Roles and responsibilities

Introduction: roles and responsibilities

The paragraphs below set out the roles and responsibilities of all Heriot-Watt University staff in relation to compliance with the Data Protection Policy and information security.

All staff and users of University information

All users of University information are responsible for:

  • Completing relevant training and awareness activities provided by the University to support compliance with the HWU Data Protection Policy;
  • Taking all necessary steps to ensure that no breaches of information security result from their actions;
  • Reporting all suspected information security breaches or incidents promptly to IShelp so that appropriate action can be taken to minimise harm;
  • Informing the University of any changes to the information that they have provided to the University in connection with their employment or studies, for instance changes of address or bank details.

The Principal and Vice-Chancellor

As the Chief Executive Officer of the University, the Principal and Vice-Chancellor has ultimate accountability for the University's compliance with data protection law.

The Secretary of the University

The role holder has senior management accountability for information governance and for ensuring that the Data Protection Officer is given sufficient autonomy and resources to carry out their tasks effectively.

The Global Director of Governance and Legal Services

This post has senior management responsibility for information governance within the University.

The Head of Information Governance, as Data Protection Officer

Responsible for:

  • Informing and advising senior managers and all members of the University community of their obligations under data protection law;
  • Promoting a culture of data protection, e.g. through training and awareness activities;
  • Reviewing and recommending policies, procedures, standards, and controls to maintain and demonstrate compliance with data protection law and embed privacy by design and default across the University;
  • Advising on data protection impact assessment and monitoring its performance;
  • Monitoring and reporting on compliance to the University Executive, the Audit and Risk Committee and other relevant committees and boards;
  • Maintaining Records of Processing Activities;
  • Providing a point of contact for data subjects with regard to all issues related to their rights under data protection law;
  • Investigating personal data breaches, recommending actions to reduce their impact and likelihood of recurrence;
  • Acting as the contact point for and cooperating with the Information Commissioner’s Office on issues relating to processing.

All Chief Operating Officers; Chief Executives of Global Research Institutes; Executive Deans, Global Directors and Heads of Professional Services

Responsible for:

  • Assigning generic and specific responsibilities for data protection management;
  • Managing access rights for information assets and systems to ensure that staff, contractors and agents have access only to such personal data as necessary for them to fulfil their duties;
  • Ensuring that all staff in their areas of responsibility undertake relevant training provided by the University and are aware of their responsibilities for data protection;
  • Ensuring that staff responsible for any locally managed IT services liaise with University Information Services staff to put in place equivalent IT security controls;
  • Assisting the Data Protection Officer in maintaining accurate and up to date records of data processing activities.

Academic Registrar

Responsible for maintaining relevant student administration policies and procedures and for oversight of the management of student records and associated personal data across the University in compliance with data protection law.

Global Director of Information Services

Responsible for ensuring that centrally managed IT systems and services embed privacy by design and default and for promoting good practice in IT security among staff.

Global Director of Human Resources

Responsible for maintaining relevant human resources policies and procedures to support compliance with data protection law.

Head of Assurance Services

Responsible for ensuring that data protection and wider Information Security controls are integrated within the project management, risk, business continuity management and audit programmes and for liaising with insurers to ensure that the ISMS meets insurance requirements.

Head of Procurement Services

Responsible for ensuring that supply chain due diligence and procurement processes embed information risk and data protection impact assessment and privacy by design.

Head of Safeguarding Services 

Responsible for ensuring that controls to manage the physical security of the University take account of relevant data protection risks and are integrated into the ISMS.

Global Information Governance and Data Protection Committee

Responsible for reviewing the effectiveness of data protection policies and procedures as part of its wider oversight of information security management, as set out in the Information Security Policy Framework.