Student Systems GDPR compliance

Overview

The project seeks to ensure compliance with the EU General Data Protection Regulation (GDPR), which came into effect on 25 May 2018. The regulation imposes additional obligations on organisations which process personal data, and introduces severe penalties for data protection breaches. In response to the new regulation, the University has updated its data privacy notices for applicants and students, and has also defined new procedures for handling data breaches.

The Information Compliance Team (ICT) has recommended a number of changes to the way that data is stored and processed using systems managed or supported by Student Systems, including SITS:Vision, ADSS and Oracle Service Cloud. The project is working alongside the ICT to help define personal data stored on these systems, and to ensure that data retention schedules and purging mechanisms are in place and fully compliant. Following a comprehensive impact assessment, a one-off manual purge will be executed, to ensure the relevant data sets are compliant, with subsequent automated purges managed as part of annual maintenance procedures.

Key Benefits

  • Implement the University’s data policies, including automating the deletion of data once retention periods have elapsed
  • Reduce the risk of personal data breaches (PDBs) on student systems, by ensuring processes are documented, data has been cleansed and is managed according to published retention schedules
  • Establish a reliable process for anonymising personal/sensitive data used for system development and testing purposes
  • Mitigate potential/future data breaches due to incorrect data matching for graduate applicants who have not been matched with prior records
  • Review and improve the Subject Access Request (SAR) and Right To Be Forgotten (RTBF) processes, alongside ICT, to reduce the response time for SAR and RTBF requests
  • Review and implement the new XDUT functionality to improve the duplicate matching process and reduce the number of mismatches, and potential security breaches, based on issue information gathered from key stakeholders
  • Free up space on SITS production environments

Timescales

Work commenced in November 2019 and the project is currently working towards completion in early 2021.

 

Contact

Enquiries:

SSGDPR@it.ox.ac.uk

Project sponsor:

John.Nicholas@admin.ox.ac.uk 

Project manager:

Michelle.Griffiths@it.ox.ac.u