Authorisation Form for the Release of Personal Or Sensitive Data

Authorisation Form for the Release of Personal or Sensitive Data

1.For Completion by Department/School/Team Requesting Data

Complete all of section 1 and 2, then send to Data Protection Officer for authorisation

1.1.Data Release Authorisation Reference Number

If this is a modification/resubmission of a previous release request, please provide Data Release Authorisation Request Reference Number (found at 3.4 of your original submission).
Click here to enter text.
If this is not a modification or resubmission, go to 1.2

1.2.Data User and Owner (This must be completed and submitted by the person requesting the data)

Name / Click here to enter text. /
Email / Click here to enter text. /
Job Title / Click here to enter text. /
Department/School / Click here to enter text. /
Who has authorised this request in your department/school?
Please attach/include the authorisation with this request / Click here to enter text. /

1.3.Intended Use of the Data (You must not use the personal data beyond these state purposes)

What data do you need? Be specific and list all data (Include in a separate list if necessary) / Click here to enter text. /
For your intended purpose, can the data be anonymised and aggregated? / YES Anonymised (e.g. if purpose of the report is to determine numbers, rather than individuals, your data should be anonymised)
☐ / YES Aggregated (where the cohort is <5, or if cutting the data in a particular way renders someone identifiable from anonymous data then these cohorts are aggregated with bigger, non-identifiable cohorts)
☐
Can you directly or indirectly identify a natural (living) person from the data you need? (identifiers can include, for example, name, email address, student number) / YES Directly☐ / YES Indirectly☐
Do you need identifiable personal data that is directly or indirectly a special category of data?
/ Directly (check any box that applies to the personal data you are requesting) / Indirectly (check any box that applies to the personal data you are requesting)
An actual example is a Charitable organization working in a civil war zone, collecting data of its employees’ 1st language. Their first language indirectly identifies their ethnicity. The NGO stopped collecting this, once it realized the impact of the data privacy risk
Race / ☐ / ☐ /
Ethnic origin / ☐ / ☐ /
Politics / ☐ / ☐ /
Religion / ☐ / ☐ /
Trade Union Membership / ☐ / ☐ /
Genetics / ☐ / ☐ /
Biometrics (used for ID) / ☐ / ☐ /
Health / ☐ / ☐ /
Sex life / ☐ / ☐ /
Sexual Orientation / ☐ / ☐ /
If yes to any of the above, we will likely need to ask you more questions to ensure your data request is lawful.
One lawful condition for processing special categories of data is if you have specific, explicit, unambiguous, consent for a specific purpose and that any further processing is in line with that original, specified purpose / Can you provide evidence of the data subject’s specific, explicit consent to process/further process their data for your intended purpose? / ☐ Yes (please include with request)
☐ No, but I know how the consent was collected
(Please specify:Click here to enter text.)
☐ No, I don’t know how we collect this data
Please tell us what format/s you want the personal data in? / Please describe either a specific format (csv, excel spreadsheet, pdf) or tell us how you want to use the data (I need to merge the data with other data I have in a spreadsheet, I need to share external to the university, I need to give a presentation externally and know/don’t know if there is Wi-Fi there)
Click here to enter text.
Please explain why the data is needed / Click here to enter text. /
Please explain the specific purpose for which you will use the data? / Click here to enter text. /
When do you need the personal data by? / Please enter a date
Click here to enter a date.
Please change from the 00:00 default if you need by a specific time on your stated date. Use 24 hour time format)
00:00

1.4.Security

The General Data Protection Regulation states that data must be ‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.” [accessed 02/05/2018]

You are responsible for the Security of the personal data you are requesting.

Please check all that applies to where you will store the data.

I would be ok looking at the information in a system – I don’t need to export, keep, or transit / ☐ / Provide more detail (only if necessary)
Click here to enter text.
Paper copy locked in a secure cupboard. No transit / ☐ / Please explain how you will ensure that you are using a secure printer, and that your printout will not be left unattended
Click here to enter text.
Paper copy as above, plus transit to other locations / ☐ / Please explain how you will keep the personal data secure when in transit
Click here to enter text.
Password protected on a university-managed laptop/PC/Mac / ☐ / Please explain who will know the password. (You must ensure you do not leave your university account logged in, unattended). Please explain how you will access a secure network in a secure location
Click here to enter text.
Kept on a SharePoint site with managed permissions / ☐ / Please explain who will share the permissions
Click here to enter text.
Intended Dissemination by SharePoint link / ☐ / Please explain who, specifically, will have access to the SharePoint Link if different from above. If the same, write ‘same’
Click here to enter text.
Intended Dissemination by Email (password-protected) / ☐ / Please explain who, specifically, you intend emailing with the documentation, and how will you ensure that you NEVER send the personal data to an incorrect email recipient (one of the biggest data breach causes)
Click here to enter text.
Intended Dissemination by secure ftp site / ☐ / Please provide details
Click here to enter text.
Use of personal device to access the information / ☐ / Please explain why you need to use a personal device (we may be able to suggest viable alternatives). Please explain how you will ensure the device is secure (you have changed factory settings), how your device is locked, how you will access the data on your personal device (any app or service you access is password-protected on your device so that it is not left open), how you will ensure all data is destroyed on your personal device
Click here to enter text.
Use of a USB stick or CD / ☐ / This is really high risk as you could leave this anywhere. Please explain why you need to use a USB stick or CD (we can help you find viable alternatives)
Click here to enter text.
Other / ☐ / Please specify
Click here to enter text.

1.5.Destroying the Data

As the Data Owner, and Data User, you are responsible and accountable for the destruction of data to the timelines and method below:

Please tell us when you will finish with the personal data for your stated intended purpose at 1.2? / Click here to enter a date. /
Please tell us by what date you will destroy all copies of this personal data? / Click here to enter a date. /
Please tell us how you will destroy the data? / Click here to enter text. /
If you are using a personal device, please tell us how you are going to ensure all copies of the personal data are destroyed / Click here to enter text. /
Please tell us if you need help or advice as to how to destroy the data / Click here to enter text. /

1.6.Adding to the Data

Will you add to the data or modify it in any way at all? (This includes merging with other datasets, manipulating the data, deleting data from the dataset) / Yes☐
If yes, please provide details
Click here to enter text.

1.7.Disclosure of Data

Will you disclose this data to people who are not University of Brighton staff?
(If you are unsure whether or not someone is categorized as staff, for example, a student ambassador, or a temporary contractor, put yes) / Yes ☐
If yes, please provide comprehensive and specific details as to each person and their organisation (consider whether you need a data sharing agreement with these people, or how you, as Data Owner, are going to ensure that these further users will safeguard the requested data, and only use it for its intended purpose, and will destroy it once the intended purpose is fulfilled):
Click here to enter text.

2.Conditions for Release of Personal Data to You (the Data Owner and the Data User)

A condition of release of data to you, the data owner, is that you are responsible and accountable for the security of this personal data, and for its exclusive use for the specified purpose at 1.2., and for the security and safeguarding of this personal data if shared to other specified people for its intended purpose.

Please confirm you understand this condition for the release of personal data to you

☐I, Click here to enter text., understand I am responsible and accountable for the security of this personal data when released to me, and that I am responsible and accountable for its use only for the stated intended purpose at 1.2

☐I, Click here to enter text., will notify the Data Protection Officer of any security or data breach relating to this personal data and will abide by the rules of the Data Protection Policy

☐I, Click here to enter text., will be responsible for and accountable for this personal data on release to me, in accordance with the published University of Brighton Data Protection Policy and Guidance A condition of release of data to you, is that you are responsible and accountable for the security of this personal data, and for its exclusive use for the specified purpose at 1.2.

If you cannot accept these conditions of service, we cannot release the personal data to you

You cannot accept these conditions of service on behalf of someone else, or on behalf of a group or team of people. Requests must be submitted by the person requesting the data, the data owner.

3.Data Protection Officer Authorisation

(Please complete either 3.1, or 3.2, or 3.3 as appropriate and section 3.4, and send either to data owner for modification or systems and data team for request fulfilment)

3.1.Authorised:

☐I, Click here to enter text. , authorise the release of the personal data for the intended purpose, use, dissemination, retention, security and destruction as stated above by the Data Owner/User
☐I, Click here to enter text. confirm the information listed on this form is the final agreed version of the Data Release Authorisation request
Click here to enter a date.
Please outline any discussions leading up to authorisation of this data release request (amendments, email discussion, reduction in requirements to meet DP principles)
Click here to enter text.

3.1.1.Lawful basis for Processing

Please enter the lawful basis for processing / Choose an item.
If special category of data requested, what is the condition for the processing of special categories data under which we can lawfully process this data request? / Choose an item.

3.2.Rejected:

☐I, Click here to enter text. DO NOT authorise the release of the personal data for the intended purpose, use, dissemination, retention, security and destruction as stated above by the Data Owner/User
Click here to enter a date.

3.3.Rejected pending recommended modifications:

☐I, Click here to enter text. may authorise the release of the personal data for the intended purpose, use, dissemination, retention, security and destructed as stated above by the Data Owner/User with the listed modifications
Click here to enter a date.
Please outline the modifications you would need to see, in order to authorise the release of the personal data
Click here to enter text.

3.4.Data Release Authorisation Request Reference Number

Please provide a DPO Data Release Authorisation Request Reference Number:
Click here to enter text.

4.Systems and Data Team Declaration

(Please complete either 4.1 or 4.2 as appropriate and send to Data Protection Officer)

4.1.We were able to fulfil the request

☐I, Click here to enter text. have released the personal data as authorised for release by the Data Protection Officer in this request form
Click here to enter a date.
Please confirm method of release to the stated Data Owner/User
Click here to enter text.

4.2.We were not able to fulfil the request

☒I, Click here to enter text. ,have NOT released the personal data as authorised for release by the Data Protection Officer in this request form
Click here to enter a date.
Please explain any reason you have not fulfilled the authorised data release?
Data already available from another agency / ☐
Please specify the agency (e.g. HESA, UCAS)
Click here to enter text.
Data already available from another University source / ☐
Please specify the university source (e.g. Qlikview)
Click here to enter text.
There is a slightly different dataset already available, which may meet requirements / ☐
Please specify the dataset (e.g. BO report name, Data release reference number)
Click here to enter text.
We do not think the data requested is the best dataset/method to service the intended purpose / ☐
Please provide more detail
Click here to enter text.
We have serious concerns about the intended purpose, and we want the relevant authority to consider these concerns before the DPO confirms authorisation / ☐
Please outline the concerns you want to raise with DPO
Click here to enter text.
We have serious concerns about the data quality of the requested dataset, especially in relation to its intended purpose / ☐
Please outline the data quality concerns you want to raise with the data owner
Click here to enter text.
We do not hold the data requested in the system in a releasable format / ☐
Please provide any further relevant detail
Click here to enter text.
We do not hold the data requested in the systems for which we are responsible / ☐
Please provide information where you think the data might be held, if known by you
Click here to enter text.
We currently have other priorities and will contact the Data Owner to negotiate a data release date / ☐
Please outline when you think you might be able to deliver the data request by, if known
Click here to enter text.
Other reason / ☐
Please provide any further relevant detail
Click here to enter text.
☐I, Click here to enter text....., recommend the data release authorisation be reviewed by the Data Owner/User, and resubmitted to the Data Protection Officer with the following recommended modifications:
Please outline the modifications to the Data Release request you want to recommend to the Data Owner/User and the Data Protection Officer
Click here to enter text.