Council has executive responsibility for ensuring that the University complies with data privacy legislation.
It is supported by its General Purposes Committee, which is responsible for keeping under review the University’s policies and compliance with legislation and regulatory requirements.
Data Protection Officer (DPO)
The DPO is responsible for monitoring internal compliance, advising on the University’s data protection obligations and acting as a point of contact for individuals and the ICO.
Vice Chancellor’s and Registrar’s Office: Information Compliance Team
The Information Compliance Team is responsible for:
- establishing and maintaining policies and procedures at a central level to facilitate the University’s compliance with data privacy legislation;
- establishing and maintaining guidance and training materials on data privacy legislation and specific compliance issues;
- supporting privacy by design and privacy impact assessments;
- responding to requests for advice from departments;
- coordinating a University-wide register exercise to capture the full range of processing that is carried out;
- complying with subject access and other rights-based requests made by individuals for copies of their personal data;
- investigating and responding to complaints regarding data privacy (including requests to cease the processing of personal data); and
- keeping records of personal data breaches, notifying the ICO of any significant breaches and responding to any requests that it may make for further information.
In fulfilling these responsibilities, the team may also involve, and draw on support from, representatives from sections, departments and divisions.
Heads of department (or equivalent)
Heads of Department are responsible for ensuring that the processing of personal data in their department conforms to the requirements of data privacy legislation and this policy. In particular, they must ensure that:
- new and existing staff, visitors or third parties associated with the Department who are likely to process personal data are aware of their responsibilities under data privacy legislation. This includes drawing the attention of staff to the requirements of this policy, ensuring that staff who have responsibility for handling personal data are provided with adequate training and, where appropriate, ensuring that job descriptions for members of staff or agreements with relevant third parties reference data privacy responsibilities;
- adequate records of processing activities are kept (for example, by undertaking register exercises);
- data protection requirements are embedded into systems and processes by adopting a ‘privacy by design’ approach and undertaking privacy impact assessments where appropriate;
- privacy notices are provided where data is collected directly from individuals or where data is used in non-standard ways;
- data sharing is conducted in accordance with University guidance;
- requests from the Information Compliance Team for information are complied with promptly;
- data privacy risks are included in the department’s risk management framework and considered by senior management on a regular basis; and
- departmental policies and procedures are adopted where appropriate.
Others processing personal data for a University purpose, e.g. staff, students and volunteers
Anyone who processes personal data for a University purpose is individually responsible for complying with data privacy legislation, this policy and any other policy, guidance, procedures, and/or training introduced by the University to comply with data privacy legislation. For detailed guidance, they should refer to the University’s Guidance on Data Protection and any relevant departmental policies and procedures. In summary, they must ensure that they:
- only use personal data in ways people would expect and for the purposes for which it was collected;
- use a minimum amount of personal data and only hold it for as long as is strictly necessary;
- keep personal data up-to-date;
- keep personal data secure, in accordance with the University’s Information Security Policy;
- do not disclose personal data to unauthorised persons, whether inside or outside the University;
- complete relevant training as required;
- report promptly any suspected breaches of data privacy legislation, in accordance with the procedure in section 6 below, and following any recommended next steps;
- seek advice from the Information Compliance Team where they are unsure how to comply with data privacy legislation; and
- promptly respond to any requests from the Information Compliance Team in connection with subject access and other rights-based requests and complaints (and promptly forward to the Information Compliance Team any such requests that are received directly).