Record of Processing Activity (ROPA)

The University of Liverpool is a data controller as defined by the UK General Data Protection Regulation and the Data Protection Act 2018. Our ROPA describes how and why we use personal information.

The Record of Processing Activity (ROPA) details the categories of data subjects and personal data that we process, as well as the purpose of the processing along with any recipients the personal data may be shared.

The University is organised into three academic faculties (Humanities & Social Sciences, Science & Engineering and Health & Life Sciences) and supported by four directorates within Central Professional Services (Education, Legal & Governance, Finance and People & Services).

Purposes for processing information

The University processes personal data for several purposes.

  • Providing education and support services to our students.
  • Staff administration.
  • Safeguarding the health and safety of our staff, students and third parties.
  • Management and administration of University research.
  • Financial purposes.
  • Data security and integrity management.
  • Statutory returns and other legal obligations.
  • Guild of Students’ administration.
  • The prevention and detection of crime.
  • Marketing and event promotion.
  • Alumni engagement management.
  • Fundraising and donation management.
  • Contractor management and commercial activities to our clients.

Categories of data subjects

As a result, the University processes the personal data of:

  • Staff and contracted personnel.
  • Prospective staff.
  • Unsuccessful applicants (staff).
  • Unsuccessful applicants (students).
  • Volunteers.
  • Former staff.
  • Prospective students.
  • Alumni.
  • Former students (withdrawn).
  • External Third Parties.
  • Donors and friends of the University.
  • Exchange students (incoming).
  • Visitors.
  • Individuals captured by CCTV images.
  • Landlords, tenants.
  • Parents, guardians, and carers of students.
  • Contractors.
  • Industry/Business contacts.
  • Suppliers of goods and services.
  • Complainants and enquirers
  • Authors, publishers, and other creators
  • Persons who may be the subject of enquiry
  • Third parties participating in course work
  • Health, welfare, and social organisations

Categories of personal data

Categories of personal data processed by the University are:

  • Biographical and family details.
  • Lifestyle and social circumstances.
  • Visual images, personal appearance, and behaviour.
  • Contact information.
  • Next of kin and emergency contact information.
  • Survey/feedback information.
  • Student record, attendance, and academic data.
  • Employment record and data.
  • Trade union membership.
  • Financial details.
  • Contract record information – including external third parties.
  • Misconduct, disciplinary and grievances investigations and outcomes.
  • Qualifications and professional memberships information.
  • Consent record information.
  • Health and disability data.
  • Criminal proceedings and conviction information (offences and alleged offences and sentences).
  • Equality information.
  • Vetting and barring checks.

Recipients of personal data

In certain circumstances the University must share personal data with a third party if this is required by law or because it otherwise deems it to be necessary to achieve a specified purpose. The University of Liverpool complies with the UK General Data Protection Regulation and the Data Protection Act 2018 when disclosing personal data.

The categories of recipients for personal data are:

  • Suppliers and service providers.
  • New and previous employers.
  • Regulatory bodies including the Office for Students (OfS).
  • Third party statistical agencies, including HESA.
  • Governmental bodies including UKV&I, ESFA and DSA.
  • Local Councils.
  • Awarding bodies.
  • Work experience or other placement provider.s
  • Accommodation providers.
  • Student support providers.
  • Parents, guardians, and carers.
  • Police and other law enforcement services.
  • Guild of Students.
  • Legal representatives.
  • International agents.
  • Research councils.

Transfers of data to a third country

The University has relationships with institutions and agencies outside of the UK which encourage and facilitate international learning and research. Where we transfer personal data outside of the UK as part of these relationships, we ensure appropriate contracts or other safeguards are in place.

Retention of data

The University of Liverpool retains personal data in line with our Record Retention Schedule, which forms part of our Information Management Policy.

More information

Data Protection Officer
Daniel Howarth,

Data controller
University of Liverpool, Foundation Building, 765 Brownlow Hill, Liverpool L69 7ZX

ICO registration number Z6390975

Page reviewed: 21 February 2024

Back to: Legal & Governance