Rouages: "Respect for privacy is a fundamental right that must be guaranteed".

Laurent Bourgue is Deputy Director of General and Institutional Affairs. He is also the Data Protection Delegate, an essential and mandatory function to guarantee the privacy rights of the UM's 50,0000 students, staff and third parties. He talks to us about this in the Rouages video series produced by the University of Montpellier.

"Personal data? It's information that directly or indirectly identifies a person," explains Laurent Bourgue, Data Protection Officer (DPO) at the University of Montpellier. We don't handle data as sensitive as that of a hospital, but you can find an address, bank details, information on household composition, the state of health of employees or student results... A gold mine for ill-intentioned people !" And his job is to make sure that never happens.

It was in May 2018 that the appointment of a DPO became a legal obligation for every public body and for certain private companies following the entry into force of the General Data Protection Regulation(RGPD). While this position requires no special training or prerequisites, Laurent Bourgue has completed the DU Délégué à la protection des données offered by the University of Montpellier. Recruited as deputy director of the general and institutional affairs department in 2022, he was appointed DPO by Chairman Philippe Augé and declared as such to the CNIL. " Between the 1978 law known as "Informatique et liberté" and the implementation of the RGPD it took almost 40 years. It's a real paradigm shift, and we're a bit of a pioneer," he recalls.  

Informing and raising awareness

The DPO has a range of tools at his or her disposal to carry out his or her various tasks. First of all, there are the basic IT tools, known as " logical security measures ": antivirus, firewall, etc. For all these matters, Laurent Bourgue works closely with the DSIN's IT systems security manager (see Rouages: " We are one of the most widely used departments, but also one of the most hidden "). Another set of tools: the law. " We have to make sure that everyone is informed and aware that data concerning them is being collected and used, and that they have rights over this use ", explains the Data Protection Officer. These rights include access to personal data, the right to object to its use, and the right to request its rectification or deletion.

To ensure that everyone knows their rights and the limits of their rights, raising awareness is an essential dimension of the DPO's work. To this end, Laurent Bourgue works with all the university's departments, and in particular with Dred and Dipa. " The existing relationships between the UM and its co-contractors or partners require the conclusion of so-called data processing contracts, so that the obligations of both parties in terms of data protection are defined or specified ", he emphasizes. Awareness-raising initiatives aimed at students should also be undertaken in the near future.

Control and guarantee

The DPO may also be required to carry out random checks on data processing underway at the University, but Laurent Bourgue affirms, " It's not possible to check everything and I largely prefer to act upstream by raising awareness, explaining, particularly to researchers, that the RGPD is not a hindrance, that it certainly entails additional formalities but that it is a guarantee for everyone that their data will remain confidential." Pedagogy, patience and openness to dialogue are therefore part of the DPO's indispensable toolkit, not forgetting also a certain firmness when the situation calls for it. " You have to know how to set limits, whatever the issue at stake, including in the field of research. Respect for privacy is a fundamental right that must be guaranteed.

And if you have any doubts about data processing, Laurent Bourgue reiterates: "It' s important and perfectly legitimate to contact me by phone, e-mail or post. I'm the point of entry for these questions at the University, so don't hesitate ! Among the ways of improving this approach, the DPO would welcome the creation of a label that could distinguish and reward, as it were, organizations that respect the fundamental principles of the RGPD. " This could be motivating for teams and above all attractive to the public, as these questions are going to come up more and more."