- What are your institution’s rules about maintaining individual and commercial confidentiality?
- Do you make sure students and employees can find these easily on the institution’s website?
- What is your practice about retaining discharged ‘warnings’ in employees’ files indefinitely? Is there a regular check to make sure these have been removed?
- Do you ensure that managers, heads of department and academic staff are aware that their emails may be disclosable to data subjects?
- Do you have a code of conduct on sharing or forwarding emails without the author’s knowledge, and do you ensure that managers, heads of department and academic staff are aware of it?
- Do you always take the full forty days allowed by law to fulfil a data subject access request?
A good example of a university Policy on Data Protection may be found at
and a list of definitions of terms at