Monitoring, evaluating and implementing

How do we monitor and evaluate our Data Protection policy?

The Data Protection Officer will monitor new and on-going data protection risks and update the relevant University risk register, reporting this promptly as required to the Global Director of Governance and Legal Services and the Head of Assurance Services.

The Data Protection Officer will liaise with the Global Director of Information Services and the Head of Assurance Services to ensure that IT security risks related to data protection are captured on the register, and that Schools, Institutes and Professional Services record data protection and information security risks on their local registers and escalate these as necessary to the Head of Assurance Services.

The Data Protection Officer will make regular reports to the University Executive and other Committees and Boards on data protection compliance.

As part of the University's internal audit programme, the Audit and Risk Committee will instruct the University's Internal Auditors to audit the management of privacy and data protection risks and compliance with relevant controls, as required.

How do we implement this policy?

This policy is implemented through the development, implementation, monitoring and review of the component parts of the University Information Security Management System. This will require:

  • The Data Protection Officer to liaise with the Executive Deans, Directors of Professional Services and their managers to review and update information risk assessments and records of processing activities and take necessary actions to identify and protect personal data and systems used to process the data;
  • Coordination of effort between relevant Directors, Division Heads and professional specialists to integrate IT, physical security, people, information management, risk management and business continuity to deliver effective and proportionate information security controls;
  • Reviewing and refreshing of all relevant policies and procedures;
  • Generic and role-specific training and awareness;
  • Embedding data protection by design and default and related information governance requirements into procurement and project management and the implementation of software applications or process enhancements;
  • Information security incident management policies and procedures;
  • Business continuity management;
  • Monitoring compliance and reviewing controls to meet business needs.