Policies

The request was partially successful.

Dear University of Manchester,
1) please can you send me a copy of the current subject access request acknowledgment AND response letter that you use
2) a copy of the last 5 dpias completed
3) a copy of any internal mandatory information governance training that you give to staff which was written in the last 2 years including presentation slides and videos and any other media
4) a copy of any instructions given to staff members to reduce data security breaches, for example double checking work which was written in the last 5 years
5) a list of any policies implemented in the last 2 years within the organisation to help reduce the environmental impact that the organisation has?

Yours faithfully,

tim wells

MTRS FOIA, University of Manchester

1 Attachment

Dear Tim,

 

I am writing to acknowledge your request under the Freedom of Information
Act 2000 received by The University of Manchester, our reference as per
the subject line.

 

The University will respond to your request within 20 working days.

 

With best regards

 

Lisa

 

Dr Lisa Crawley l  Information Officer  l Information Governance Office
l Directorate of Compliance and Risk l  Professional Support Services |
Room G7 Christie Building  l Compliance & Risk Management Office l  The
University of Manchester  l  Oxford Road  l  Manchester  l  M13 9PL  l 
Tel +44 (0)161 275 8400  

[1]www.manchester.ac.uk

[2]cid:image001.jpg@01D320C7.272763F0

We are all responsible for protecting person identifying data held by the
University, including who we share that data with. Stop and think before
you send your email.  For further guidance see:
[3]www.dataprotection.manchester.ac.uk

 

References

Visible links
1. http://www.manchester.ac.uk/
3. http://www.dataprotection.manchester.ac....

MTRS FOIA, University of Manchester

5 Attachments

Dear Tim,

 

Thank you for your request for information received by The University of
Manchester on 19 December 2019 which was as follows:

 

1) please can you send me a copy of the current subject access request
acknowledgment AND response letter that you use

2) a copy of the last 5 dpias completed

3) a copy of any internal mandatory information governance training that
you give to staff which was written in the last 2 years including
presentation slides and videos and any other media

4) a copy of any instructions given to staff members to reduce data
security breaches, for example double checking work which was written in
the last 5 years

5) a list of any policies implemented in the last 2 years within the
organisation to help reduce the environmental impact that the organisation
has?

 

The University has now considered your request and our response can be
found below.

 

1.      Subject access requests are logged on a system used by the
Information Governance Office to administer such requests called Onetrust.
This generates an auto-acknowledgement email which reads as follows:

 

Dear __FirstName__ __LastName__, Your request has been successfully
submitted (Date Submitted below relates to date/time of logging which may
differ from date/time of your initial submission). Your Request ID is
__RequestId__, please keep this for your records. If you have any
questions, please contact a member of the team.

 

The email also includes outline details of their request i.e. their name,
date submitted, information requested etc.

 

We do not use a standard response letter, each response is drafted in
relation to the details of the request that was received. However we do
include two paragraphs as standard in most responses which are as follows:

 

NB Please note that should you have any queries regarding your response,
you will be able to respond to us via this portal for 60 days after your
response has been received. After this date, any attachments will be
deleted and you will no longer be able to message us via this portal, any
queries relevant to this request should then be emailed
to [1][email address].

 

If you are not happy with our response you have a right to complain to the
Information Commissioner’s Office. This can be done online at
[2]https://ico.org.uk/make-a-complaint/your...
or please see the address below:

 

Information Commissioner’s Office

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

 

2.      The University completes a lower level data protection risk
assessment for all projects or initiatives involving processing of
personal data. Formal DPIAs are only required for high risk processing, in
accordance with ICO guidance.

 

Please find attached to this email DPIAs entitled
“dpia-template-v1_InnovateLMK” and “DPIA Privacy Notice Communication v4”.

 

NB Re the Innovate DPIA – The DPIA was provided following an enquiry as it
appeared to be required. Upon receipt of the completed form this proved
not to be the case as the initiative did not involve high risk personal
data.

 

NB Re the DDAR DPIA – Please note that the version attached includes the
comments made as part of the process to assess the DPIA. This is because
this documentation was to formalise discussions in the Division of
Development and Alumni Relations (DDAR) with regards communicating the
DDAR Privacy Notice.  The DPIA is due to be logged in the University’s new
case management system Onetrust, hence why the document remains incomplete
and is not signed off.

 

The remaining three are deemed exempt from disclosure by virtue of the
listed exemption at Section 22A (1) of the Freedom of Information Act 2000
– Research. Under this exemption, information obtained in the course of,
or derived from, a programme of research is exempt information if the
programme is continuing with a view to the publication, by a public
authority or any other person, of a report of the research, and where
disclosure ahead of the publication date would, or would be likely to,
prejudice the research or the interests of those involved in the research.

 

As section 22A is a qualified exemption we again must consider the public
interest in releasing this information. 

 

Factors for disclosure

Disclosure would allow scrutiny of the DPIA process at the University as
well as of the research, which would in turn allow the public to ensure
that the funding is being spent in the correct way and that feedback is
being followed.

 

Factors against disclosure

The DPIAs we are exempting relate to projects of ongoing research within
the University.  By releasing the information to the world at large we
believe that there is potential for this to prejudice the on-going
programmes of research and subsequently the interests of The University of
Manchester. As research data would not be expected to be published until
its completion we believe that providing data during the research project
would undermine the research project before it is intended completion and
publication. This prejudice would be likely to affect the success of the
project which could ultimately result in public money being wasted.

 

Balancing Test

The University has concluded that at this present moment in time, the
balance lies in favour of withholding the information for the factors
outlined above.

 

3.      Please find attached a text-only version of our Data Protection
course entitled “Data Protection course - text-only version to be used
with screen readers”.

 

4.      If an incident occurs, as part of the recording and mitigating
process we will provide tailored advice depending on the circumstances of
the incident e.g. If an email has been misdirected we will advise the
staff involved to always double check email recipients and ask that this
advice is passed throughout their IG network (we have a network of
Information Governance Guardians (IGG) who assist us with Information
Governance matters – see advice here
[3]https://www.staffnet.manchester.ac.uk/ig...).
We also do inputs at IGG Network meetings where we will highlight recent
incidents and reiterate advice. The attached article “Data Privacy Day
2020_StaffNet article” is also due to be published on the University’s
Staffnet webpages ([4]https://www.staffnet.manchester.ac.uk/); this is
another way in which we provide advice across the University. You may also
be interested to see our advice on the reporting of incidents which can be
found here
[5]https://www.staffnet.manchester.ac.uk/ig....

 

5.      Please see the following links to policies. Dates vary from 2014
onwards, however activities to implement these have been over the last two
years. 

 

[6]Environmental Sustainability, p10 includes the ES Policy

[7]Tree Policy

[8]Greenroof

[9]Energy and Utility Policy

 

You may also find the below of use which are not strictly policies however
we have included them as they relate to the environment and environmental
sustainability.

 

[10]Code of Practice for Design Teams

[11]Sustainable Resources Plan

[12]Living Campus Plan

 

I trust this information is of use to you however if you feel that The
University of Manchester has refused access to information to which you
are entitled, or has not dealt with your request appropriately under the
FOIA, you have a right of appeal.

 

An appeal in the first instance should be directed to the Information
Governance Office at [13][email address]. You should include: 

·         details of your initial request

·         any other relevant information

 

You must make this appeal within 40 working days from receipt of your
response. We will not accept appeals received after this date, as per the
Freedom of Information Code of Practice, Section 5.3.

 

The University will deal with your appeal within a reasonable time, and
will inform you of the projected time scale on receipt of your complaint.
You are also welcome to contact the Information Governance Office with
informal questions about the handling of your request. 

 

After The University’s internal appeals procedure has been exhausted, you
have a further right of appeal to the Information Commissioner’s
Office. Details of this procedure can be found at [14]www.ico.org.uk.

 

Kind regards

 

Sharon

 

Sharon Glen | Information Officer | Information Governance Office |
Directorate of Compliance and Risk |Professional Services | G7 Christie
Building | The University of Manchester | Oxford Road | Manchester | M13
9PL | Tel +44(0) 161 306 7549| [15]www.manchester.ac.uk

[16]data_matters_logo2-(3)

We are all responsible for protecting personal data held by the
University, including who we share that data with. Stop and think before
you send your email.  For further guidance see:
[17]www.dataprotection.manchester.ac.uk

 

References

Visible links
1. https://mailto:[email address]/
2. https://ico.org.uk/make-a-complaint/your...
3. https://www.staffnet.manchester.ac.uk/ig...
4. https://www.staffnet.manchester.ac.uk/
5. https://www.staffnet.manchester.ac.uk/ig...
6. http://documents.manchester.ac.uk/displa...
7. http://documents.manchester.ac.uk/displa...
8. http://documents.manchester.ac.uk/displa...
9. https://www.estates.manchester.ac.uk/med...
10. https://www.estates.manchester.ac.uk/med...
11. http://documents.manchester.ac.uk/displa...
12. http://documents.manchester.ac.uk/displa...
13. mailto:[email address]
14. http://www.ico.org.uk/
15. http://www.manchester.ac.uk/
17. http://www.dataprotection.manchester.ac....