SOAS needs to collect certain types of personal information about the people with whom it deals, such as current, past and prospective students, employees, and those with whom it communicates. This information has to be collected for administrative purposes (such as staff recruitment and the administration of programmes of study) and to fulfill legal obligations to funding bodies and the government.
The Data Protection Act 1998 (DPA) requires that this information should be processed fairly, stored safely and not disclosed to any other person unlawfully. SOAS is committed to protecting the rights and privacy of individuals in accordance with the requirements of the DPA. This document outlines SOAS's policy in relation to the DPA.
SOAS's Data Protection Policy applies to all students and staff of SOAS. Any breach of the policy may result in SOAS, as the registered Data Controller, being liable in law for the consequences of the breach. Legal liability may also extend to the individual Processing the data and his/her Head of Department or line manager under certain circumstances. In addition, breach of SOAS's Data Protection Policy by staff or students will be considered to be a disciplinary offence and will be dealt with according to SOAS's disciplinary procedures. Any member of staff or student who considers that the policy has not been followed with respect to Personal Data about themselves should raise the matter with their Head of Department, line manager or SOAS's Information Compliance Manager.
This policy applies to all Personal Data for which SOAS is responsible, regardless of the format (paper or electronic data, including emails, photographs, video, CCTV and sound recordings).
Outside agencies and individuals who work with SOAS, and who have access to personal information for which SOAS is responsible, will be expected to comply with this policy and with the DPA.
SOAS will comply with the DPA and adhere to the eight Data Protection Principles as described below.
- Personal data shall be processed fairly and lawfully
SOAS will ensure that data is obtained fairly by making reasonable efforts to ensure that Data Subjects are told who the Data Controller is, what the data will be used for, how long the data will be kept and any third parties to whom the data will be disclosed. This will be in the form of a privacy statement or data collection notice.
In order for Processing to be lawful, data (which is not Sensitive Personal Data) will only be processed by SOAS if at least one of the following conditions, set down in Schedule 2 of the DPA, has been met:
- The Data Subject has given his/her consent to the Processing.
- The Processing is necessary for the performance of a contract with the Data Subject, or for taking steps with a view towards entering into a contract.
- The Processing is required under a legal obligation other than a contract.
- The Processing is necessary to protect the Vital Interests of the Data Subject.
- The Processing is necessary for the administration of justice, the exercise of functions under an enactment, the exercise of functions of the Crown or a government department, or any other functions of a public nature exercised in the public interest.
- The Processing is necessary to pursue the legitimate interests of SOAS or of third parties, and does not prejudice the rights, freedoms or legitimate interests of the Data Subject.
Processing of Sensitive Personal Data is subject to more stringent restrictions under Schedule 3 of the DPA. Processing of Sensitive Personal Data will only be carried out by SOAS if at least one of the above conditions, applicable to non-sensitive data, has been met and one of the following Schedule 3 conditions can also be met:
- The Data Subject has given his/her explicit consent.
- The Processing is required by law in connection with employment.
- The Processing is necessary to protect the vital interests of the Data Subject or another person.
- The information has been made public by the Data Subject.
- The Processing is necessary for legal proceedings, obtaining legal advice, or establishing or defending legal rights.
- The Processing is required for the administration of justice, the exercise of functions under an enactment, or the exercise of functions of the Crown or a government department.
- The Processing is necessary for medical purposes, and is carried out by a health professional or a person with an equivalent duty of confidentiality.
- The Processing is necessary to trace equality of opportunity between people of different racial or ethnic backgrounds, different religious beliefs, or different states of physical or mental health.
- The Processing is in the substantial public interest; is necessary for the functions of a confidential counselling, advice, support or other service; and consent cannot be given by the Data Subject, SOAS cannot reasonably be expected to obtain the explicit consent of the Data Subject, or the Processing must necessarily be carried out without consent so as not to prejudice the provision of that counselling, advice, support or other service.
- The Processing is in the substantial public interest, and is necessary for research purposes; provided that the Processing will not support measures or decisions with regard to individuals, and will not cause substantial damage or distress to the data subject or any other person.
This list omits some conditions relating to the Processing of Sensitive Personal Data which are unlikely to be relevant to SOAS. Any uncertainty over whether there is a valid condition for Processing Sensitive Personal Data should be raised with the Information Compliance Manager.
Sensitive Personal Data relating to racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, and sexual life must also be processed in accordance with the Dignity at SOAS Policy.
Information about how SOAS processes data relating to its students is contained in the Student Data Protection Statement on the SOAS website. This explains to students what Personal Data SOAS collects about them; how their information will be used by SOAS while they are a student and after they cease to be a student; what external agencies may receive their data; and what their rights and responsibilities are in regard to their data.
- Personal data shall be obtained only for a specified and lawful purpose or purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes
SOAS will ensure that Personal Data which is obtained for a specified purpose is not used for a different purpose, unless that use is done with the consent of the Data Subject, is covered by SOAS’s registration with the Information Commissioner, or is otherwise permitted under the DPA.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
SOAS will ensure that it collects only the minimum Personal Data necessary for the purpose or purposes specified and will not collect or hold data on the basis that it might be useful in the future.
- Personal data shall be accurate and, where necessary, kept up to date
SOAS will take reasonable steps to ensure the accuracy of Personal Data which it holds, and will take steps to amend, update or correct inaccurate data when requested to do so by a Data Subject. Data will be inaccurate where it is incorrect or misleading as to any matters of fact.
- Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose
SOAS will ensure that Personal Data is not kept for longer than is required by the purpose or purposes for which the data was gathered. Staff must ensure that Personal Data is securely destroyed once the purpose or purposes for Processing has come to an end and there is no legal requirement or valid operational reason for its continued retention.
SOAS may retain certain data indefinitely for research purposes (including historical or statistical purposes) as permitted under the DPA (see separate guidance on the use of Personal Data in research).
- Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act
These rights are to:
- Gain access to their data via a subject access request.
- Prevent the Processing of data which is likely to cause them substantial damage or substantial distress.
- ‘Opt out’ of having their data used for direct marketing at any time.
- Have automated decisions reconsidered.
- Seek compensation for substantial damage or distress caused by their data not being processed in accordance with the DPA.
- Request the rectification, blocking, erasure or destruction of inaccurate data.
- Appropriate technical and organisational measures shall be taken to prevent the unauthorised or unlawful processing of personal data and the accidental loss, destruction of, or damage to, personal data
Personal Data will be safeguarded in accordance with SOAS’s Information Security Policy.
All staff must report any incident, or potential incident, likely to result in unauthorised disclosure, damage, destruction or loss of Personal Data directly to the Information Compliance Manager within the Deputy Secretary Directorate.
SOAS’s standard contractual clauses on data protection must be used in any circumstances where Personal Data is to be processed by a service provider or other third party on behalf of SOAS.
The Information Compliance Manager must be consulted in the early stages of any project or proposed change to a business process that has implications for the Processing of Personal Data.
SOAS will provide guidance, support and training on safeguarding Personal Data to all SOAS staff, including those acting for or on behalf of SOAS.
- Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data
SOAS will comply with the restrictions in the DPA on the transfer of Personal Data outside the European Economic Area. The Information Compliance Manager within the Deputy Secretary Directorate must be consulted in advance of any such transfers being undertaken or agreed.
SOAS as a corporate body is a Data Controller under the DPA and is required to notify the Information Commissioner of its Processing of Personal Data. A public register of Data Controllers and the type of data they process is available on the Information Commissioner’s website.
SOAS’s Information Strategy Committee has oversight of planning and policy development matters in the area of information compliance, including data protection.
The Information Compliance Manager (reporting to the Deputy Secretary) deals with day-to-day data protection matters, such as subject access requests, and is a point of contact for issues relating to data protection. The Information Compliance Manager is responsible for producing guidance on good data protection practice and promoting compliance across SOAS. Guidance on the procedures necessary to comply with this policy will be available on the SOAS website and/or intranet site. Each term, the Information Compliance Manager will present a training session on information compliance, including data protection. The Information Compliance Manager will also provide tailored training to smaller groups upon request or where a need has been identified.
When Processing Personal Data, SOAS staff must ensure they abide by the DPA, this policy and any related policies. Staff who are uncertain as to whether their Processing of Personal Data meets these requirements should refer any queries to their Head of Department or line manager in the first instance. All new staff are required to attend the Information Compliance training, which covers data protection. Existing staff should also attend the training if they have not done so before or require a refresher.
Heads of Department and managers of administrative departments are responsible for ensuring that the Processing of Personal Data in their department conforms to the requirements of the DPA and this policy. In particular, they should ensure that new and existing staff who are likely to process Personal Data are aware of their responsibilities under the Act. This includes drawing the attention of staff to the requirements of this policy, and ensuring that staff who have responsibility for handling Personal Data are provided with adequate training.
Managers must also see that correct information and records management procedures are followed in their departments. This includes establishing retention periods to ensure that Personal Data is not kept for longer than is required.
SOAS is not responsible for any Processing of Personal Data by staff which is not related to their employment with SOAS, even if the Processing is carried out using SOAS equipment and facilities. Staff are personally responsible for complying with the DPA in regard to data for which they are the Data Controller.
This policy was originally approved by SOAS’s Information Strategy Committee on 22 February 2005.
This policy was reviewed and updated on 23 May 2014.
This policy will be reviewed every two years or sooner if considered appropriate by the Deputy Secretary.
Questions about this policy and data protection issues should be directed to SOAS’s Information Compliance Manager at the following address:
Information Compliance Manager
Deputy Secretary Directorate
SOAS, University of London
London WC1H 0XG
- Data Controller: a person or organisation who makes decisions in regard to Personal Data, including decisions regarding the purposes for which and the manner in which Personal Data may be processed.
- Data Protection Act (DPA): the Data Protection Act 1998, together with all secondary legislation made under it. The DPA governs the way in which Data Controllers such as SOAS can process an individual’s Personal Data. It also gives individuals certain rights regarding the information that is held about them and obliges SOAS to respond to any requests from an individual to access their own Personal Data.
- Data Protection Principles: a set of statutory requirements, which all Data Controllers are obliged to adhere to. The Principles balance the legitimate need for organisations such as SOAS to process Personal Data against the need to protect the privacy rights of the Data Subject.
- Data Subject: an individual who is the subject of Personal Data.
- Information Commissioner: the regulator appointed by the Crown to promote public access to official information and protect personal information. Compliance with the DPA is enforced by the Information Commissioner.
- Personal Data: information relating to a living individual who can be identified from the data, or from the data and other information which is in the posession of (or likely to come into the posession of) SOAS. Personal data include information such as an individual's name, home address, educational background, images and photographs (including CCTV footage), expressions of opinion about the individual, and the intentions of SOAS in regard to the individual.
- Processing: any operation on Personal Data, including obtaining, recording, holding, organising, adapting, combining, altering, retrieving, consulting, disclosing, disseminating, deleting, destroying and otherwise using the data.
- Sensitive Personal Data: Personal Data relating to racial or ethnic origins, political opinions, religious beliefs, trade union membership, physical or mental health (including disabilities), sexual life, the commission or alleged commission of offences, and criminal proceedings.
- Subject Access Request: a request from an individual, under section seven of the DPA, for access to their Personal Data.
- Vital Interests: relating to life and death situations, eg the disclosure of a Data Subject’s medical details to a paramedic after a serious accident.