Audit of personal data protection at the university


Objectives of the audit

Publishing examination results with a list of students’ names, sending leaflets to former candidates, and monitoring graduates' careers without their prior consent are only some of the ways in which universities act in breach of the law.

Universities are extremely autonomous and complex organizations, processing the data of tens of thousands of students, employees and other stakeholders within the framework of a dispersed structure of internally and externally managed IT systems, databases, spreadsheets and forms.

The objective of the audit offered by PCG in cooperation with the *Lex‑Artist law firm is to examine whether the university's activity complies with the currently applicable personal data protection provisions and to develop specific proposals for solutions that minimize the legal and reputational risk related to inappropriate data processing.

Scope of the service


  • General activities:

    • Identifying the personal data filing systems processed;
    • Verifying compliance with the general principles of data processing.


  • Analysis of physical and IT safeguards:

    • Verifying physical safeguards and organizational measures adopted by the data controller with regard to compliance with the minimum standards;
    • Verifying IT system safeguards with regard to compliance with the minimum standards and to granting access authorizations;
    • Verifying the security level of passwords used in IT systems;
    • Analyzing backup copy creation procedures;


  • Processing of students' personal data:

    • Verifying the terms of direct and indirect data collection;
    • Verifying the students' data retention period;
    • Verifying the correctness of the forms used to collect data from students;
    • Verifying compliance with the obligation to inform and the correctness of agreements concluded with students;


  • Analysis of HR documentation:

    • Auditing the required employee documentation: regulations, questionnaires, etc.
    • Verifying the compliance of the enrolment process with data protection provisions (enrolment forms, job offers, security measures for CVs)


  • Analysis of the personal data protection system currently in place:

    • Analyzing the specimen authorizations to process personal data;
    • Analyzing the register of authorized persons;
    • Verifying the documentation relating to personal data protection (Security Policy, IT System Management Instruction);
    • Analyzing the procedure for granting authorizations;
    • Verifying whether the employees who have access to the personal data are obliged to keep such data secret;
    • Verifying how the registration obligation is fulfilled (notification of the data filing systems for registration with GIODO, and the issue of their possible updates);


Benefits

Upon completion of the service, we will provide you with a confidential report containing findings that will allow you to identify the irregularities in the personal data protection system previously in place. The report will also include our recommendations with regard to the solutions designed to ensure data security.

The services offered by PCG and Lex‑Artist provide the following benefits:

  • Obtaining a Certificate of compliance with the principles of secure and lawful processing of personal data;
  • Meeting the requirements specified in the personal data protection provisions (the required documentation, the implementation of the relevant solutions, the training of staff);
  • Protection against data leaks and loss of reputation by the university;
  • Full documentation, including the suggested changes with a view to streamlining business processes.



* Lex Artist is the only law firm in Poland specializing exclusively in personal data protection. The firm has performed over 500 documentation audits and implementations, held over 1000 training sessions, and acts as DPO for over 80 regular customers.