Introduction: roles and responsibilities

The paragraphs below set out the roles and responsibilties of all Heriot-Watt University staff in relation to compliance with the Data Protection Act 1998 and information security.

All staff and users of University information

All users of University information are responsible for:

  • Undertakingand completing relevant training and awareness activities provided by the University to support compliance with the HWU Data Protection Policy
  • Taking all necessary steps to ensure that no breaches of information security result from their actions
  • Reporting all suspected information security breaches or incidents promptly to ITHelp@hw.ac.uk  so that appropriate action can be taken to minimise harm
  • Informing the University of any changes to the information that they have provided to the University in connection with their employment or studies, changes of address or bank details

There are also specific responsibilities and levels of accountability assigned to certain posts by vitue of their seniority within the University:

The Principal and Vice-Chancellor

As the Chief Executive Officer of the University, the role holder has ultimate accountability for the University's compliance with data protection law.

The Secretary of the University

The role holder has senior management accountability for information governance and for ensuring that the Data Protection Officer is given sufficient autonomy and resources to carry out their tasks effectively.

Director of Governance and Legal Services

This post has senior management responsibility for information governance within the University.

Data Protection Officer

  • Informing and advising senior managers and all members of the  University community of their obligations under data protection law;
  • Promoting a culture of data protection, e.g. through training and awareness activities;
  • Reviewing and recommending policies, procedures, standards, and controls to maintain and demonstrate compliance with data protection law and embed privacy by design and default across the University;
  • Advising on data protection impact assessment and monitoring its performance; Monitoring and reporting on compliance to the University Executive, the Audit and Risk Committee and other relevant committees and boards;
  • Maintaining Records of Processing Activities;
  • Providing a point of contact for data subjects with regard to all issues related to their rights under data protection law;
  • Investigating personal data breaches, recommending actions to reduce their impact and likelihood of recurrence;
  • Acting as the contact point for and cooperating with the Information Commissioner’s Office on issues relating to processing.

The Academic Registrar and Deputy Secretary

The role holder is responsible for maintaining relevant student administration policies and procedures and for oversight of the management of student records and associated personal data across the University in compliance with data protection law.

All Heads of Schools, Institutes and Professional Services

The role holders are responsible for implementing the policy within their business areas, and for adherence by their staff including:

  • Assigning generic and specific responsibilities for data protection management
  • Managing access rights for information assets and systems to ensure that staff, contractors and agents have access only to such personal data is necessary for them to fulfil their duties
  • Ensuring that all staff in their business areas undertake relevant training provided by the University and are aware of their accountability for data protection
  • Ensuring that staff responsible for any locally managed IT services liaise with University Information Services staff to put in place equivalent IT security controls
  • Assisting the Data Protection Officer in maintaining accurate and up to date records of data processing activities

The Director of Information Services

The role holder is responsible for ensuring that centrally managed IT systems and services embed privacy by design and default and for promoting good practice in IT security among staff.

The Director of Human Resources

The role holder is responsible for maintaining relevant human resources policies and procedures, to support compliance with data protection law. 

Head of Assurance Services

The role holder is responsible for ensuring that data protection and wider Information Security controls are integrated within the project management, risk, business continuity management and audit programmes and for liaising with insurers to ensure that the ISMS meets insurance requirements.

Head of Procurement Services

The role holder is responsible for ensuring that supply chain due diligence and procurement processes embed information risk and data protection impact assessment and privacy by design.

The Security and Resilience Manager

The role holder is responsible for ensuring that controls to manage the physical security of the University take account of relevant data protection risks and are integrated into the ISMS.

University Information Governance and Security Group

The Group reviews the effectiveness of data protection policies and procedures as part of its wider oversight of information  security management, as set out in the Information Security Policy Framework.