Data Protection Policy: General Responsibilities of SOAS Staff
SOAS as a corporate body is a data controller under the Data Protection Act. SOAS's Information and Internal Communications Committee has oversight of planning and policy development matters in the area of information compliance, including Data Protection. An Information Compliance Manager (reporting to the Deputy Secretary) deals with day-to-day Data Protection matters, such as subject access requests (see Access to data), and is a point of contact for issues relating to Data Protection (see Data Protection contacts).
When processing personal data, SOAS staff must ensure that they abide by the Data Protection Act, this policy and any related policies (see Related guidelines and policies). SOAS must only process personal data in accordance with its registration with the Information Commissioner. The registration defines, in a very general way, the purposes for which SOAS processes personal data and related information (see Data Protection Act Overview), and is available on the Information Commissioner's website as part of the Register of Data Controllers. In practice, most routine uses of personal data will be covered by SOAS's registration and will be legitimate from a Data Protection standpoint. However, this will not necessarily be the case where changes are introduced to the way in which data are processed - such as using the data for a purpose for which the data have not previously been used, or transferring the data to a new source.
Before such changes are introduced, staff should check to ensure that the proposed changes will be in accordance with SOAS's registration with the Information Commissioner, and will comply with the Data Protection Act and this Policy. Staff who are uncertain as to whether their processing of data meets these requirements should refer any queries to their head of department or line manager in the first instance. Staff should also ensure that any personal information for which they are responsible is accurate and up to date, including information which SOAS holds about themselves (e.g. their home address), and that data for which they are responsible are kept secure and are not disclosed to unauthorised parties (see Security of Data).
Data should only be transferred internally within SOAS when there is a genuine business need to do so. Staff who receive transferred data are equally responsible for ensuring that the data are processed in accordance with this policy and SOAS's obligations under the Data Protection Act. It is important that internally transferred data should continue to be used for purposes which are consistent with the purposes which applied when the data were gathered, to avoid violation of the second Data Protection Principle (see Data Protection Act Overview). Particular care should be taken when disclosing personal data to parties outside the School (see Disclosure of Data).
Heads of Department and managers of administrative departments are responsible for ensuring that the processing of personal data in their department conforms to the requirements of the Data Protection Act and this policy. In particular, they should ensure that new and existing staff who are likely to process personal data are aware of their responsibilities under the Act. This includes drawing the attention of staff to the requirements of this policy, and ensuring that staff who have responsibility for handling personal data are provided with adequate training.
Managers must also see that correct information and records management procedures are followed in their departments (see Records Management). This includes establishing retention periods to ensure that personal data are not kept for longer than is required (see Retaining Data).
Staff should also note that SOAS is not responsible for any processing of personal data by them which is not related to their employment with SOAS, even if the processing is carried out using SOAS's equipment and facilities. Staff are personally responsible for complying with the Data Protection Act in regard to data for which they are the data controller.
Last updated December 2007