Policies and procedures

Peer Review

Peer review should seek to encourage individual lecturers and tutors to reflect on their teaching, to identify and build on their particular strengths, to address any weaknesses and generally to increase their effectiveness as teachers. Peer review should also provide a means by which best practice in the School’s departments and across departments can be shared. It should not lead to homogeneity of teaching style. The peer-review process should acknowledge that excellence in teaching can take a diversity of forms.

Information Security and Data Protection

Many staff regularly handle the personal data of staff, students, research participants and others. For example, it is common practice to create files of all relevant data relating to an individual student or member of staff as a record of that person's time studying or working at the University. The data is subject to the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 and concerns all administrative, academic and commercial areas within the University.

Data breaches

Under GDPR all staff are obliged to report data breaches within 72 hours of becoming aware of them (e.g. telling a line manager about an email containing sensitive personal data that was sent to an incorrect recipient). If the University does not meet this deadline it could face a six-figure fine. The clock starts from the moment we know a breach has occurred.

Email guidance

Once an email is sent you lose control over what the recipient does with the data. You should send the minimum necessary data and consider carefully whether or not email is the appropriate way to communicate personal data.

Frequently Asked Questions (including research data)

Freedom of Information requests

Public authorities are obliged to respond to a request within twenty working days from its receipt.

Information Risk Register

An Information Governance Risk Register Assessment (IGRR) needs to be completed by the business owner or project manager in certain circumstances (i.e. high-risk processing):

  • involvement in the procurement or development of a new IT system
  • making changes to an existing IT system
  • involvement in a non-IT-related project or activity that involves collecting, using or sharing information or data (whether it’s personal data or not) – this could include running competitions and outreach activities

Information Security and Data Protection online training

New staff starters (including GTAs/TAs) need to undertake this mandatory training as a matter of urgency once their contract has started.

Phishing emails

A phishing email tries to trick you into giving out personal information or visiting fake websites. Responding to a phishing attack can:

  • Release your personal details to someone who may use them fraudulently
  • Encrypt your files and folders, demanding that a 'ransom' fee be paid to revert the damage
  • Stop your computer from working completely

If you think you’re a victim of a phishing email, or that your computer has become infected, telephone us immediately on +44 (0) 161 306 5544.

If you receive a suspicious email, do not click on any links and do not reply. Send the phishing email as an attachment to phishing@manchester.ac.uk.

Record retention

Records containing personal data should be managed in accordance with the UoM records retention schedule. The University has an obligation to tell data subjects how long their data will be kept for and to adhere to this policy.

Sharing personal data

Please familiarise yourself with guidance on disclosing personal information, data protection principles and staff obligations. Encryption instructions are available here. Failures or weaknesses in processing personal data can result in significant harm and distress to the individuals affected and may also cause significant reputational damage to the University.

Storing information

All University information must be stored and handled in a manner appropriate to its security classification and stored on University-approved systems.

Subject Access Requests

GDPR gives individuals the right to obtain confirmation as to whether or not personal data concerning them are being processed and, where that is the case, access to the personal data, along with other information such as how long it is envisaged that the data will be stored.