
o any other contractual obligations on the College or the individual which impose
confidentiality or information management obligations (which may at times exceed
those of College policies with respect to storage or security requirements – e.g. for
funded research).
5. This policy is reviewed by IMC and approved by Governing Body. It is reviewed at least once
every 2 years. The Senior Bursar remains responsible for ensuring appropriate resources are
in place to achieve compliance with data protection law in line with an appropriate overall risk
profile.
Obligations of the College
6. The College upholds data protection law as part of everyday working practices, through:
a) ensuring all personal information (see Annex) is managed appropriately through this
policy;
b) understanding, and applying as necessary, the data protection principles (see Annex)
when processing personal information;
c) understanding, and fulfilling as necessary, the rights given to data subjects (see Annex)
under data protection law;
d) understanding, and implementing as necessary, the College’s accountability obligations
(see Annex) under data protection law; and
e) the publication of data protection statements outlining the details of its personal data
processing in a clear and transparent manner.
7. The College shall appoint a statutory data protection officer, who will be responsible for:
a) monitoring and auditing the College’s compliance with its obligations in data protection
law, especially its overall risk profile, and reporting on such annually to the College;
b) advising the College on all aspects of its compliance with data protection law;
c) acting as the College’s standard point of contact with the Information Commissioner’s
Office with regard to data protection law, including in the case of personal data breaches;
and
d) acting as an available point of contact for complaints from data subjects.
8. The College shall otherwise ensure all members and staff are aware of this policy and any
associated procedures and notes of guidance relating to data protection compliance, provide
training as appropriate, and review regularly its procedures and processes to ensure they are
fit for purpose. It shall also maintain records of its information assets.
9. Individual members and staff are responsible for:
a) completing relevant data protection training, as advised by the College;
b) following relevant College policies, procedures and notes of guidance;
c) only accessing and using personal information as necessary for their contractual duties
and/or other College roles;
d) ensuring personal information they have access to is not disclosed unnecessarily or
inappropriately;
e) where identified, reporting personal data breaches, and co-operating with College
authorities to address them; and