Data Protection Act

About your data rights

The university complies with the responsibilities and duties as set out in the Data Protection Act 2018. This alters the General Data Protection Regulation (GDPR) EU 2016/679 to form a UK GDPR in relation to your personal data.

The format of personal data includes, but is not limited to: paper records, emails, electronic files, databases, CCTV and other video footage, photographs, and comments on exam scripts.

Your data rights

GDPR confers certain rights on individuals, which increase their rights of access to, and control over, their own personal information. Please note that not all of these rights are universal. Your rights under GDPR are:

  • The right to be informed
  • The right of access (Subject Access Request)
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

Please see our Data Rights Guidance which provides more detail about these rights.

Should you wish to exercise any of these rights, please email

  • How the university processes your personal data under GDPR

    Designed to protect the rights of the individual and to allow individuals access to their own personal data (with a few exemptions), the regulation lays out seven principles which must be complied with.

    The principles state that processing of personal data requires:

    • Lawfulness, fairness and transparency
    • Purpose limitation
    • Data minimisation
    • Accuracy
    • Storage limitation
    • Integrity and confidentiality (security)
    • Accountability

    In order to comply with the seven principles, at least one of the conditions below must be met for the processing of personal data to take place:

    • The individual has consented to the processing
    • Processing is necessary for the performance of a contract with the individual
    • Processing is required under a legal obligation (other than one imposed by the contract)
    • Processing is necessary to protect the vital interests of the individual
    • Processing is necessary to carry out public functions
    • Processing is necessary in order to pursue the legitimate interests of the data controller or third parties (unless it could unjustifiably prejudice the interests of the individual)

    To demonstrate compliance, all new university processing has been subject to a Data Protection Impact Assessment (DPIA), which is also known as a Privacy Impact Assessment (PIA). Information about the PIA Form and Guidance is available, or feel free to get in touch with us if you have any queries.

  • How the university processes special category personal data under GDPR

    Specific provision is made under the Legislation for the processing of sensitive personal information, called special category data.

    Special Category data includes:

    • racial or ethnic origin
    • political opinions
    • religious or other beliefs
    • trade union membership
    • physical or mental health conditions
    • sex life

    For sensitive personal information to be considered processed fairly, at least one of several extra conditions must be met. The full list is in the legislation; examples include:

    • Having the explicit consent of the individual
    • Being required by law to process the data for employment purposes
    • Needing to process the information in order to protect the vital interests of the individual or another person
    • Dealing with the administration of justice or legal proceedings
  • How the university handles suspected data breaches

    As well as a Data Protection Officer (DPO), the University has a team of Data Protection Coordinators (DPCs) who report and investigate all suspected data breaches, as well as keeping the staff in their team/area up to date with any developments relating to Data Protection.

    When a suspected breach occurs, or a situation arises that would constitute a “near miss”, staff inform the Faculty/Departmental Data Protection Coordinator, who assesses the severity of the breach and any risks to individuals’ data rights associated with it. DPCs can then offer advice on how to proceed and steps to mitigate against recurrence. In the event of breaches involving large amounts of data, or particularly sensitive data, the DPO is contacted to investigate further. A central log is maintained in order to identify any individuals or teams that may require further guidance or training. This informs reports that can be submitted to the Information Commissioner’s Office.

    IT security issues are reported to IT via the IT Service Desk.

    For information on what to do in the event of a breach, see the Data Security Breach Management Procedure, speak to your area Data Protection Coordinator, or drop us a line to

  • All staff must complete mandatory data protection training provided and monitored by Staff Development.

    The Data Protection Officer (DPO) is employed to oversee the University’s data protection strategies and implementation. The DPO is the officer who ensures that an organisation complies with the requirements of Data Protection legislation.

    Along with the DPO, the Records Management team assist with matters relating to compliance with such regulations. This is done through activities such as:

    • Organising, facilitating and supporting Data Protection Audits in order to ensure that the processing of personal data that occurs is in line with the principles of the Data Protection Act/UK GDPR
    • Advising teams on best practice
    • Ensuring all new processing or systems used to process data are subject to a Data Privacy Impact Assessment
    • Advising on the development of Data Sharing agreements
    • Assisting in the development of Privacy notices
    • Complying with Data Rights requests
    • Investigation of suspected Data Breaches and the management thereof
    • Reporting to the Information Commissioner’s Office
    • Helping to facilitate implementation of the Records Retention Schedule
    • Facilitation of safe, secure and confidential destruction of records at the end of their lifecycle

Contact us

If you require further information or assistance, please contact the Records Management Office by email to

Contact for the University Data Protection Officer:

The records management/compliance team will handle any data rights requests, reports of suspected data breaches and general enquiries about the university’s processing of personal data.
