Smart training will help avoid data protection fines

To help Scotland’s universities avoid penalties for breaching data protection laws, free online training modules are being updated to meet new rules. Diana Watt from Edinburgh Napier University explains why the revised training will take pressure off institutions.

Universities in Scotland have to abide by data protection and information governance legislation. Recent updates to these has meant that at Edinburgh Napier we’re refreshing our training resources to keep pace.

In 2012 a successful bid for funding was made to the Leadership Foundation for Higher Education (LFHE) to adapt three modules developed by the Institute of Cancer Research (ICR) on data protection, freedom of information and information management (collectively known as the information governance online training modules).

Edinburgh Napier University provided the resources for reviewing the modules and identifying updates, while the LFHE funding went towards the cost of the work done by the ICR, which keeps the intellectual property rights for the modules and the technical means to update them.

They’ve been used successfully by a number of Scottish HEIs, however, since their introduction there have been changes to the legislation. This means that extensive updates are required to the existing data protection module to ensure that it remains fit for purpose. Other tweaks to the modules have also been identified through their ongoing use, in addition to legislative changes.

Data protection law changes

All universities in Scotland have to comply with a raft of legislation: the Data Protection Act 1998 (soon to be replaced by the General Data Protection Regulation (GDPR) in 2018), the Freedom of Information (Scotland) Act 2002 and the Environmental Information (Scotland) Regulations 2004.

Universities are also obliged to conform to the “Scottish Ministers’ Code of Practice on Records Management by Scottish Public Authorities” under section 61 of the Freedom of Information (Scotland) Act 2002″ to ensure good record management practices are in place.

Financial penalties for a breach of the data protection act are currently a maximum of £500,000, however under the new General Data Protection Regulation these rise to a maximum of €20m (at time of publication that’s more than £17m) or 4% of the global turnover of the organisation involved, whichever is greater.

Regulators recommend that all staff are trained to ensure that they are familiar with their responsibilities in order to reduce the risk of penalties. Online training modules are an efficient method of delivering training, but can be seen as expensive with costs ranging from approximately £6 per employee per year to £3,500 upfront then £900 maintenance per year (figures taken from those available online). Multiply this by the 15 universities in Scotland and that adds up to a substantial amount.

Reducing duplication of effort

The 2016/17 project aims to ensure that the online information governance training modules developed previously with funding from the LFHE are updated following recent legislative changes. This is to ensure that the modules remain a comprehensive and current learning resource, tailored to the sector, which Scottish universities can use to provide staff members with an excellent grounding in information governance in an efficient and cost effective manner.

By providing all HEIs with access to this learning resource the LFHE is reducing duplication of effort across institutions, reducing outlay for software solutions and resources to maintain the materials and therefore maximising efficiencies by maintaining shared resources.

Information professionals from all Scottish universities have been asked for their input which has been included in the updates. Currently we are awaiting further guidance from the UK Information Commissioner’s Office, who will regulate the GDPR, to ensure the final version of the modules will be relevant into the future.

The modules can be accessed via Edinburgh Napier’s website – updates will show as and when they are made.

Diana Watt
Diana is the information governance officer at Edinburgh Napier University.