Rouages: "Respect for privacy is a fundamental right that must be guaranteed."

Laurent Bourgue is Deputy Director of General and Institutional Affairs. He is also Data Protection Officer, an essential and mandatory role that ensures the privacy rights of the University of Montpellier's 50,000 students, staff, and third parties are respected. He talks about this in the video series Rouages produced by the University of Montpellier.

"Personal data? It's information that can be used to directly or indirectly identify a person," explains Laurent Bourgue, Data Protection Officer (DPO) at the University of Montpellier. "We don't handle data as sensitive as a hospital, but we do have addresses, bank details, information on household composition, staff health status, student results... It's a gold mine for people with malicious intent!" And his job is to make sure that never happens.

In May 2018, the appointment of a DPO became a legal requirement for all public bodies and certain private companies following the entry into force of the General Data Protection Regulation (GDPR). Although this role does not require any specific training or prerequisites, Laurent Bourgue took the Data Protection Officer course offered by the University of Montpellier. Recruited as deputy director of general and institutional affairs in 2022, he was appointed DPO by President Philippe Augé and registered as such with the CNIL. "It took almost 40 years between the 1978 law known as 'Informatique et Liberté' (Data Protection Act) and the implementation of the GDPR. It's a real paradigm shift, and we are somewhat pioneers in this field," he recalls.  

Inform and raise awareness

The DPO has a range of tools at their disposal to carry out their various tasks. First, there are essential basic IT tools known as "logical security measures": antivirus software, firewalls, etc. For all these issues, Laurent Bourgue works closely with the IT systems security manager at DSIN (see Rouages: "We are one of the most used but also one of the most hidden departments"). Another set of tools is the law. "We must ensure that everyone is informed and aware that data concerning them is being collected and used, and that they have rights over this use," explains the data protection officer. These rights include the right to access data concerning us, but also the right to object to its use or to request its correction or deletion.

To ensure that everyone is aware of their rights and the limits of those rights, raising awareness is an essential part of the DPO's work. To this end, Laurent Bourgue works with all of the university's departments, particularly the Dred and the Dipa. "The existing relationships between UM and its co-contractors or partners require the conclusion of data processing agreements so that the obligations of each party with regard to data protection are defined or specified," he emphasizes. Awareness-raising initiatives aimed at students are also expected to be launched in the near future.

Monitor and ensure

The DPO may also be required to carry out random checks on data processing within the University, but Laurent Bourgue states that "it is not possible to check everything, and I much prefer to take action upstream by raising awareness and explaining, particularly to researchers, that the GDPR is not a hindrance. While it does involve additional formalities, it guarantees that everyone's data will remain confidential." Education, patience, and openness to dialogue are therefore essential tools in the DPO's arsenal, not to mention a certain firmness when the situation requires it. "You have to know how to set limits, whatever the issue, including in the context of research. Respect for privacy is a fundamental right that must be guaranteed."

And if you have any questions about data processing, Laurent Bourgue reiterates: "It is important and entirely legitimate to contact me by phone, email, or mail. I am the point of contact for these issues at the University, so don't hesitate to get in touch!" Among the ways to improve this approach, the DPO would like to see the creation of a label that could distinguish and reward organizations that comply with the fundamental principles of the GDPR. "This could be motivating for teams and, above all, attractive to the public, as these issues will arise more and more."