To ensure that the College can comply with the requirements of the General Data Protection Regulation (GDPR), and to assist the College in identifying and managing its information assets, the College has produced the Data Asset Registration Tool (DART) platform.
Completion of a DART Registration satisfies two legal requirements defined under the GDPR:
· it creates a Data Protection Impact Assessment (DPIA), as required under Article 35 of the UK GDPR, which can be downloaded as a PDF; and
· it populates the College’s Records of Processing Activity (RoPA), as required under Article 30, ensuring that personal data is being recorded and managed in an effective manner.
WHEN TO CONDUCT A DART REGISTRATION
Any activity or project that processes (uses, stores, analyses, etc.) personal data requires the completion of a DART Registration. Depending on the type of processing and the type of data involved, DART will ask a different set of questions to facilitate the registration.
The following scenarios automatically require the completion of a full DPIA, and therefore a specific DART Registration:
- systematic and/or extensive profiling with a significant effect on individuals;
- processing special category or criminal offence data;
- systematically monitoring publicly accessible places on a large scale;
- using or implementing new technologies and systems;
- using profiling or special category data to decide on access to services;
- profiling individuals on a large scale;
- processing biometric data;
- processing genetic data;
- matching data or combining datasets from different sources;
- collecting personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
- tracking individuals’ location or behaviour;
- profiling children or targeting services at them; or
- processing data that might endanger the individual’s physical health or safety in the event of a security breach.
As a matter of best practice, a DART Registration is also required:
- for any new processing activity, or a subsequent change to a current processing activity;
- as part of engagement activities with new partner organisations;
- as part of reviewing current partner organisations;
- when undertaking research activities; or
- as part of a Faculty / Support Services mandated activity; see the following pages for more information:
Data protection | Faculty of Medicine | Imperial College London
Data protection | Faculty of Natural Sciences | Imperial College London
Data protection | Administration and support services | Imperial College London
Examples of Information Assets which will require registration
- a new database of staff personal details, or a database of students’ details;
- a database (in physical or electronic format) containing newsletter subscribers’ contact details;
- data collected as part of a defined research study or project;
- a team that processes data pertaining to staff or students as part of its core activities. In this case the team itself is registered, and the individual information assets are then linked to the team.
DART ROLES
Information Asset Owner
The role of the Information Asset Owner (IAO) is a vital part of protecting, and maximising the efficient use of, information within the College. The main purpose of the role is to understand and address risks to the information the IAO ‘owns’, usually as part of their management of the service. The role also provides assurance to the Senior Information Risk Owner (SIRO) on the security, accuracy and use of these assets.
Specific responsibilities
The College has adopted the concept of an Information Asset Owner (IAO) as defined by the Cabinet Office for Information Asset Owners in UK government departments, which is as follows:
“Information Asset Owners (IAOs) must be senior/responsible individuals involved in running the relevant business. Their role is to understand what information is held, what is added and what is removed, how information is moved, and who has access and why. As a result, they are able to understand and address risks to the information, and ensure that information is fully used within the law for the public good. They provide a written judgement of the security and use of their asset annually to support the audit process.”[1]
Specifically, this means an IAO is responsible for an information asset in terms of:
- Identifying risks associated with the information asset.
- Managing and operating the asset in compliance with College and Faculty policies and standards.
- Ensuring controls are implemented to manage all risks appropriately.
- Managing access controls so that only suitable personnel, whether internal or external parties, have access to the data, and keeping access requirements under review.
- Ensuring all users who have access to the information asset are appropriately trained.
- Implementing and maintaining security controls in line with College requirements for the transfer, storage, processing and retention of data, whether held in physical or digital format.
- Understanding, and having in place, the necessary back-up, resilience and disaster recovery arrangements.
- Ensuring that information assets are registered, reviewed at least annually and, where required, updated to maintain data protection compliance.
The IAO is responsible for determining access requirements. The IAO may delegate roles to one or more Information Asset Administrators (IAAs), provided that all such IAAs have sufficient knowledge of the conditions of use of the identified data set.
Information Asset Administrator
An IAA has responsibility, delegated from the IAO, for an identified data set as defined by the IAO. An IAA has a working knowledge of the data set, activity or information system and is able to support the IAO operationally.
IAAs have day-to-day responsibility for the asset, make sure that College policies and procedures are applied and adhered to, and are able to recognise actual or potential security incidents. They are responsible for reporting such incidents to the IAO and for consulting the College regarding incident management.
DART User
A person who is completing a DART Registration. This could be any individual who has a formal affiliation with the College and an Imperial College Office 365 account.
A DART User may also be an IAA or an IAO.
DART Data Protection Advisor
A lead individual identified for each department in the DART Departments List. This role receives the first automated notification from DART when a new registration is submitted and is ready for assessment. In many cases this role can be managed via a shared mailbox.
DART Assessor
The main point of contact for the assessment, review and approval of a DART Registration. This may be the same individual as the DART Data Protection Advisor, depending on the process implemented locally within each faculty or business area.
The role should be carried out by someone who has a good understanding of data protection legislation and of information governance within the College.
DART Reviewer
Subject matter experts within the College who may be required to review DART Registrations, for example ICT, ICT Security, Contract Teams, Legal Services, etc.
Once identified, they will be given access to the specific registrations that require their input, unless they already form part of the activity / project oversight group.
DART Approver
Members of staff who have authority to approve DART Registrations (i.e. they can approve DPIAs on behalf of the College). The level of approval required depends on the risk level associated with the individual registration. These roles are typically carried out by the College Data Protection Officer (DPO), the Deputy Data Protection Officer (DDPO), the College’s Caldicott Guardian equivalent, or other members of staff delegated by the DPO.
FAQs
I previously completed a paper version of the DPIA, or filled in a FoM DPIA Tool registration. Do I need to do this as well?
No. The information you provided previously will be entered into DART by the central support / faculty teams and assigned to you for your awareness. From then on you will be required to keep the registration up to date and ensure its accuracy.
What types of ‘risk’ are being assessed?
Whilst the GDPR does not define ‘risk’, the focus is always on how the processing could affect individuals’ rights and freedoms, including their privacy and data protection rights and other fundamental rights and interests. ‘Risk’ therefore covers potential harm, whether physical, digital or intangible, economic or social, and the risk to society as a whole.
What does ‘large scale’ mean?
Whilst the GDPR does not define what ‘large scale’ means, you should consider:
- the number of individuals concerned;
- the volume of data;
- the variety of data;
- the duration of the processing; and
- the geographical extent of the processing.
What will the College do with the information provided?
Data held in DART will be used to facilitate reporting on key metrics, such as:
- the number of registered projects;
- the number of overdue reviews;
- the number of high-risk data sets; and
- the creation of the College Records of Processing Activity (RoPA).
The College stipulates an annual review process for registered projects; these reviews will also be managed via DART and the Annual Declaration Process.
HoDs and DOMs will receive findings reports for information and action, as appropriate. These reports will also be provided to the Faculty Information Governance & Strategy Committee to act upon.
What about projects / activities / data sets which have already been completed, but where the data has been retained (to meet retention requirements or for future processing)?
If the data set collected as part of the activity is still held and/or will be used in the future, you will be required to log it, together with the context under which the data was collected. The College recognises that there is a significant number of historical and ongoing projects that process health and social care data. Whilst these must be registered, given the scale of the task, Departmental Managers, under the direction of the Faculty Operating Officer, the associated Information Governance lead and the Strategy Committee, will plan this activity.
What happens next?
Once all feedback and outcomes have been incorporated into the proposed registration, it will be signed off and finalised. After that, entries remain under review so that updates, amendments and new data sets can be added. If nothing changes, no further action is necessary beyond the annual review, which is required as part of the annual declaration process and is managed via DART.
MORE INFORMATION
To find out more and start the registration process, see the following:
- DART Code of Practice – CURRENTLY BEING FINALISED (will replace CoP 5 - Information Asset Register)
- Data Asset Registration Tool (DART)
[1] From the Cabinet Office document ‘Guidance on the IAO role’, https://www.gov.uk/government/publications/information-asset-owner-role-guidance