Data Protection Update: May 2022

Must-do Training!

If you have not completed the University Data Protection training or refresher in the past two years. Please do so as soon as possible. Data Protection training for people handling personal data is a mandatory Information Commissioners Office requirement as well as a University requirement.

If you have any queries or would think your service may benefit from additional team or service question and answer sessions please contact us on

Personal Data Security Incident or Breach

Not every personal data incident security incident is a data breach and not every data breach is reportable to the Information Commissioner. But the University has a statutory duty to investigate, evaluate and record all incidents (whether reportable or not).

When reporting a data breach to the Information Commissioner’s Office the first or second question is always “have staff involved completed data protection training”?

The UKGDPR and DPA 2018 gives the Information Commissioner the power to issue penalties and instructions for lack of process. Lack of training will be considered lack of process leaving the University vulnerable to financial penalties, enforcement notices and bad publicity!

If in doubt seek advice and assistance from Information Compliance

All incidents are distressing to individuals affected by them so it is important that lessons are learned and  that all incidents are reported to Information Compliance. If incidents are not reported we cannot learn lessons or comply with the law.

First lesson in Data Incident Management if you can get it back – get it back – then contact us!

New Online Reporting Tool

Information Compliance have launched a new online reporting tool. This form provides all the information we need to evaluate any incident or breach. If you cannot access this form for any reason please e-mail Information Compliance on the e-mail above.

Incident Trends

Most information security incidents happen because of human error or lack of thought, this is true of all the incidents reported in the past quarter. Common mistakes include

  • e-mails sent to the wrong people
  • e-mails sent to a group rather than an individual (or wrong group).

Information Compliance  has reported 1 breach to the Information Commissioner’s Office in the past quarter and held discussions about a further two incidents which were very close to the statutory requirement to report (to the Commissioner’s Office)


Where you are working and who can see your work

Recently I travelled on the Euston to Crewe train I returned to my seat having walked through the corridor. I sat down and informed the man opposite me that he worked for the MoD! the person two seats down was a lecturer… etc! I could read their screens just moving through the carriage! I do not work on the train unless I have a privacy screen fitted (they are easily removeable when not needed and are very light).

For the cost of £30 (approx.) could save the University and Departments £000s’

How do you send information?

Is it secure? Who can see it?  Do you know the privacy settings. Is it appropriate use of acebook or teams for example?


University Laptops are encrypted. The reason for this  to prevent inappropriate access if laptops are lost or stolen. Organisations have been fined  tens of £000,000.00s’ for losing unencrypted laptops. Keeping log in details (such as encryption key and passwords) with the laptop negates encryption and leaves the UoK open to financial penalties. Please keep them separate!!

Don’t Keep Encryption Keys and passwords with your computer

Think what you do with other people’s data treat it at least as securely as your own!

  • Keep personal data secure
  • Don’t share your passwords
  • Beware of scams
  • Lock your computer even if you leave it for “only a couple of minutes”

Last but not least, congratulations to Laura Pullin, who has now commenced her role as Head of Data Protection!