3.1 Cambridge Enterprise has a corporate responsibility as a data controller (or when acting as a joint data controller or a data processor) for:
3.1.1 Complying with data protection law and holding records demonstrating this;
3.1.2 Co-operating with the Information Commissioner’s Office (‘ICO’) as the UK regulator of data protection law; and
3.1.3 Responding to regulatory/court action and paying administrative levies and fines issued by the ICO.
3.2 The Cambridge Enterprise Senior Management Team is responsible for:
3.2.1 Reviewing (at least once every year until 25 May 2020 and once every five years thereafter) and approving this policy;
3.2.2 Assessing the overall risk profile and ensuring appropriate resources and processes are in place and implemented to enable compliance with data protection law.
3.3 The Deputy Director, as the named person within Cambridge Enterprise with responsibility for data protection compliance, is responsible for:
3.3.1 monitoring and auditing Cambridge Enterprise’s compliance with data protection law, especially its overall risk profile, and reporting when necessary to the Senior Management Team;
3.3.2 advising on all aspects of Cambridge Enterprise’s compliance with data protection law (including its use of Data Protection Impact Assessments), seeking advice from the University Information Compliance Office where necessary;
3.3.3 acting as Cambridge Enterprise’s standard point of contact with the ICO with regard to data protection law, including in the case of personal data breaches;
3.3.4 acting as an available point of contact for any complaints from data subjects;
3.3.5 handling data subject rights requests;
3.3.6 publishing and maintaining core privacy notices and other Cambridge Enterprise data protection documents;
3.3.7 managing and/or handling Data Protection Impact Assessments;
3.3.8 ensuring all Cambridge Enterprise staff are aware of this policy as necessary;
3.3.9 ensuring that appropriate processes and training are implemented to enable compliance with data protection law; and
3.3.10 ensuring that appropriate processes are implemented to enable information assets containing personal data within Cambridge Enterprise to be included in the University’s Information Asset Register where appropriate.
3.4 Individual staff, in order to enable Cambridge Enterprise to comply with data protection law, are responsible for:
3.4.1 completing relevant data protection training;
3.4.2 following relevant advice, guidance and tools/methods provided to staff, regardless of whether access to and processing of personal data is through Cambridge Enterprise-owned and managed systems, University-owned and managed systems, or through their own or a third party’s systems and devices;
3.4.3 when processing personal data on behalf of Cambridge Enterprise, only using it as necessary for their contractual duties and/or other Cambridge Enterprise roles and not disclosing it unnecessarily or inappropriately;
3.4.4 recognising, reporting internally, and co-operating with any remedial work arising from personal data breaches, including following the procedure set out in the Personal Data Breach Policy;
3.4.5 recognising, reporting internally, and co-operating with the fulfilment of data subject rights requests, including following the procedure set out in the Subject Access Request Policy;
3.4.6 ensuring compliance with Cambridge Enterprise’s Data Retention policy, deleting and removing data in accordance with the policy; and
3.4.7 on leaving Cambridge Enterprise, ensuring that all data housekeeping requirements are fulfilled, only deleting, copying or removing personal data as agreed with their Head of Team and as appropriate.
3.5 Non-observance of the responsibilities in paragraph 3.4 may result in disciplinary action.
3.6 The roles and responsibilities in paragraphs 3.1 to 3.5 do not waive any personal liability for individual criminal offences for the wilful misuse of personal data under data protection law.[6]
[6] These criminal offences include: unlawfully obtaining, disclosing or retaining personal data; recklessly re-identifying de-identified personal data without the data controller’s consent; deliberately altering or deleting personal data to prevent disclosure in accordance with data subject access rights; forcing a data subject to exercise their access rights; and knowingly giving false statements to the ICO.