Rouages: “Privacy is a fundamental right that must be safeguarded”

Laurent Bourgue is the assistant director of general and institutional affairs. He also serves as the data protection officer, a vital and mandatory role designed to ensure respect for the right to privacy ofUM approximately 50,000 students, staff, and third parties. He discusses this role in the video series *Rouages*, produced by the University of Montpellier.

“Personal data? It’s information that can be used to directly or indirectly identify a person,” explains Laurent Bourgue, Data Protection Officer (DPO) at the University of Montpellier. “We don’t handle data as sensitive as a hospital does, but we do have access to addresses, bank details, information on household composition, employees’ health status, and students’ grades… A goldmine for people with malicious intent!” And his job is precisely to ensure that this never happens.

In May 2018, the appointment of a Data Protection Officer (DPO) became a legal requirement for all public entities and certain private companies following the entry into force of the General Data Protection Regulation (GDPR). Although this role does not require any specific training or prerequisites, Laurent Bourgue completed the University of Montpellier’s certificate program in Data Protection Officer studies. Hired as deputy director of the General and Institutional Affairs Department in 2022, he was appointed DPO by President Philippe Augé and registered as such with the CNIL.“It took nearly 40 years between the 1978 ‘Data Protection’ Act and the implementation of the GDPR. This is a true paradigm shift, and we are, in a way, pioneers in this field,” he notes.  

Inform and raise awareness

The DPO has a range of tools at his disposal to carry out his various duties. First, there are essential basic IT tools known as“logical security measures”: antivirus software, firewalls, etc. For all these issues, Laurent Bourgue works closely with the IT systems security manager at the DSIN (see “Behind the Scenes”: “We are one of the most frequently used departments, but also one of the least visible). Another set of tools: the law.“We must ensure that everyone is informed and aware that data concerning them is being collected and used, and that they have rights regarding that use,”explains the data protection officer. Among these rights are the right to access data concerning oneself, as well as the right to object to its use or to request its correction or deletion.

To ensure that everyone is aware of their rights and the limits of those rights, raising awareness is an essential part of the DPO’s work. To this end, Laurent Bourgue collaborates with all of the university’s departments, and more specifically with the Dred and the Dipa. “The existing relationships betweenUM its contractors or partners require the signing of so-called data processing agreements so that the parties’ respective obligations regarding data protection are defined or clarified,” he emphasizes. Awareness-raising initiatives aimed at students are also expected to be launched soon.

Monitor and ensure

The DPO may also be called upon to conduct random checks on ongoing data processing within the University, but as Laurent Bourgue states,“it’s not possible to check everything, and I much prefer to take a proactive approach by raising awareness and explaining—especially to researchers—that the GDPR isn’t a hindrance; while it certainly involves additional formalities, it guarantees that everyone’s data will remain confidential. ” Education, patience, and openness to dialogue are therefore essential tools in the DPO’s arsenal, not to mention a certain firmness when the situation calls for it. “You have to know how to set boundaries, no matter what is at stake; even in the context of research, the right to privacy is a fundamental right that must be guaranteed.”

And if there are any questions regarding the implementation of data processing, Laurent Bourgue reiterates:“It’s important and perfectly legitimate to contact me by phone, email, or mail.I’m the point of contact for these issues at the University—please don’t hesitate! ” Among the ways to improve this process, the DPO would welcome the creation of a certification program that could recognize and, in a sense, reward organizations that comply with the fundamental principles of the GDPR. “This could be motivating for teams and, above all, appealing to the public, as these issues will come up more and more often.”