The University has a wide range of functions as an organisation; ranging from research and education, legal services and human resources. Almost all of its functions require the University to use data about living individuals.
In order to use personal data, the University must comply with all relevant UK data protection legislation. This means the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA).
Personal data is information that either on its own, or when combined with other information, can identify a living individual. This can include (but is not limited to) names, addresses, student and staff ID numbers, dates of birth, photographs, social media handles, video footage, emails and WhatsApp messages.
Certain types of personal data are deemed more sensitive than others. Personal data that falls into the following categories is called special category data. These categories of data require extra safeguards to be met when they are used. Personal data that fall into the special categories include race or ethnic origin, health data (either physical or mental health) and sex life or sexual orientation.
The main types of personal data that the University uses are staff data, student data (prospective, current and alumni) and research data.
What are my rights under data protection legislation?
The UK GDPR gives individuals a range of rights with any organisation that holds their personal data. The rights are not absolute and exemptions may be applied by the University where appropriate.
The most common way that individuals exercise their rights is to ask an organisation for a copy of the personal data it holds about them and the reasons for doing so (Right of access). This process is called .
Under the UK GDPR, you can request that the University does the following things with your personal data:
- Amend any personal data we hold about you that is inaccurate. (Right to rectification).
- Erase information that you no longer want the University to keep about you. This right is only applicable in certain situations. (Right to be forgotten).
- Restrict how your personal data is used by the University. This right is only applicable in certain situations. (Right to restriction).
- Object to how the University is using your information and ask us to stop doing so. This right is only applicable in certain situations. (Right to objection).
- Ask the University to provide you with your personal data so that you can move it to a new provider. This right is only applicable in certain situations. (Right to data portability).
The ICO provides summaries of all the rights of the individual under the UK GDPR. This gives specific information about how rights can be used by an individual and the situations in which they apply.
Other information you can find on these pages is summarised below:
- Data Protection Policy
This policy sets out how personal data will be managed by the University and explains our responsibilities.
- Privacy notices
Privacy Notices tell individuals exactly what the University will do with their personal data.
- Reporting a data loss incident
This page gives guidance to anyone who wish to report a data protection concern. It holds the University’s data breach report form.
Last update: 15 September 2021
Back to: Legal & Governance