Electronic Sharing of Responses for GDPR
  1. Home
  2. Projects
  3. Electronic Sharing of Responses for GDPR
  4. Closure Report

Closure Report

Project Summary 

The project was set up in order to deliver a method for providing information electronically and securely to requestors (including members of the public) making a request to the University, to satisfy the GDPR legislation(Article 15, section 3) "Where the data subject makes the request by electronic means, and, unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form".

The key objectives of this project were to provide an electronic solution in order to share personal sensitive data to EXTERNAL requestors of Subject Access Requests.

Changes to Scope

  • Provision of user-guide and troubleshooting guide was added to the project scope, as the solution delivered was not intuitive enough for the business to sue without this.
  • It has been agreed that part of the project delivery  (ensuring that files will be automatically deleted after six months) would be completed under support, due to the fact that testing can be carried out only once a week as the microsoft deletion process runs only once weekly, and service management need to resolve this issue for their general support needs.

Objectives, Deliverables

Number   Description

 

Priority 

 

 Complete
O1  

To ensure compliance of GDPR Subject Access Requests within Freedom of Information(FOI)

Publication Scheme Database, for the Records management team by providing an electronic

solution to enable a response to the Subject.

 

 Must  
D1

Provide an electronic medium to facilitate the Records Management Team response to

any Subject that has requested Sensitive personal information.

 

 Must  YES
D2 Ensure data  is encrypted and secure to meet the GDPR Legislation(Article15, section 3) standards. Must

 PARTIAL

- automatic deletions will  be

delivered under support
D3    

Support Records management team with UAT.

 

 Must  YES
       
   ADDITIONAL DELIVERIES    
   User Guide Must  YES
   Troubleshooting Guide Should  YES

 

Analysis of Resource Usage:

Staff Usage Estimate: 30 days 

Staff Usage Actual: 106 days -                                                            

Staff Usage Variance: 106/30  x 100 = 353 %

The estimate was increased to 115 days :-

Project Services - (PM and BA) : 68 days

  • extensive testing by PM and BA for the SharePoint product
  • provision of a detailed user guide for the business
  • additional training and testing for the business which had not been originally anticipated.

Service Management - (SharePoint resources) : 34 days

  • additional effort to deliver  and test SharePoint solution

Explanation for variance

1. Analysis 

The original estimate and plan for the project  had anticipated that:

  • The SharePoint solution would be a simple and straightforward solution for sharing electronic data
  • The software development team would be allocated as the technical resource,
  • That the project would close in April due to perceived simplicity of deliver and low development effort 

However the analysis stage determined that : 

  • SharePoint data sharing in the service offered at that time had a potential data protection issue  was not acceptable to the business 
  • the SharePoint solution was not straight forward and more analysis was required

 

2. Build, test and delivery

  • The Software Dev team did not have the skills available to provide the necessary input
  • Replanning was required  while the  SharePoint team was available to the project

 

  •  conflicts for SharePoint resources with other project work and support work incurred delays and did not allow the resources to focus on the project
    • Contractor resource had to be costed and additional funding approval obtained from STU programme  incurring additional  delays 
      • Conflicts for contractor resource with HR project incurred more delays
      • Contractor resource left the university before the solution was delivered, adding to additional pressure on service management resources to deliver

 

  • Sharepoint solution for external users is only for Office365 (O365) authenticated users
    • It took time to look for an alternative solution for anyone not using  O365, and eventually a decision was made by the business that an alternative  would not be acceptable, because the option being considered was not compliant with data protection obligations, as it required users to submit details to a third party.
    • Microsoft then released an update on 31 January which allowed an additional option for  'external sharing' with authentication which removed the potential data protection issue - time was spent evaluating and testing

 

  • Digital technology testing was new for the BA and business:
    •  Testing required much more time to complete than planned
    • It was anticipated that Testrail would be used, but both the BA  found this difficult and anticipated that the business would too, and so this was abandoned
    • The team reverted to using JIRA for testing but due to conflicts for BA time, a full test plan was not created
    • The product delivered  by the contractor did not fully reflect the requirements, therefore extensive QA was required by the PM and BA before the solution could be handed to the business
    • Testing of deletions took additional time and effort as deletions can be tested only once a week, due to the constraints of microsoft's design

 

  • Provision of the User Guide and Trouble shooting guide were added to the project scope
    • providing these took much more effort than had been anticipated

 

  • As SharePoint is a new service:
    • additional time was  required to evaluate and approve the service and support routes.
    • Requirements from the Information security consultant were not anticipated
    • Additional time was spent discussing and investigating areas which the project team did not understand were part of SharePoint's design and therefore could not be changed

 

  • During the testing, a key issue was identified, in that the 'requestors' would be able to view/delete/upload and rename any documents that had been shared in the folder. Resolving this issue  required that all testing had to be redone.

 

  • Project services and the SharePoint team had not worked on delivering a bespoke SharePoint solution before and there were some gaps in expectation between the teams. For example,  project services  expected the design methodology  used by development services to be followed, but this is  not the  agreed methodology within Service Management or  the SharePoint team.

 

  • Records management found JIRA was a confusing system, and that it wasn't always clear what they were supposed to do when trying to carry out testing. This might be because records management did not have an understanding of some of the jargon and methodology. However the project team, particularly the business analyst, was very responsive to any questions.

 

  • Records management appreciate the very thorough user guide produced by the ausiness analyst.

 

The detail of these changes can be found in the following PICCL's:

PICCL No. 3: https://www.projects.ed.ac.uk/unpublished/project/stu262/issues/3

PICCL No. 5: https://www.projects.ed.ac.uk/unpublished/project/stu262/issues/5

PICCL No.6 : https://www.projects.ed.ac.uk/unpublished/project/stu262/issues/6

 

Key Learning Points

  • There was a learning curve for the IS project team  in  understanding how the GDPR  legislation translated to the changes. 
  • SharePoint solution  was assumed to be a simple solution to the requirements but proved more difficult to deliver than anticipated
  • The SharePoint manager worked hard to deliver the project, while dealing with multiple conflicts for resources
  • The business analyst made a significant contribution to the delivery of the project, through rigorous analysis, testing and provision of essential documentation 
  • Great communications between records management, the SharePoint development resource and business analyst proved to be successful in the development of the tool.
  • RISK management ensured control throughout the Project.
  • The engagement of the information security consultant ensured that the service delivered is secure
  • Business users may need training in the use of test applications such as JIRA in order to ensure that  the testing process can progress well
  • Project services and service management agreed  that there are ways in which delivery of  projects  between project services and service management can  be improved.
    • A meeting between service management and the project managers of several related projects has already taken place
    • SharePoint resources are to be requested and assigned in  ASTA  from 18/19
    • Action on next steps  is being taken forward by team managers 

Outstanding Issues

There is one outstanding issue which will be undertaken as a support task:

1. Ensuring that deletion of responses works as and when expected

  • This is required for other SharePoint services and is a priority for the support team
  • A manual workaround is available

 

Other

The delivery of a monthly audit report will be undertaken as a support task.

 

 

This article was published on

Project Info

Project
Electronic Sharing of Responses for GDPR
Code
STU262
Programme
Student Services (STU)
Management Office
ISG PMO
Project Manager
Morna Findlay
Project Sponsor
Sara Cranston
Current Stage
Close
Status
Closed
Start Date
27-Nov-2017
Planning Date
n/a
Delivery Date
n/a
Close Date
27-Jul-2018
Programme Priority
2
Overall Priority
Higher
Category
Compliance

Documentation

Close