Our customers have told us that, in principle, all management information should be made open and transparent. This is because insight can be gained from comparative management information that allows users to learn from others. We recognise, however, that there may be exceptions. For example, we are legally required to restrict access to certain datasets, especially data concerning individuals (for example student and staff records).
We are conscious of the need to restrict access to sensitive data to appropriate audiences. This means:
- We will ask for confirmation of your job role and need when you request access to dashboards containing sensitive data.
- We agree with data owners how the personal data is visualised for dashboards in their domain, and we agree with data owners which groups of staff are able to access those dashboards.
- We carry out Data Protection Impact Assessments whenever we work with new personal data in Tableau or in our IDW.
Responsibilities in using Management Information
In requesting access to management information and the Tableau reports, you agree that you:
1. Are familiar with .
3. Have completed UCL Information Security Awareness training, accessed via the training site.
4. Are familiar with any additional data retention policies which exist in your department.
The Data and Insight Service complies with all requirements with regards to data protection, freedom of information and privacy. A complete description of these legal requirements is available on the .
As some data in the Tableau reports may be confidential and may include individualised staff or student information, you must ensure compliance with UCL's approaches to handling sensitive data as outlined in (password protected).
General Data Protection Regulation (GDPR)
The General Data Protection Regulation legislation came into effect in May 2018. The GDPR has changed the way in which organisations, like UCL, collect, use and transfer personal data.
GDPR legislation has affected the provision of the Data & Insight service from May 2018. The service will consider the different types of processing it carries out as part of its activities, to ensure compliance.
Whilst the Data & Insight service can still rely on consent as a legal basis to process personal data, a data subject must be given an easy way to withdraw it. Consent must still be 'explicit' for the processing of sensitive data, renamed 'special category' data under GDPR. A data controller will need to demonstrate that such consent has been given.
More information concerning how GDPR legislation affects UCL is available on the .