What is the data protection policy?

Roehampton University processes information about its staff, students and other individuals for a variety of purposes. When processing information, the University is committed to protecting the rights and privacy of students, staff and others in compliance with the Data Protection Act 1998 [the „Act‟] and related legislation. This Policy sets out the principles that will apply in meeting this commitment. The accompanying Guidelines on Personal Data provide detail on the application and implementation of the Policy.

Data Controller

The University as a body corporate is the data controller under the Act.

Application of Policy

The Policy and the Data Protection Principles apply to all staff, students and agents of the University, including those who process personal data off-site.

All personal data collected, held and processed on computer, on-line as well as in structured manual files is subject to this Policy and to the Data Protection Principles. Examples of the purposes for which data is processed by the University include but are not limited to: recruiting and paying staff, administering programmes of study, recording progress, calculating and approving awards, collecting fees, and complying with legal obligations to funding bodies and government

Notification1

Notification is the responsibility of the University Secretary and Registrar and the Data Protection Officer. Details of the University's notification are published on the Information Commissioner's website. Anyone who is, or intends, processing data for purposes not included in the University's Notification must seek advice from the Data Protection Officer.

Compliance with Policy

The Vice-Chancellor‟s senior management group, Heads of Departments, Directors and others in managerial or supervisory roles, are responsible for ensuring adherence to this Policy.

A breach of the Act or of this Policy may constitute a disciplinary offence for either staff or students and trigger the application of the relevant disciplinary procedures. A breach of the Act may also constitute a criminal offence. Other agencies and individuals working with the University, and who have access to personal information processed by the University, must also comply with this Policy.                                                Departments and academic units that interact with external agencies are responsible for ensuring that such agencies agree to abide by this policy.

Notification is the process by which a data controller informs the Information Commissioner of certain details about their processing of personal information. These details are used by the Information Commissioner to make an entry describing the processing in the register of data controllers that is available to the public for inspection. Notification is a statutory requirement and every organisation that processes personal information must notify the Information Commissioner‟s Office (ICO), unless they are exempt. Failure to notify is a criminal offence.