It is only a few days before new regulations become law, with the implementation of GDPR from 25 May 2018. The Provost noted in TheWeek@UCL last week that UCL is preparing for the new law to take effect, with a number of activities being coordinated by the UCL GDPR Project Board (https://www.ucl.ac.uk/news/staff/staff-news/copy4_of_january-2018/02052018-ucl-preparations-gdpr). The Provost noted that “it is […] not possible to be fully compliant on day one, nor does the Information Commissioner’s Office (ICO) expect us to be. The ICO does however expect us to be continually looking to identify the risks to privacy and addressing these.”
Following an initial assessment, the GDPR team does not feel Library Services is a ‘high-risk’ area: there is good practice within the Library and other parts of the university process larger volumes of sensitive personal data. However, this is an opportunity for us all to reflect on how we process personal data and change our practice where it is not in line with the new regulations. A survey is about to be shared with all staff across UCL. I would like to stress that at this stage, we want to identify how personal data is processed without seeking to assign blame or penalties for historic bad practice. Referring to the Provost’s message (as above):
“The survey will not gather any personal information about the respondent, and we will be issuing an ‘amnesty’ across the university regarding current data collection, processing, and retention practices. The survey is intended to be a tool for UCL to provide baseline understanding of its risk of non-compliance with GDPR, so that we can prioritise areas of concern for further investigation and action. This survey will also help us to identify areas where we may find ‘quick wins’ – small changes that can completely mitigate risks identified. We need staff to engage with this survey fully so that the university as a whole can become compliant.”
We cannot afford to be complacent, and whilst UCL will roll out initiatives at an institutional level (including a survey and mandatory training), we can also take action as a department. Please see below for important news about how to raise your queries about GDPR, mandatory training which you must undertake this summer and also, if you are interested, a free webinar on research data and GDPR.
- Library enquiries about GDPR
We have established an email address firstname.lastname@example.org. If you have any queries relating to GDPR in your area of work, and have not dared to ask until now, please email us and we will advise or refer enquiries to the central UCL team as appropriate.
- Important: Mandatory training for Library Services staff
The April edition of the Core Brief included an update on GDPR and strongly encouraged all Library Services staff to undertake training on data protection which is currently available from Moodle. Following discussion at Library SMT, this training is now mandatory and must be completed by the end of August. This will provide a solid basis for future GDPR training which UCL will implement later in the summer.
Please undertake the Data Protection, Information Security and Freedom of Information training in Moodle to ensure that you understand the regulations and UCL’s policies, and that you can ensure we handle personal data with due care and attention.
For more information on GDPR, you can visit the UCL GDPR Preparedness website, which also provides background information on GDPR . The GDPR homepage includes a 20-minute webinar by UCL Legal Services, covering 9 key elements of GDPR and how they impact on UCL. The page also includes FAQs, which are updated regularly: https://www.ucl.ac.uk/legal-services/ucl-general-data-protection-regulation-gdpr