDPR compliant||GREEN||GREEN||Open||Avoid||Renate Gertz|
|7||Volumes may not reflect GDPR expectations||GREEN||GREEN||Open||Reduce||Megan Graham|
|8||Scope and scale of the various Types of media is unknown||GREEN||AMBER||Open||Retain||Sara Cranston||19-Dec-2017|
|9||Solution may not be delivered by 25 May deadline||GREEN||GREEN||Open||Reduce||Megan Graham||21-Dec-2017|
Current project status
|Report Date||RAG||Budget||Effort Completed||Effort to complete|
|July 2018||BLUE||115.0 days||105.0 days||0.0 days|