Privacy and Data Protection: Record of processing activities

The first step that organizations should take in order to fulfill their responsibilities to protect personal data is to properly identify and document what personal data exists or will exist within an application and under what authority and for what purposes the collection of data was authorized. This activity is often referred to as maintaining a record or register of processing activities.

About

The purpose of this document is to help development teams associated with the University of Illinois fulfill their responsibility to comply with Illinois Cybersecurity and Privacy standards. You may have other obligations; contact counsel or compliance for guidance on complying with relevant law.

Properly recording data processing activities helps comply with the Institutional Data Security Standard, NIST SP 800-53 Rev. 5 (specifically 3.15 Personally Identifiable Information Processing and Transparency) as well as privacy laws such as the General Data Protection Regulation (GDPR). 

Definitions

While standards vary, GDPR Article 4 defines ‘personal data’ and ‘processing’ as follows:

  1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

  2. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

What to gather


NIST 800-53 Rev. 5 PT-2, PT-3, PT-4 and PT-5 and GDPR Article 30 require that organizations maintain a record of processing activities that describes why personal data is collected, what the legal basis for the collection is, and what authority has authorized that legal basis, and finally that the organization communicate this information transparently to its users.

The first step in creating a record of processing activities is to follow best practices for data mapping. A data map is like a census for your data. Data mapping should begin with the Institutional Data Security Standard DAT01.1.1 and identify all data elements and their data classification according to the University’s data classification scheme. In addition, a data map should include: 

  1. The name and contact information of the subject matter expert who would be responsible for responding to questions in coordination with the Privacy Team.

  2. The purpose of the processing. For example, see the processing activities that are identified in Table 1 of the University's Supplemental Privacy Policy.

  3. A description of the categories of data subjects and the categories of personal data.

Example data subjects:

  • Prospective Students
  • Students
  • Alumni
  • Faculty
  • Staff
  • Human Research Subjects

Example categories of personal data:

  • Personally Identifiable Information (PII)
  • Student Data
  • Health Data
  • Financial Data
  • Employee Data
  • Data that has additional legal obligations

  4. The recipients to whom the personal data have been or will be disclosed, including internal and external recipients.

  5. Where applicable, a list of any international data transfers, including the country and organization.

  6. Data retention and time limits for different categories of data. For more information, see the Records and Information Management Services Records Retention Schedules.

  7. A general description of the technical and organizational security measures.

Technical measures might include:

  • Access Control Lists
  • Pseudonymization
  • Anonymization
  • Encryption
  • Network Authentication

Organizational measures might include:

  • Awareness and Training
  • Disaster Recovery Plans
  • Incident Response Plans
  • Regular Test Plans
  • Segmented Access Control
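The seven items above amount to a record schema that a development team can keep alongside the application and check mechanically, for example as a CI step. The following Python script is an added example, not code from the original page or from University of Illinois Technology Services; the field names, the classification labels and the sample entry are assumptions (the real labels come from the University's data classification scheme), and the item numbers in its messages refer to the numbered list above.

```python
"""Completeness check for one entry in a record of processing activities.

Added example, not part of the original page. It encodes the seven items the
page lists for a data map as a checklist and reports which are missing or
inconsistent. Field names, classification labels and the sample entry are
assumptions (constructed for illustration).
"""
from dataclasses import dataclass, field

# Constructed stand-in for the University's data classification scheme
# (assumption: substitute the real labels from DAT01.1.1).
KNOWN_CLASSIFICATIONS = {"public", "internal", "sensitive", "high-risk"}


@dataclass
class DataElement:
    name: str
    classification: str   # label from the data classification scheme
    category: str         # e.g. "Student Data", "Health Data"
    retention: str = ""   # e.g. "5 years after graduation"


@dataclass
class ProcessingRecord:
    application: str
    contact_name: str = ""                    # item 1
    contact_email: str = ""                   # item 1
    purpose: str = ""                         # item 2
    legal_basis: str = ""                     # item 2
    data_subjects: list[str] = field(default_factory=list)        # item 3
    data_elements: list[DataElement] = field(default_factory=list)  # item 3
    recipients: list[str] = field(default_factory=list)           # item 4
    # item 5: each transfer is {"country": ..., "organization": ...}
    international_transfers: list[dict] = field(default_factory=list)
    technical_measures: list[str] = field(default_factory=list)      # item 7
    organizational_measures: list[str] = field(default_factory=list) # item 7


def find_gaps(rec: ProcessingRecord) -> list[str]:
    """Return human-readable gaps, prefixed with the list item they violate.

    An empty list means the record covers every item on the page's checklist.
    """
    gaps = []
    if not (rec.contact_name and rec.contact_email):
        gaps.append("1: subject matter expert name and contact missing")
    if not rec.purpose:
        gaps.append("2: purpose of processing missing")
    if not rec.legal_basis:
        gaps.append("2: legal basis for the processing missing")
    if not rec.data_subjects:
        gaps.append("3: no categories of data subjects listed")
    if not rec.data_elements:
        gaps.append("3: no data elements / categories of personal data listed")
    for el in rec.data_elements:
        if el.classification not in KNOWN_CLASSIFICATIONS:
            gaps.append(f"3: element '{el.name}' has unknown classification "
                        f"'{el.classification}'")
        if not el.retention:  # item 6 applies per category of data
            gaps.append(f"6: element '{el.name}' has no retention period")
    if not rec.recipients:
        gaps.append("4: recipients not listed (record 'none' if no disclosure)")
    for t in rec.international_transfers:
        if not (t.get("country") and t.get("organization")):
            gaps.append(f"5: international transfer {t} lacks country or organization")
    if not rec.technical_measures:
        gaps.append("7: no technical security measures described")
    if not rec.organizational_measures:
        gaps.append("7: no organizational security measures described")
    return gaps


def sample_record() -> ProcessingRecord:
    """Constructed sample entry for a hypothetical advising application."""
    return ProcessingRecord(
        application="advising-portal (hypothetical)",
        contact_name="Jane Doe (placeholder)",
        contact_email="jdoe@example.edu",
        purpose="Schedule advising appointments for enrolled students",
        legal_basis="(placeholder: cite the authorizing policy or law here)",
        data_subjects=["Students", "Staff"],
        data_elements=[
            DataElement("student_id", "sensitive", "Student Data",
                        "Duration of enrollment + 1 year"),
            # Deliberately incomplete: no retention period recorded.
            DataElement("accommodation_note", "high-risk", "Health Data"),
        ],
        recipients=["Advising office (internal)"],
        international_transfers=[{"country": "Canada"}],  # organization missing
        technical_measures=["Access Control Lists", "Encryption"],
        organizational_measures=[],                        # nothing recorded
    )


if __name__ == "__main__":
    for gap in find_gaps(sample_record()):
        print(gap)
```

Run as a script it prints the three gaps in the constructed sample (missing retention for the health-data element, an international transfer without an organization, and no organizational measures). In practice the record would be loaded from a YAML or JSON file kept in the repository, and a non-empty result would fail the build.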

Keywords: privacy, security, developer, sdlc, cybersecurity, devops, secdevops, gdpr
Doc ID: 124639
Owned by: Security S. in University of Illinois Technology Services
Created: 2023-03-07
Updated: 2024-09-03
Sites: University of Illinois Technology Services