Data Protection

These pages provide practical and straightforward guidance about how the University uses personal data safely and in compliance with the data protection legislation.

The University has a wide range of functions as an organisation; ranging from research and education to legal services and human resources. Almost all of its functions require the University to use data about living individuals.

To use personal data, the University must comply with all relevant UK data protection legislation. This means the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA).

Personal data is information that either on its own or when combined with other information, can identify a living individual. This can include (but is not limited to) names, addresses, student and staff ID numbers, dates of birth, photographs, social media handles, video footage, emails, and WhatsApp messages.

Certain types of personal data are deemed more sensitive than others. Personal data that falls into the following categories is called special category data. These categories of data require extra safeguards to be met when they are used. Personal data that fall into the special categories include race or ethnic origin, health data (either physical or mental health), and sex life or sexual orientation.

The main types of personal data that the University uses are staff data, student data (prospective, current, and alumni), and research data.

What are my rights under data protection legislation?

The UK GDPR gives individuals a range of rights with any organisation that holds their personal data. The rights are not absolute and exemptions may be applied by the University where appropriate.

The most common way that individuals exercise their rights is to ask an organisation for a copy of the personal data it holds about them and the reasons for doing so (Right of access). This process is called a Subject Access Request.

Under the UK GDPR, you can request that the University does the following things with your personal data:

  • Amend any personal data we hold about you that is inaccurate. (Right to rectification).
  • Erase information that you no longer want the University to keep about you. This right is only applicable in certain situations. (Right to be forgotten).
  • Restrict how your personal data is used by the University. This right is only applicable in certain situations. (Right to restriction).
  • Object to how the University is using your information and ask us to stop doing so. This right is only applicable in certain situations. (Right to objection).
  • Ask the University to provide you with your personal data so that you can move it to a new provider. This right is only applicable in certain situations. (Right to data portability).

The ICO provides summaries of all the rights of the individual under the UK GDPR. This gives specific information about how rights can be used by an individual and the situations in which they apply.

Our Information Compliance Privacy Notice applies to individuals sending requests for information under the provisions of the Freedom of Information Act 2000, the Environmental Information Regulations 2004, and the UK General Data Protection Regulation (UK GDPR), or if you write to the university’s Data Protection Officer.

Last update: 2 February 2023

Back to: Legal & Governance