GDPR and Finance

Staff in finance roles across the University deal with sensitive information. Find out what steps you need to take to be ready for the GDPR deadline.

Are you responsible for:

  • processing payments to individuals, suppliers, pensioners, staff, or students
  • collecting payments from individuals, students, staff or customers
  • accessing finance systems
  • accessing Worktribe
  • salary forecasting?

If so, you may be handling personal data and should therefore be aware of the need to protect the privacy of the information held.

As you will be aware, GDPR regulations come into force on the 25th May.

Set out below are some principles for you to consider when dealing with personal information.

Processing Finance Data

Please ensure that you only send the minimum amount of data to Finance for processing.

Help us to keep finance data secure. Remember:

  • don’t share your password
  • lock your computer/laptop/tablet whenever you leave it
  • lock away your papers when you are away from your desk
  • don’t work with personal data on unencrypted devices.

Retention periods

The Finance Department is responsible for maintaining the golden copy of all financial documents and will maintain the corporate record. Information on finance retention guidance is here.

Only keep personal finance data that you need and don’t keep it for longer than needed, remember:

  • review your records to check whether you need to keep what you have
  • regularly delete emails that you don’t need to keep
  • follow the University retention schedule.

Using an electronic device to access finance data

If you are working with finance data please ensure that you follow the University’s guidance on how to protect your device and data. Information Security guidance on best practice.

If you are using a portable device to access sensitive financial information, please ensure the device is encrypted. Guidance on how to encrypt your device.

If you have any questions regarding security of data or establishing a secure process for handling data, you can contact the Information Security team at: informationsecurity@ed.ac.uk

If you have been granted access to any of the finance systems please ensure that you treat the personal information held on the systems confidentially.

Guidance on the use of all University computing and network facilities by staff, students and anyone else authorised to use them, together with the codes of practice for key finance systems, is given below.

GDPR Training for Staff

Anyone accessing finance systems must undertake the University’s online GDPR-related training, if they have not already done so.

The training is available via Learn. To access:

  • Log into Learn via the left hand menu on the home screen of MyEd
  • In Learn select the self-enrol tab on the top left of the screen and then select the "browse course catalogue" search option
  • Enter "Data Protection Training" into the search and click on the link to select the course.

As well as the Data Protection Training, you should undertake the University's Information Security Essentials training if you have not done so already. This is available via Learn.

Be aware when sharing personal data

Use approved University systems to access, use and store emails and documents. In particular:

  • don’t use generic cloud storage, such as Dropbox
  • don’t use personal email addresses to access/store work related information

If you are sharing personal data with a third party, think:

  • why the information is being shared and whether the third party has a right to receive it – check your contracts
  • what data do they need to have? Can it be anonymised and serve the same purpose?
  • what is the most secure way to share the data?

If something goes wrong

Tell us if personal data is deleted, lost, stolen or shared by mistake

  • We can ensure that the correct action is taken if you report any incident to dpo@ed.ac.uk, adding “Breach” into the subject line of the email
  • Please report any near misses to dpo@ed.ac.uk, adding “Breach” into the subject line of the email
  • You must tell us as soon as you become aware of any issues.

Further Information

We will be updating the Finance website with information as we finalise the finance GDPR guidance which will be available here.

We have developed a privacy policy for financial processes in the University and this is available here. If you have any comments or questions on this, please email Finance@ed.ac.uk.

We are updating finance forms to ensure that, if appropriate, a link to the finance privacy policy is added. If you are using your own version of a finance form, you may wish to include a link to the finance privacy policy on the form, available here.

The finance GDPR register is currently being edited and will be made available via the GDPR page once finalised. This will cover all corporate finance systems and processes, removing the need to have a local finance register.

We will be making some changes to finance systems to support GDPR. One change being implemented next week is the introduction of a staff (P02) payment voucher. Once this is ready to go live an email will be sent out notifying you of any changes.

If you have a question about Finance and GDPR please email Finance@ed.ac.uk.

Our records management pages contain further information and guidance to assist you.

Further information on GDPR.