The General Data Protection Regulation (GDPR) and the Data Protection Act (2018) provide the legislative framework for data protection in the UK. Further details can be found under ‘Definitions’ below. This Policy will generally refer to data protection law, unless referring to a specific article or section of the GDPR or DPA (2018).
SOAS needs to collect and work with certain types of personal information about the people with whom it deals, such as current, past and prospective students, employees, and those with whom it communicates. This information is collected for administrative purposes (such as staff recruitment and the administration of programmes of study) and to fulfil legal obligations to funding bodies and the government.
Data Protection law requires that this personal data should be processed lawfully, stored safely and not disclosed to any other person or body unless it is necessary to fulfil a contract, meet a legal obligation, or you have asked us to. SOAS is committed to protecting the rights and privacy of individuals in accordance with the requirements of the law. This document outlines SOAS's policy in relation to the current law.
SOAS's Data Protection Policy applies to all students and staff of SOAS. Any breach of the policy may result in SOAS, as the registered Data Controller, being liable in law for the consequences of the breach. In addition, breach of SOAS's Data Protection Policy by staff or students will be considered a disciplinary offence and will be dealt with according to SOAS's disciplinary procedures. Any member of staff or student who considers that the policy has not been followed with respect to Personal Data about themselves should raise the matter with their Head of Department, line manager or SOAS's Information Compliance Manager.
This policy applies to all Personal Data for which SOAS is responsible, regardless of the format in which it is held (paper or electronic data, including but not limited to emails, photographs, video, CCTV and sound recordings).
Outside agencies and individuals who work with SOAS, and who have access to Personal Data for which SOAS is responsible, will be expected to comply with this policy and with data protection law.
SOAS will comply with data protection law and adhere to the six Data Protection Principles as described below.
1. Personal data shall be processed lawfully, fairly and transparently (lawfulness, fairness and transparency)
SOAS will ensure that data is obtained lawfully by ensuring we have a valid lawful basis (or reason) for processing personal data. We will tell each type of Data Subject why we process their information in privacy notices, which we will publish on this website. To make it absolutely clear what we are doing with your data, the notice will provide specific information about what data we are collecting, why we are collecting it and the purpose(s) for which it will be used. The notice will also provide more information about how long the data will be kept, our reason for processing and any third parties to whom the data will be disclosed, including instances in which Personal Data might be transferred outside the European Economic Area.
For Processing non-Sensitive Personal Data to be lawful, SOAS must identify an appropriate condition under Article 6 of the General Data Protection Regulation (GDPR):
- The Data Subject has given their consent to the Processing.
- The Processing is necessary for the performance of a contract with the Data Subject, or for taking steps with a view towards entering into a contract.
- The Processing is required under a legal obligation other than a contract.
- The Processing is necessary to protect the Vital Interests of the Data Subject.
- The Processing is necessary for the performance of a task carried out in the public interest or in the exercise of the Controller’s official authority, including the exercise of functions under an enactment or rule of law.
- The Processing is necessary to pursue the legitimate interests of SOAS or of third parties, and where our interests are not overridden by the rights, freedoms or legitimate interests of the Data Subject.
To process Sensitive Information, SOAS needs to meet an additional condition under Article 9 of the GDPR. We will only process Sensitive Information if at least one of the following conditions is met:
- The Data Subject has given their explicit consent.
- The Processing is required by law in connection with employment, social security or social protection law.
- The Processing is necessary to protect the vital interests of the Data Subject or another person.
- The Processing is necessary for legal proceedings, obtaining legal advice, or establishing or defending legal rights.
- The Processing is required for the exercise of functions under an enactment.
- The Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, or medical diagnosis, subject to appropriate safeguards.
- The Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
- The Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR.
This list leaves out some conditions relating to the Processing of Sensitive Information which are unlikely to be relevant to SOAS. If you are not sure whether there is a valid condition for Processing Sensitive Information please ask the Information Compliance Manager.
Sensitive Information listed under points 2, 6, and 8 can only be processed if a further condition relating to employment and social care, health, or research under the UK Data Protection Act (DPA) 2018 is met. Data listed under point 7 can only be processed if a condition relating to substantial public interest in the DPA 2018 is met.
Sensitive Information relating to racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life, and sexual orientation must also be processed in accordance with the Respect @ SOAS Policy.
Processing of Criminal Convictions Data is treated separately from Sensitive Information under data protection law. For SOAS’s purposes, the processing of such data is only valid if it meets a condition in Parts 1, 2 or 3 of Schedule 1 of the DPA 2018. In short, these conditions relate to employment, health and research (particularly employment law, social protection law and use in scientific or historical research); processing in the substantial public interest (for instance in the prevention and detection of unlawful acts and equality of opportunity or treatment); or other conditions specific to Criminal Convictions Data (consent, public availability, or where it is necessary to defend or establish legal claims).
Information about how SOAS processes data relating to its students, staff, applicants to courses or jobs, alumni, and members of the wider SOAS community is contained in our privacy notices on the SOAS website.
2. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation)
SOAS will ensure that Personal Data which is obtained for a specified purpose is not used for a different purpose. For instance, data collected from you for the purpose of administering your degree will not then be used to send you marketing information without your consent. Further processing may be permitted for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes and, in accordance with Article 89(1), shall not be considered incompatible with the initial purposes.
3. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purpose or purposes for which they are processed (data minimisation)
SOAS will ensure that it collects only the minimum Personal Data necessary for the purpose or purposes specified and will not collect or hold data on the basis that it might be useful in the future. SOAS may use techniques such as pseudonymisation to ensure that, where appropriate, personal information is separated from other information about an individual.
4. Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (accuracy)
SOAS will take reasonable steps to ensure the accuracy of Personal Data which it holds, and will take steps to amend, update, correct or remove inaccurate data when requested to do so by a Data Subject. Data will be inaccurate where it is incorrect or misleading as to any matters of fact.
SOAS has, where possible, put in place portals which allow Data Subjects to update their own details as necessary, such as MyView for staff. Where such systems are available, Data Subjects are expected to keep their personal data up to date.
5. Personal Data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation)
SOAS will ensure that Personal Data is not kept for longer than is required for the purpose or purposes for which the data was gathered. Staff must ensure that Personal Data is securely destroyed once the purpose or purposes for Processing have come to an end and there is no legal requirement or valid operational reason for keeping it.
SOAS may retain certain data indefinitely for research purposes (including archiving in the public interest, historical or statistical purposes) as permitted under the GDPR Article 89(1) (see separate guidance on the use of Personal Data in research on the website here: https://www.soas.ac.uk/infocomp/dpa/dparesearch/).
6. Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)
Personal Data will be safeguarded in accordance with SOAS’s IT Security Policy (section B3 of the IT Policy), on the website here: https://www.soas.ac.uk/it/policies/itpolicy/
All staff must immediately report any incident, or potential incident, likely to result in unauthorised disclosure, damage, destruction, alteration or loss of Personal Data directly to the Information Compliance Manager within the Governance and Legal Services Directorate. SOAS has a statutory responsibility to inform the Information Commissioner’s Office within 72 hours of becoming aware of any data breach which affects the rights and freedoms of individuals. Our breach reporting procedure is on the website here: https://www.soas.ac.uk/infocomp/dpa/databreaches/
SOAS’s standard contractual clauses on data protection must be used in any circumstances where Personal Data is to be processed by a service provider or other third party on behalf of SOAS. Please contact the Information Compliance Manager for advice.
The Information Compliance Manager must be consulted in the early stages of any project or proposed change to a business process that has implications for the Processing of Personal Data. If the introduction of or change to a system or service poses a high risk to the rights of data subjects, the Department or Directorate initiating the project will work with the Information Compliance Manager on a Data Protection Impact Assessment (DPIA) in accordance with Article 35 of GDPR. For guidance on completing a DPIA, please visit: https://www.soas.ac.uk/infocomp/dpa/dpia/
SOAS will provide guidance, support and training on safeguarding Personal Data to all SOAS staff, including those acting for or on behalf of SOAS.
7. The controller shall be responsible for, and be able to demonstrate compliance with, the other six data protection principles (‘accountability’).
Sometimes referred to as the seventh principle, the requirement for accountability is new to the current data protection law, and SOAS will need to demonstrate compliance with each of the other six data protection principles. SOAS will provide evidence of our lawful processing by the following methods:
1. Demonstrating lawful processing and transparency through privacy notices and a Record of Processing Activity document.
2. When collecting data by consent, SOAS will ensure individuals can make informed and explicit choices about how their data will be used, by providing a selection of clearly explained opt-in options.
3. Clearly indicating on forms used in data collection exercises which fields are mandatory, and which are optional. Where appropriate we will employ pseudonymisation techniques to separate personal identifiers from other data.
4. Publishing clear instructions to Data Subjects on how to update their Personal Data, and how to check the accuracy of the Personal Data we hold.
5. Monitoring compliance with the SOAS Retention Schedule, and reviewing the retention policy regularly.
6. Ensuring data protection training is embedded in the Staff Development programme, that SOAS systems are secure, and that we have an effective procedure for responding to data breaches.
Under data protection law individuals have certain rights in relation to their personal data. SOAS will ensure that we comply with requests made under these rights within one month of being asked, although if the request is very large we may ask for a little more time (up to a maximum of two further months). These rights are:
1. The right to be informed: If you have supplied us with Personal Data directly, you have the right to be told who we are, why we are processing your data, our lawful basis for doing so, whether we share the information with third parties, and if so who those third parties are, how long we hold onto the data for, and whether we transfer any of your data outside of the European Economic Area. We will tell you all this at the time we collect your data.
If your Personal Data has been given to us by a third party, we will tell you who those sources are, and we will tell you the categories of Personal Data we are processing. This information will be given to you within one month of us receiving it, unless there is an exception under law, or it would be detrimental to the objective of the processing. Take a look at our Privacy Notices which contain this type of information for different groups of individuals at SOAS.
2. The right to access data we hold about you (“right of access”): You have the right to request a copy of the information we hold about you to check that we are processing your data lawfully. There are some exceptions to this right, which are listed on our page ‘Making a request for your information’.
3. The right to correct data we hold about you (“right to rectification”): If you find that any of the data we hold about you is factually incorrect, you can change it yourself (if you have access to a self-service system) or ask us to change it for you.
4. The right to ask us to restrict the processing of your data (“right to restrict processing”): If you have challenged our processing or feel that we have inaccurate data which could affect your rights, you can ask us to restrict processing (we will continue to hold the data so that we can flag it as restricted, but will not use it) while we resolve the issue.
5. The right to request erasure of your data, or withdraw consent from direct marketing (“right to erasure”): If you withdraw your consent and want us to forget you, or we have finished processing your data under contract or for our operational needs and no longer need it, you can ask us to erase it.
6. The right to request a copy of the data you provide us with in machine-readable format, or to request that we transfer a copy of the data to another IT environment (“right to portability”): If you have supplied us with automated data by consent or under contract, you can request a copy of the data in an open, machine-readable format which would allow it to be transferred directly into another IT environment, or you can ask us to transfer it directly.
7. The right to object to processing of your data, or withdraw consent from direct marketing (“right to object”): You can object to our processing of your personal data for any reason relating to your situation. If we are processing your data because it is in our legitimate interests or we are doing so in our official authority as a public body, we will consider whether your rights and interests override the School's interests.
8. The right to be informed of any automated processing or profiling which takes place at SOAS (“rights related to automated decision-making including profiling”): We will let you know if any of your personal data is subject to automated profiling. If it is you can request a review of the process and decision making by a human. You can also request regular audits of the information processed.
The right to be informed, to request access to your data, to correct your data, and to be informed of automated processing which might affect you are absolute rights, and are always available to Data Subjects.
The rights of restriction, erasure, portability and objection are not always available, and depend on SOAS’s reason for processing your data. The specific reason we give to justify our processing of your Personal Data will be stated in the privacy notice which applies to you.
SOAS is a Data Controller under data protection law. We are regulated by the ICO, which is the UK’s supervisory authority. The ICO has the power of enforcement and inspection, and can penalise organisations liable for data processing (whether as Controllers or Processors) for contraventions of the law.
SOAS’s Information Management Steering Group has oversight of planning and policy development matters in relation to information compliance, including data protection. The Chair of the Group is the Clerk to the Board of Trustees.
The Information Compliance Manager (reporting to the Director of Governance and Legal Services and Clerk to the Board of Trustees) is the School’s designated Data Protection Officer.
Any changes to data protection governance or the identity and contact details of the Data Protection Officer will be updated in this policy statement.
The role of the Data Protection Officer consists of at least the following tasks:
1. to inform and advise SOAS and its employees who carry out processing of their obligations under data protection law;
2. to monitor compliance with the GDPR, with the policies of SOAS in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
3. to provide advice where requested with regard to the Data Protection Impact Assessment and to monitor its performance under Article 35 of GDPR;
4. to cooperate with the Information Commissioner’s Office (ICO);
5. to act as the contact point for the ICO on issues relating to processing, including the prior consultation referred to in Article 36 of GDPR relating to high risk processing, and to consult, where appropriate, on any other matter.
When Processing Personal Data, SOAS staff must ensure they abide by the law, this policy and any related policies. Staff who are uncertain as to whether their Processing of Personal Data meets these requirements should refer any queries to their Head of Department or line manager in the first instance. All new staff are required to attend the mandatory Information Compliance Overview training, which covers data protection. Existing staff should also attend the training if they have not done so before or require a refresher. Requests can be made to the Staff Development team at firstname.lastname@example.org
Heads of Department and managers of administrative departments are responsible for ensuring that the Processing of Personal Data in their department conforms to the requirements of the law and this policy. In particular, they should ensure that new and existing staff who are likely to process Personal Data are aware of their responsibilities under data protection law. This includes drawing the attention of staff to the requirements of this policy, and ensuring that staff who have responsibility for handling Personal Data are provided with adequate training, such as the mandatory Information Compliance training.
Managers must also see that correct information and records management procedures are followed in their departments. This includes establishing internal procedures for complying with the retention schedule to ensure that Personal Data is not kept for longer than it is needed, and ensuring information security measures (such as encrypted files/devices, locked storage, clear desk policies) are appropriate for the sensitivity of data processed.
SOAS is not responsible for any Processing of Personal Data by staff which is not related to their employment with SOAS, even if the Processing is carried out using SOAS equipment and facilities. Staff are personally responsible for complying with the GDPR with regards to data for which they are the Data Controller.
This policy was originally approved by SOAS’s Information Strategy Committee on 22 February 2005.
This policy was reviewed and approved by Executive Board on 14 May 2018.
This policy will be reviewed every two years or sooner if considered appropriate by the Director of Governance and Legal Services and Clerk to the Board of Trustees.
Questions about this policy and data protection issues should be directed to SOAS’s Information Compliance Manager at the following address:
Information Compliance Manager
Governance and Legal Services Directorate
SOAS, University of London
London WC1H 0XG
Telephone: +44 (0)20 7898 4817
Data Controller: a person or organisation who makes decisions in regard to Personal Data, including decisions regarding the purposes for which and the manner in which Personal Data may be processed.
Data Processor: A person or organisation who processes personal data under explicit instructions from the Data Controller. Under new legislation the Data Processor can now be found liable for damage where it has not performed its specific obligations under the law or under the lawful instructions of the Data Controller.
General Data Protection Regulation: A Regulation which harmonises data protection law across all EU member states. The Regulation provides enhanced safeguards for individuals’ personal data, particularly in new standards of consent, transparency and accountability requirements, increased Data Subject rights, and stronger penalties for non-compliance.
Data Protection Act (2018): The Data Protection Act is the UK’s data protection law, which makes provisions for certain types of data processing which the GDPR leaves for member states to decide upon. The most significant derogations are in the areas of law enforcement and national security, and the Act also provides exemptions for processing in certain situations.
Data Protection Principles: a set of statutory requirements, which all Data Controllers are obliged to adhere to. The Principles balance the legitimate need for organisations such as SOAS to process Personal Data against the need to protect the privacy rights of the Data Subject.
Data Subject: an individual who is the subject of Personal Data.
Information Commissioner: the regulator appointed by the Crown to promote public access to official information and protect personal information. Compliance with data protection law is enforced by the Information Commissioner.
Personal Data: information relating to an identified or identifiable living individual. An identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
Processing: any operation on Personal Data, including obtaining, recording, holding, organising, structuring, storing, adapting or altering, retrieving, consulting, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, and destroying the data.
Pseudonymisation: A security technique which involves replacing information which might identify a person, on its own or in combination with other available sources, with a randomly generated identifier (a pseudonym). The link between the random identifier and the personal data is held only by the data owner, separately from the pseudonymised data. This technique, properly applied, assists compliance with the third and sixth principles. It may also allow the Controller to undertake further processing without consent under certain circumstances.
Sensitive Information: Called Special Category Data in the GDPR, this is information relating to racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health (including disabilities), sexual life, sexual orientation, and biometric and genetic data where it could lead to the identification of the Data Subject.
Criminal Convictions Data: The GDPR sets data relating to criminal convictions under a separate section (Article 10) to Special Category Data, and derogates the details to the Data Protection Act (2018). The DPA specifies that this data relates to: the alleged commission of offences by the Data Subject, proceedings for an offence committed or alleged to have been committed by the Data Subject, or the outcome of proceedings, including sentencing.
Subject Access Request: a request from an individual, under Article 15 of the GDPR, for access to their Personal Data for the purpose of checking SOAS is processing their data lawfully, and that the data we hold is accurate.
Vital Interests: relating to life and death situations, e.g. the disclosure of a Data Subject’s medical details to a paramedic after a serious accident.