Data Protection Procedures – General Operations

October 2022


Preamble

These procedures have been created to assist staff of The UWI to comply with the University Data Protection Policy (2020) and, by extension, the legislation in the local jurisdiction within which they operate.

These are general procedures and might not apply to every scenario or sub-entity of The UWI. Therefore, please recognise that the content is not comprehensive, is being refined, and will evolve over time.

Since these are general procedures, the expectation is that, as time progresses, individual sub-entities will create their own procedures, or customise these, to address their specific needs. Until that is done, these are the procedures that should be used to guide how staff operate when processing personal data.



1.0 Introduction

The UWI’s Data Protection Policy (2020) states that The UWI will:

  • comply with both the Data Protection legislation and policies in the countries in which The UWI operates, and global Data Protection best practices;
  • protect the privacy rights of all students and staff (including applicants), and alumni;
  • ensure that the Personal Data and/or Sensitive Personal Data in The UWI’s possession are kept safe and secure;
  • support staff of The UWI in meeting their legal responsibilities;
  • mandate that third parties processing data on behalf of the University observe this Policy;
  • respect the Data Protection rights of individuals; and
  • provide awareness training and support for staff who process Personal Data and/or Sensitive Personal Data.

These procedures are linked to, and should be read in conjunction with, the University Data Protection Policy (2020) and provide step-by-step instructions to University personnel and those acting on behalf of the University as sub-contractors/contractors. Outlined in these procedures are the actions to be taken in order to ensure that the staff member (or contractor), acting on behalf of The UWI (Data Controller), or the Data Processor (non-UWI entity), does not breach The UWI Data Protection Policy (2020).

In addition to its body, these procedures contain the following appendices to assist the reader in better appreciating the content:

Appendix 1
Elements of Personal Data and Sensitive Personal Data; a listing of the Personal Data and Sensitive Personal Data currently, or likely to be, managed by the University;

Appendix 2
The University entities, both academic and non-academic, to which these procedures apply;

Appendix 3
The Data Protection Acts and Authorities across the Caribbean (in the 17 contributing territories of The UWI);

Appendix 4
a list of The UWI global centres;

Appendix 5
Data Protection Authorities across the Anglophone Caribbean (in the countries where The UWI has a Global centre);

Appendix 6
Record of Personal Data and/or Sensitive Personal Data Collected;

Appendix 7
Personal Data and Sensitive Personal Data Access list template;

Appendix 8
Forms; and

Appendix 9
Personal Data Request Procedures; to be used by persons, external agents as well as internal staff, irrespective of their level within The UWI, when requesting Personal Data.



2.0 Scope

These procedures apply to all Personal Data and/or Sensitive Personal Data managed by all constituent parts of The UWI and its staff (full-time, part-time, or sub-contractor) in the course of their work with/for the University and irrespective of the format (electronic or hard-copy) in which these data are managed. These procedures also apply to archival holdings.



3.0 Definitions

Alumni
Any individual who holds a PhD, Master’s, Bachelor’s or Associate degree, Diploma and Certificate from The University of the West Indies or The University College of the West Indies. (From the UWIAA Constitution)

Contractor
A natural or legal person (i.e., a living individual or entity) who agrees to undertake work for the University based on the terms of a specific contract between them and the University.

Contractors are not considered staff of the University and, unlike staff, are independent and may, depending on the terms of the contract between them and the University, undertake work for multiple entities simultaneously; they are also, independently of the University, responsible for meeting their tax and other statutory obligations.

Data Executive
The head of a University department in which Personal Data and/or Sensitive Personal Data are managed – collected, stored, processed, and/or maintained.

Data Controller
The University of the West Indies.

Data Custodian
The person managing the actual data.

Data Processor
An external entity which manages (creates, collects, stores, disseminates, or disposes of) data on behalf of The UWI.

Data Requestor
Any individual (staff, student, external entity) who makes a request for Personal Data and/or Sensitive Personal Data.

Enterprise Systems Support (ESS)
ICT staff who work in any section which supports the University’s Enterprise Systems.

Personal Data
Information relating to a living individual, or to an individual who has been deceased for less than thirty years, who is, or can be identified, either from the data by itself or from the data in conjunction with other information, which is in, or is likely to come into the possession of the Data Controller (The UWI). (ref. Data Protection Policy (2020))

Sensitive Personal Data
Specific categories of Personal Data. These are defined as data relating to a person’s racial origin, political opinions or religious or other beliefs, physical or mental health, sexual life, criminal convictions or the alleged commission of an offence, and trade union membership. (ref. Data Protection Policy (2020))

Staff
Persons in the employment of the University engaged in one, or a combination, of the following: teaching; research; the application of a well-defined body of technical knowledge, practices and skills in support of the University’s mission; the overall management of the University and/or that of its systems and/or component parts in support of the University’s mission. (Adapted from Statutes and Ordinances 2012 – Revised May 15, 2014)

Student
A person who is registered as a student of the University during a current academic year for a first or higher degree, diploma, certificate or such other qualification or courses of the University as may be approved by the Senate as qualifying a person for the status of a student, but does not include a student of an affiliated institution who is registered for examinations to the degrees, diplomas, certificates and other academic awards of the University. (ref. Statutes and Ordinances 2012 – Revised May 15, 2014)



4.0 Rule of Thumb

As stated in The UWI Data Protection Policy (2020), Personal Data refers to information relating to a living individual, or to an individual who has been deceased for less than thirty years, who is, or can be identified, either from the data by itself or from the data in conjunction with other information, which is in, or is likely to come into the possession of the Data Controller (The UWI). Sensitive Personal Data refer to specific categories of Personal Data. These are defined as data relating to a person’s racial origin, political opinions or religious or other beliefs, physical or mental health, sexual life, criminal convictions or the alleged commission of an offence, and trade union membership.

Always manage (collect, create, store, use, share, and dispose of) Personal Data and/or Sensitive Personal Data about other people as carefully as you would wish Personal Data and Sensitive Personal Data about yourself to be managed.



5.0 Managing Personal Data and/or Sensitive Personal Data as Records

Personal Data and/or Sensitive Personal Data, managed (collected, created, stored, used, shared, and disposed of) by staff (or sub-contractors) as a result of their engagement with The UWI, form part of University records. These are therefore subject to the University Records Management Policy and its accompanying procedures and guidelines.

Always consult the Campus Records Management Unit at your campus (or the Campus Records Management Unit associated with your Centre location) in respect of the retention and disposal/destruction of the Personal Data and/or Sensitive Personal Data in your custody.



6.0 Creating Personal Data and/or Sensitive Personal Data

(Ref. #’s 1, 2, and 8 of the Data Protection Governing Principles outlined in The UWI Data Protection Policy - p.7)

According to the Data Protection Governing Principles outlined in The UWI Data Protection Policy (2020), processing must be:

  • Fair (principle #1);
  • Lawful (principle #2); and
  • Justified (principle #6).

When creating Personal Data and/or Sensitive Personal Data: unless these are based in fact and can be defended as accurate if challenged, do not make adverse comments about a Data Subject (the individual to whom the Personal Data and/or Sensitive Personal Data relate). Also, comments should relate directly to the Data Subject’s association with the University. Always bear in mind that the Data Subject has a right to ask to see what is written about them.

7.0 Obtaining Personal Data and/or Sensitive Personal Data

(Ref. #’s: 1, 2, 3, 5, and 6 of the Data Protection Governing Principles outlined in The UWI Data Protection Policy - p.7)

When obtaining/collecting Personal Data and/or Sensitive Personal Data (7.1 – 7.3):

  • Only collect Personal Data and/or Sensitive Personal Data that are required. Even if information might be useful in the future, do not collect information outside the scope of the immediate activity for which the information is to be used.

    • Notes: The Data Executive is the competent authority who determines the kinds of Personal Data and/or Sensitive Personal Data that ought to be collected by their respective section (see Appendix 1 – Elements of Personal Data and Sensitive Personal Data). The Personal Data and/or Sensitive Personal Data to be collected by a section should be documented, perhaps in department/section procedures, and provided to staff in the section.
    • Do not record Personal Data unnecessarily.
      Example: a student reveals Personal Data to a non-clinical member of staff, who then uses that information to refer the student to a relevant professional or professional department. Any Personal Data recorded, such as notes, should be destroyed immediately after the interaction between the student and the non-clinical staff member.
  • Always consider whether depersonalised data, i.e., data which cannot be used to identify individuals, would achieve the same result as data with identification (name, ID number, etc.) included. If depersonalised data can be used, do not use data with identifiers included.
  • Always be transparent and honest with the Data Subject (the person to whom the Personal Data and/or Sensitive Personal Data relate) when trying to acquire information:
    • Ensure that the identity of the Data Controller (The UWI) as well as the Data Custodian (your department/unit, etc.) appears on any instrument used to collect the information, or is stated in conversation or email.
    • Consider inserting a ‘Fair Processing’ statement in the instrument (or online screen) to be used for Personal Data collection.

      The at the of The University of the West Indies will use your personal information for and related purposes. We will keep your personal information only for as long as required for this purpose unless you agree to let us add you to our mailing list, in which case your information will be retained after the has ended.

      May we add you to our mailing list? [TICK WHICH APPLIES: YES NO]

      If you wish to be removed from our mailing list at any time, please email or the University Data Protection Officer (dpo@uwi.edu).


      Notes:
      • If what is being obtained is Sensitive Personal Data, what should be included is an opt-in, rather than an opt-out box on the instrument. With Sensitive Personal Data, consent cannot be inferred from a failure to respond. To be clear, consent cannot be assumed just because the Data Subject has not clearly refused.
      • If the Personal Data are being obtained during a telephone (or instant message) conversation, and there is an intention to use, or a likelihood of using, the Personal Data for a further purpose, the Data Subject must be informed and asked to provide written consent.
      • The evidence of written consent should be retained for as long as the Personal Data and/or Sensitive Personal Data are retained.
    • Record the staff member who obtained the Personal Data and/or Sensitive Personal Data, the date it was obtained (collected), where it is to be stored and who will have access to it. (See Appendix 6 – Record of Personal Data and/or Sensitive Personal Data Collected.)
    • Provide a brief description of the purposes for which the Personal Data and/or Sensitive Personal Data, which are being obtained, will be used.
    • If you know or believe that the Personal Data and/or Sensitive Personal Data being obtained will be used for purposes other than that for which they are being obtained, say so and obtain the consent of the Data Subject before obtaining the information. Obtaining informed consent is imperative if Personal Data are to be used for purposes other than those for which they were originally collected.
  • If Personal Data and/or Sensitive Personal Data are obtained from a party outside the University, or even from one within the University, outside your department/unit, check whether the party has been authorised by the Data Subject to share it. Keep a record of the answer.
  • If Personal Data and/or Sensitive Personal Data are obtained from a party outside the University, or even from one within the University, outside your department/unit, check how accurate the party providing the Personal Data believes it to be. Keep a record of the answer.
  • If there is doubt about the accuracy of the Personal Data and/or Sensitive Personal Data obtained from a party outside the University or even from one within the University outside your department/unit, record this. This might become important if you have to respond to a request from the University Data Protection Officer (dpo@uwi.edu) as a result of a complaint from the Data Subject or a request from the Data Protection Authority in the Data Subject’s jurisdiction.

If you do not have explicit consent and are unsure whether the collection of Personal Data and/or Sensitive Personal Data violates the University’s Data Protection Policy, contact your supervisor/manager before you begin collection; they may then contact the University Data Protection Officer (dpo@uwi.edu) for clarification.



8.0 Using and Storing Personal Data and Sensitive Personal Data

Care must be taken when handling (using and storing) Personal Data and/or Sensitive Personal Data.

  • Personal Data and/or Sensitive Personal Data should be used only for the purposes for which they were collected or for compatible purposes in line with what was indicated to the Data Subject.
  • A case in point: unless the Data Subject consents to this different use, data collected for research purposes should not be used for marketing purposes.
  • Staff must be especially careful when handling Sensitive Personal Data. The following are important considerations to note:
    • Explicit/written consent must be provided before handling; or
    • Handling should be essential for the job tasks to be undertaken (the Data Executive determines which persons/roles have access and the kind of access; see Appendix 7 - Personal Data and Sensitive Personal Data Access list template); or
    • One of the following justifications should apply:
      • the information is already in the public domain;
      • handling is lawfully required for employment purposes;
      • handling is required to protect the interests of the Data Subject or another individual and the option of obtaining consent is unavailable or impractical;
      • handling is required for legal proceedings, to obtain legal advice, or to establish or defend legal rights.
      Note: Staff should contact the University Data Protection Officer (dpo@uwi.edu), through their supervisor/manager, if they are unable to determine if the justifications can be used.

Transferring Personal Data and/or Sensitive Personal Data to devices (PCs, etc.)

  • Personal Data and/or Sensitive Personal Data should not be transferred (copied or downloaded) from any of the University’s enterprise resource planning (ERP) systems, e.g. PeopleSoft, Banner, TMA, etc., unless it is absolutely necessary to do so. Absolute necessity means that the information cannot be used from within the ERP to do the work of the University.

    Note: The staff member should not, on their own, determine when it is necessary to transfer Personal and/or Sensitive Personal Data. Instead, staff should consult the Data Executive, or immediate supervisor, for their unit when determining absolute necessity.
    • This stipulation should be observed regardless of the owner of the device in question and applies equally to University-owned devices, assigned to the staff member or available to the staff member for use, and those not owned by the University.
    • This stipulation should be observed whether the staff member is operating from University property or outside.
    • This stipulation should be observed whether or not the staff member connects to University ERPs via the University’s Virtual Local Area Network (VLAN), at whatever campus or Centre location.
  • Staff should contact the relevant Campus IT Services unit, whether directly or through their supervisor/manager, to ensure that they are able to access computing services, including ERPs (e.g. Banner and PeopleSoft). Such access should be based on their job role and should allow the staff member to be able to do their assigned duties without hindrance.
  • Where the circumstances warrant the transfer of Personal Data and/or Sensitive Personal Data to a staff member’s device (PC, etc.), whether or not that device is owned by the University or assigned to the staff member:
    • The staff member must ensure that any Personal Data and/or Sensitive Personal Data managed by the University are secure. While the University, as the Data Controller, is ultimately responsible for the protection of the Personal Data and/or Sensitive Personal Data under its management, if the security of the staff member’s device is compromised (hacked, stolen, etc.), the staff member will be held accountable for the Data Protection breach. (Seek guidance from your IT Services section for assistance with securing your device.)
    • The staff member must ensure that any Personal Data and/or Sensitive Personal Data managed by the University is not shared with unauthorised persons. (See Appendix 7 - Personal Data and Sensitive Personal Data Access list template.)
    • Any and all Personal Data and/or Sensitive Personal Data transferred to a staff member’s device should be deleted from that device as soon as the data have been used for the purpose for which they were transferred in the first place.
    E.g. Personal Data and/or Sensitive Personal Data transferred to a staff member’s device in order to compile a report should be deleted once the report has been compiled. The Personal Data and/or Sensitive Personal Data in the compiled report should, where possible, be anonymised (identification fields deleted) or pseudonymised (identifiers replaced with pseudonyms) to minimise the possibility of identifying the Data Subject if the device is compromised.
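As an added illustration of the two report-minimisation options just described (example code, not part of these procedures or of any UWI system), the Python below anonymises a constructed set of report rows by deleting the identification fields, and pseudonymises them by replacing the student identifier with a keyed-hash pseudonym so that rows for the same person can still be grouped. The row layout, field names and key are assumptions made for this example.

```python
import hashlib
import hmac

# Constructed sample rows, as they might be exported from a student system
# to compile a report. All values are made up for this example.
REPORT_ROWS = [
    {"student_id": "620012345", "name": "A. Example",
     "email": "a.example@example.edu", "faculty": "Science", "gpa": 3.4},
    {"student_id": "620054321", "name": "B. Sample",
     "email": "b.sample@example.edu", "faculty": "Law", "gpa": 3.9},
    # Same student as the first row, a later term.
    {"student_id": "620012345", "name": "A. Example",
     "email": "a.example@example.edu", "faculty": "Science", "gpa": 3.6},
]

# Fields that identify the Data Subject directly (assumed for the example).
IDENTIFIER_FIELDS = ("student_id", "name", "email")


def anonymise(rows, identifier_fields=IDENTIFIER_FIELDS):
    """Anonymise by deleting the identification fields outright.

    Suitable when the report only needs per-row or aggregate figures and
    rows never have to be linked back to a person.
    """
    return [{k: v for k, v in row.items() if k not in identifier_fields}
            for row in rows]


def pseudonym(identifier, key, length=16):
    """Derive a stable pseudonym from an identifier with HMAC-SHA256.

    A keyed hash is used rather than a plain hash: a 9-digit student number
    has so few possible values that an unkeyed SHA-256 of it could be matched
    back to the number by simply hashing every candidate. The key therefore
    stays with the Data Custodian and is never stored on the device holding
    the pseudonymised report.
    """
    digest = hmac.new(key, identifier.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:length]


def pseudonymise(rows, key, identifier_fields=IDENTIFIER_FIELDS,
                 link_field="student_id"):
    """Replace the identifiers with one pseudonym derived from link_field.

    Rows belonging to the same Data Subject receive the same pseudonym, so
    per-student analysis still works, while name and email are removed
    entirely rather than pseudonymised.
    """
    out = []
    for row in rows:
        kept = {k: v for k, v in row.items() if k not in identifier_fields}
        kept["subject"] = pseudonym(str(row[link_field]), key)
        out.append(kept)
    return out


if __name__ == "__main__":
    # Constructed key for demonstration only; a real key would be generated
    # randomly and kept by the Data Custodian, not by the report's author.
    demo_key = b"constructed-demo-key-kept-by-custodian"
    for row in anonymise(REPORT_ROWS):
        print("anonymised:", row)
    for row in pseudonymise(REPORT_ROWS, demo_key):
        print("pseudonymised:", row)
```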

Securing Personal Data and/or Sensitive Personal Data

  • The username and password, together referred to as credentials, provided to you for accessing University systems allow you access to Personal Data and/or Sensitive Personal Data. Anyone, including colleagues in your department/unit, with access to your credentials might be able to access information to which you alone should have access. Remember, Data Protection is concerned with disclosure to unauthorised persons; therefore, if someone else uses your credentials to access Personal Data and/or Sensitive Personal Data, this is a Data Protection breach. To prevent this:
    • Ensure that your credentials are kept secure at all times; and
    • If you have even the slightest doubt whether your credentials have been compromised, treat this as a possible Data Protection breach. Immediately request a password change from IT Services. Report it to your supervisor.
  • Do not leave hard/paper copies of Personal Data and/or Sensitive Personal Data in a location where anyone but you can access them (look at, pick up, destroy, etc.).
  • Store hard/paper copies of Personal Data and/or Sensitive Personal Data in a secure, locked location accessible only by persons authorised to handle this information.
  • If Personal Data and/or Sensitive Personal Data are held on, or accessible from, a device assigned to, or owned by, you, never leave it unattended without locking the screen.
  • If Personal Data and/or Sensitive Personal Data are held on, or accessible from, a device assigned to, or owned by, you, and someone who is not authorised to see these data is in a place where they can view the data, change location, lock the screen or indicate to them that they cannot remain at their present location. If the situation is one where you, or the person, are/is unable to change location, report the matter to your supervisor and indicate the potential for a Data Protection breach.
  • Transmission of Personal Data and/or Sensitive Personal Data, whether within or outside The UWI, must be done with the appropriate level of security. Ensure the following:
    • If the Personal Data and/or Sensitive Personal Data are being transmitted in hard-copy, whether internally or externally, ensure that this is done in a sealed envelope and alert the recipient when it has been dispatched.
    • If possible, electronic communication should be encrypted.
    • If possible, electronic files should be password protected. If the recipient needs to be sent the password, it should be transmitted in a separate communication and, if possible, using a communication mode different from the one used to transmit the initial file.
    • If Personal Data and/or Sensitive Personal Data are being transmitted electronically (e.g. via email), whether internally or externally, the email should be labelled ‘CONFIDENTIAL’.

Communication via Telephone

  • Disclosure of Personal Data and/or Sensitive Personal Data oftentimes takes place over the telephone. Take the following precautions:
    • Always check the identity of the person requesting, via telephone, Personal Data and/or Sensitive Personal Data. This applies to co-workers or those purporting to represent persons of high authority within or outside The UWI.
    • Even if disclosure is agreed to via telephone, this should be accompanied by a Personal Data Request Form (See Appendix 8 – Personal Data Request Procedures)


9.0 Protecting Personal Data and/or Sensitive Personal Data in mail and email

(Ref. #4 of the Data Protection Governing Principles outlined in The UWI Data Protection Policy - p.7)

Always ensure the following:

  • When sending the same email message to more than one recipient:

    Unless you intend to share with all recipients the email addresses of those to whom the message is being sent, and are in no doubt that recipients’ email addresses (which are Personal Data) are already known to all other recipients and that sharing email addresses is of no consequence (e.g. when recipients are in the same unit/department, part of the same internal group, etc.), always use ‘bcc’ (blind carbon copy) instead of ‘cc’ (carbon copy) when adding the email addresses of those to whom the message should be sent.

    Remember: The Data Subject must give written consent for their Personal Data (even their email address) to be shared.
  • Personal Data should be removed from envelopes which are re-used. Removal includes redacting or covering the information to make it illegible. Remember, someone’s name and address (home and/or work) are considered Personal Data.
  • Incoming and outgoing traditional (snail) mail and emails containing Personal Data and/or Sensitive Personal Data should either be filed or deleted once the action to which they relate has been completed. If such mail and emails can be filed or deleted before the action to which they relate has been completed, without prejudicing the action, this should be done.
  • Email containing Personal Data and/or Sensitive Personal Data which remain in a member of staff’s (or contractor’s) inbox awaiting the conclusion of a particular action to which these relate should be reviewed at regular intervals, protected, and placed in specific email folders for easy deletion.
  • Personal email received at your UWI email account should be placed in email folders separate from the Personal Data and/or Sensitive Personal Data received as a part of your work activities. These emails should also be scrutinised and routinely deleted to ensure your privacy and the privacy of anyone whose information might be contained in those personal, non-work-related, emails.


Non-UWI parties handling the Personal Data and/or Sensitive Personal Data of UWI Data Subjects

For all Personal Data and/or Sensitive Personal Data to be managed by Non-UWI parties, the following are to be considered:

  • A Non-UWI party refers to a natural or legal person, public authority, agency or body other than the Data Subject and The UWI who is authorised, by The UWI, to manage (collect, create, store, use, share, and dispose of), on behalf of The UWI, the Personal Data and/or Sensitive Personal Data of individuals.
  • Written contracts between The UWI and non-UWI external entities (also known as Processors of Personal Data and/or Sensitive Personal Data) should exist to ensure a common understanding of their mutual obligations, responsibilities and liabilities.
  • Whenever The UWI (whichever UWI entity) uses a non-UWI entity to manage (collect, create, store, use, share, and dispose of) Personal Data and/or Sensitive Personal Data on its behalf, a written contract should be in place between The UWI and the external entity (Data Processor) before Personal Data and/or Sensitive Personal Data are shared with the external entity, and/or before the external entity collects Personal Data and/or Sensitive Personal Data on behalf of The UWI.
  • Similarly, if the external entity (i.e. the Processor) uses another organisation (i.e. a Sub-processor) to assist with managing Personal Data and/or Sensitive Personal Data for The UWI, the Processor should have a written contract in place with that Sub-processor before Personal Data and/or Sensitive Personal Data are shared with the Sub-processor, and/or before the Sub-processor collects Personal Data and/or Sensitive Personal Data on behalf of the Processor, which is itself acting on behalf of The UWI.
  • What needs to be included in the contract?

    Contracts should include:
    • the subject matter and duration of the processing;
    • the nature and purpose of the processing;
    • the type of Personal Data and/or Sensitive Personal Data and categories of data subject (e.g. student, staff, alumni, donors); and
    • The UWI’s obligations and rights.
    Contracts should also include specific terms or clauses regarding:
    • processing only on The UWI’s documented instructions;
    • maintaining confidentiality;
    • appropriate security measures;
    • using Sub-processors;
    • the rights of data subjects;
    • audits and inspections; and
    • end-of-contract provisions.


11.0 Data Breach Management

A data breach might take place for any number of reasons. Whatever the reason, the data breach must be reported without delay by staff to the authorised officer (Data Executive or immediate supervisor), who in turn will immediately notify the Data Protection Officer. If the authorised officer is the person who commits the breach, he or she should immediately report this to the Data Protection Officer. (To make the report, use the “Possible Personal Data and/or Sensitive Personal Data Breach – Incident Report” in Appendix 8.)

This applies to all who handle Personal Data and/or Sensitive Personal Data on behalf of The UWI. The persons include:

  • Any person who has access to University-controlled (acquisitioned, processed, stored, or outputted) Personal Data and/or Sensitive Personal Data:
    • Staff employed to The UWI;
    • Visitors (including visiting scholars, researchers and
    • Data Processors:
      • Contractors, part-time staff, and affiliated individuals (who have access to The UWI systems but are not employed to the institution);
      • Persons employed to contractors who process University data.

This applies to all University-controlled (acquisitioned, processed, stored, or outputted) Personal Data and/or Sensitive Personal Data, such as:
  • [Location] All Personal Data and/or Sensitive Personal Data whether managed using the IT systems owned by The UWI, any other IT systems, including email, Cloud-based platforms, or the IT system of a company or individual to which/whom Personal Data and/or Sensitive Personal Data management has been sub-contracted;
  • [Format] All Personal Data and/or Sensitive Personal Data managed in any format, digital and non-digital;
  • [Hardware/Device] All Personal Data and/or Sensitive Personal Data whether managed on a University-owned device or on another device not owned by the University;
  • [Management] All Personal Data and/or Sensitive Personal Data whether managed using The UWI’s central (including by the Technology Services division at a campus) IT systems or the distributed IT systems of a Faculty/School, Division, Institute, Centre, Department or Unit.

      11.1 Determining whether a Personal Data and/or Sensitive Data Breach occurred

      Determining whether an incident rises to the level of a Personal Data and/or Sensitive Personal Data breach should be done on a case-by-case basis. Not all incidents involving Personal Data and/or Sensitive Personal Data are data breaches. Although it is not possible to provide a comprehensive list of Personal Data and/or Sensitive Personal Data breaches, some of the more common examples of Personal Data and/or Sensitive Personal Data breaches are listed below.

      • Accidental Destruction: inadvertently deleting an electronic file or destroying a physical one.
        Note: If there exists a full and up-to-date back-up of the Personal Data and/or Sensitive Personal Data which were deleted, this might not constitute a Personal Data breach.
      • Loss
        • Equipment (laptop, smartphone, tablet, external hard-drive, flash/thumb drive) on which Personal Data and/or Sensitive Personal Data are stored, or hard-copy records, are misplaced – even temporarily (see 4.1.1).
        • Equipment on which Personal Data and/or Sensitive Personal Data are stored fails/crashes causing data to be unrecoverable.
        • Breaches of physical security (e.g. break-ins to filing cabinet or other storage medium; break-ins to rooms/spaces) in areas where Personal Data and/or Sensitive Personal Data are housed. [This scenario might also lead to Unauthorised Access.]
      • Alteration
        • Changing an entire, or parts of a, data record in error.
        • Deleting an entire, or parts of a, data record in error.
      • Unauthorised Disclosure or Unauthorised Access
        • Human error – inadvertently disclosing Personal Data and/or Sensitive Personal Data to an individual who was mistakenly believed to have the requisite authorisation to view/process the data.
        • Accidental disclosure
          • Inadvertently disclosing the wrong type of Personal Data and/or Sensitive Personal Data to an individual who does have the requisite authorisation to view/process some data. E.g. in fulfilling a legitimate Personal Data request, more data are disclosed than the individual is authorised to view/process.
          • Leaving confidential information in accessible areas, or leaving unattended a device that is logged in to an information system, application, data repository (including local storage) or electronic mail account.
      • Inappropriate/insufficient IT controls and/or precautions
        • Allowing transfer of information to external or unauthorised IT systems. E.g. uploading Personal Data and/or Sensitive Personal Data to an unauthorised website, domain or third-party service.
        • Allowing access to Personal Data and/or Sensitive Personal Data using insecure credentials (e.g. shared, default or weak passwords).
        • Malware attacks or information security intrusions on IT infrastructure allowing unauthorised users access to Personal Data and/or Sensitive Personal Data.
          Note: If the Personal Data and/or Sensitive Personal Data are securely encrypted (and the decryption key was not also compromised) or anonymised, this might not constitute a Personal Data breach.
        • Not collecting logs and other records of access, authentication and authorisation activity, which are normally used for monitoring, reviewing and investigating suspicious activity.

      11.2 Management of a Data Breach

      There are three steps to managing a Data breach:

      • Collection of Incident Details;
      • Notification of Data Breach and Risk Assessment;
      • Evaluation and Response.

      11.2.1 Incident Details

      Details of the incident should be recorded accurately by the authorized officer including:

      • Description of the incident;
      • Date and time of the incident;
      • Date and time the incident was detected;
      • Who reported the incident and to whom it was reported;
      • The type of Data involved and its sensitivity;
      • The number of individuals affected by the breach;
      • Whether the Data were encrypted;
      • Details of any Information Technology (IT) systems involved;
      • Corroborating material(s).

      11.2.2 Notification of Data Breach & Risk Assessment

      Internal Notification
      • Having become aware of a suspected, potential or actual Personal Data and/or Sensitive Personal Data breach the staff member or contractor shall immediately report the incident to the head of their area (Unit/Department/School/Faculty/Division) or, in the case of contractors, University contact.
      • The head of their area (Unit/Department/School/Faculty/Division) or, in the case of contractors, University contact, shall, upon receipt of the report, then make a preliminary incident report to the Data Protection Officer (dpo@uwi.edu).
        The incident report should address the following questions:
        • What type of data are involved?
        • How sensitive are the data involved?
        • How many individuals’ Personal Data and/or Sensitive Personal Data are affected by the breach?
        • Were there protections (e.g. encryption) in place?
        • What are the potential adverse consequences for individuals and how serious or substantial are they likely to be?
        • How likely is it that adverse consequences will materialize?
      • After reporting the incident, the head of area (Unit/Department/School/Faculty/Division) or, in the case of contractors, University contact, shall complete the Possible Personal Data Breach - Incident Report (see “Personal Data Breach Incident Report” in Appendix 8) within 24 hours or as soon as they are able to do so.
      • The Data Protection Officer shall then determine how best to address the breach.

    11.2.3 Evaluation and Response

    Subsequent to any Personal Data and/or Sensitive Personal Data breach, a thorough review of the incident will be made by the Data Protection Officer. The purpose of this review will be to:

    • Ensure that the steps taken during the incident were appropriate;
    • Describe and record the measures taken to prevent a repetition of the incident;
    • Identify areas in need of improvement;
    • Document any recommended changes to the Policy and/or Procedures.


    12.0 Awareness Training & Support for Staff who process Personal Data

    The UWI aims to support staff members who process Personal Data and/or Sensitive Personal Data, through Data Protection Awareness Training and Data Protection support mechanisms.

    12.1 Data Protection Awareness Training

    Data Protection Awareness Training will take place during the orientation of new staff, and at various intervals throughout an employee’s professional career at The UWI. Training sessions will be conducted at least once each academic year.

    12.2 Data Protection Support

    Data Protection Support is provided by the individual(s) performing the role of Data Protection Officer(s).



    13.0 Compliance Audits (Risk Management)

    13.1 Internal Compliance Audit

    The main purpose of an Internal Compliance Audit is to determine whether The UWI is operating in accordance with the relevant Data Protection legislation and policies and to identify possible contraventions of the legislation and policies. Compliance audits will be the purview of The University Auditor and will form part of the University’s Compliance Framework.

    • Annual Internal Compliance Audits will be undertaken by members of one or more of the following: the Data Protection Working Group; the Data Protection Officer; the University Management Audit Department; any other authorized unit. The purpose of these audits is to identify existing and potential risks.
    • Internal Compliance Audits will review both manual and electronic Data Procedures and compliance.
    • In order to ensure that the requirements of the Data Protection legislation and policies are observed, immediate remedial action may be prescribed by the auditor / audit team.
    • Managers/ Staff shall cooperate fully with the auditor/ audit team in completing Internal Compliance Audit questionnaires and site visits.
    • Audit results will be recorded.


    Appendices

    Appendix 1 – Elements of Personal Data and Sensitive Personal Data
    Appendix 2 – University entities to which these procedures apply
    Appendix 3 – The Data Protection Legislation and Authorities across the Caribbean (in the 17 contributing territories of The UWI)
    Appendix 4 – List of The UWI Global Centres
    Appendix 5 – Data Protection Legislation in countries with UWI Global Centres
    Appendix 6 - Record of Personal Data and/or Sensitive Personal Data Collected
    Appendix 7 - Personal Data and Sensitive Personal Data Access list template
    Appendix 8 - Forms
    Appendix 9 - Personal Data and/or Sensitive Personal Data Request Procedures

    The 17 contributing territories of The UWI (Appendix 3):
  • Anguilla
  • Antigua & Barbuda
  • The Bahamas
  • Barbados
  • Belize
  • Bermuda
  • British Virgin Islands
  • Cayman Islands
  • Dominica
  • Grenada
  • Jamaica
  • Montserrat
  • St Kitts and Nevis
  • St Lucia
  • St Vincent and the Grenadines
  • Trinidad and Tobago
  • Turks and Caicos