How do we monitor and evaluate our Data Protection policy?

The Data Protection Officer will monitor new and on-going data protection risks and update the relevant University risk register, reporting this promptly as required to the Director of Governance and Legal Services and the Head of Assurance Services.

The Data Protection Officer will liaise with the Director of Information Services and the Head of Assurance Services to ensure that IT security risks related to data protection are captured on the register. The Data Protection Officer will also ensure that Colleges, Schools, Institutes and Professional Services record data protection and information security risks on their local registers and escalate these as necessary to the Head of Assurance Services.

How do we implement this policy?

This policy is implemented through the development, implementation, monitoring and review of the component parts of the University Information Security Management System. This will require:

  • The Data Protection Officer to liaise with Heads of Colleges, Schools, Institutes and Professional Services and their managers to review and update information risk assessments and records of processing activities, and to take the actions necessary to identify and protect personal data and the systems used to process it
  • Coordination of effort between relevant Heads of Service and professional specialists to integrate IT, physical security, people, information management, risk management and business continuity to deliver effective and proportionate information security controls
  • Reviewing and refreshing of all relevant policies and procedures
  • Offering generic and role specific training and awareness
  • Embedding privacy by design and default and related information governance requirements into procurement and project planning
  • Compliance with information security incident management policies and procedures
  • Compliance with business continuity management
  • Monitoring compliance and reviewing controls to meet business needs