1. Who we are
7. Your rights
SOAS University of London is a Data Controller in respect of your personal data. That means we decide why and how to process your personal data. Our current Data Protection Officer should be your first point of contact for any questions you have relating to our use of your personal data. They can be contacted at firstname.lastname@example.org or 0207 898 4817.
If the Data Protection Officer is unavailable, you can contact the Records Officer by email at email@example.com or 0207 898 4150. To reach us by post, please address correspondence to:
Information Compliance Office, SOAS Library, SOAS University of London, 10 Thornhaugh Street, Russell Square, London WC1H 0XG.
As a trustee of the School, you can expect SOAS to process only the following types of personal data:
- Biographical data (name, date of birth, gender)
- Contact details (home address, personal email, personal telephone number)
- Employment information (employer, position (including directorship), consultancy roles)
- If we require any additional types of personal data from you, we will ask you directly for it and we will always explain why we need it.
We process your personal data for the following specific purposes. We need to have a lawful basis for each of these purposes, and these are described below
- To communicate with you and ensure the effective administration of the Board of Trustees. Communicating with Trustees about the administration and conduct of Board of Trustees meetings and business is in the legitimate interests of SOAS and its Trustees, and maintaining accurate contact addresses are necessary to fulfil this purpose. We are satisfied that this purpose does not impinge on Trustees’ data protection rights and freedoms.
- To maintain a Register of Interests. Collecting contact details and current employment details, including directorships and consultancy positions, is carried out in accordance with our legal obligation to disclose this information to the Charity Commission.
- To carry out Fit and Proper person tests as required by the Office for Students
- Where necessary, to allow third party donors to carry out due diligence checks. Personal data is only disclosed to third party donors for the purpose of carrying out due diligence on Trustees with the Trustee’s consent.
We will only process your Special Category data to ensure the School has appropriate facilities to accommodate your needs. For example, we may need to process information about disabilities, or dietary requirements where these are related to your religious or philosophical beliefs. We process this data in order to comply with a statutory obligation conferred on us by equality law or health and safety law, in accordance with Schedule 1 Part 2 of the Data Protection Act 2018.
We process Criminal Offence data to the extent that this might arise in Fit and Proper person checks, or other due diligence undertakings. We process this data in order to protect the public from dishonesty in accordance with the condition in Schedule 1 Part 2 Paragraph 11 of the Data Protection Act 2018.
When you correspond with officers of the School by email, your correspondence and email address will be stored by Google. Google provide SOAS’s email service (Gmail), which is hosted in the cloud. The data is stored by Google in servers based in the United States. SOAS has entered into a Data Processing Agreement with Google to ensure that all personal data is secure, and that individuals can exercise their rights under the law and have access to effective legal remedies. With regards US data transfers, Google is signed up to Privacy Shield, the EU-US framework for transferring personal data between the US and EEA territories.
We will share with the Charity Commission personal data collected from you in the Register of Interests form once a year.
With your consent, we will share your personal data with third party donors for the purpose of conducting due diligence checks
We will otherwise only share your data if we are legally obliged to do so (e.g. by a court order).
Sharing personal data outside the EEA is known as a ‘restricted transfer’. We will only make a restricted transfer in circumstances where our data processor is covered by an existing framework agreement between the EU and a third country, such as Privacy Shield, or under the European Commission’s Standard Contractual Clauses.
Any other transfer of personal data outside the EEA would only occur if the following safeguards are met:
- The party receiving the personal data is based in a country with an Adequacy Decision from the European Commission, meaning the country’s laws provide a level of data protection at least equivalent to the protection offered by EU law.
- The data is transferred under the terms of a legally binding and enforceable instrument with another public authority.
Or in accordance with exceptions which allow occasional transfers of data to take place
- With your explicit consent
- Where it is justified for important reasons of public interest
- To establish, exercise or defend legal claims
- Where it is in your vital interests, and you are unable to give consent
You have the following rights over personal data processed by SOAS:
- Right to access a copy of your personal data (see webpage Requesting access to personal data for guidance)
- Right to correct your data
- Right to ask us to restrict processing of your data
- Right to erasure
- Right to ask us to transfer your data to another iT environment
- Right to object to our processing of your data
To enquire about your rights as a data subject, please contact our Data Protection Officer at firstname.lastname@example.org or phone 020 7898 4817.
If you think SOAS is processing your data unlawfully, you have the right to lodge a complaint with the Information Commissioner’s Office, at http://www.ico.org.uk
We will review this notice on an annual basis, and will make updates as necessary to reflect any changes to the type of personal data that we process and/or the way in which it is processed. The most recent version of this notice can always be found at the following page of the SOAS website: https://www.soas.ac.uk/infocomp/dpa/privacy-notices/trustees-privacy-notice/