Roles & responsibilities

All staff at the University are responsible for ensuring compliance with data protection legislation. Your specific obligations will depend upon your role in the University and how you work with personal data. 

Current, honorary or affiliate staff

In reference to paper and data storage (e.g. home drive, email etc.)

Responsibilities

You will:

  • Check what personal data you process and store, and make sure that you still have a valid reason for retaining it. If no reason exists, securely destroy it.

So that:

  • You can demonstrate that the personal data you have is secure and you have a justifiable reason to process it under the new legislation.
  • You understand any gaps in compliance between current working practice and the new legislation, and you make realistic short, medium and long term plans to improve, addressing the highest risks first.

Research Principal Investigator

In reference to paper and data storage used for research data

Responsibilities

You will:

  • Check what personal data you process and store to assess what changes apply to your research/ethics processes, and plan what you need to do to be compliant with the requirements of the new legislation.
  • Protect all personal data required by the terms of the funder/contract, and do not delete it while it is still required. (For further advice contact your College Research Support Office.)

So that:

  • You can demonstrate that the personal data you have is secure and you have a justifiable reason to process it under the new legislation.
  • You understand any gaps in compliance between current working practice and the new legislation, and will make realistic short, medium and long term plans to improve, addressing the highest risks first.

School / Institute / Service Directorate

In reference to paper and data storage (e.g. shared drives, and locally managed software applications)

Responsibilities

  • Head of School/Institute/US Directorate is Accountable
  • Head of School/Institute/US Directorate Administration is Responsible (and should nominate staff to maintain their Information Asset Register)

You will:

  • Identify high-risk activity, and complete the Information Asset Register for data-sets you own.

So that:

  • You can demonstrate that the personal data you have is secure and you have a justifiable reason to process it under the new legislation.
  • You understand any gaps in compliance between current working practice and the new legislation, and will make realistic short, medium and long term plans to improve, addressing the highest risks first.

Centrally provided IT applications

In reference to centrally managed databases (e.g. MyCampus, Core HR, Infrastructure etc.)

Responsibilities

  • Service Owner is Accountable (the service owner is in the business unit, e.g. for Finance it is the Director of Finance)
  • Service Manager is Responsible (this is the IT manager for the service, who may be local or in IT Services)

You will:

  • Identify high-risk activity, and complete the Information Asset Register for data-sets in your area.

So that:

  • You can demonstrate that the personal data you have is secure and you have a justifiable reason to process it under the new legislation.
  • You understand any gaps in compliance between current working practice and the new legislation, and will make realistic short, medium and long term plans to improve, addressing the highest risks first.