Data Protection Policy

02/11/2020

Corporate, Staff

An overview of the Data Protection Policy

1. Policy Statement

The Data Protection Act 2018 (DPA), which incorporates the UK GDPR, and the PECR set out the legislative requirements for organisations processing personal data.

The data protection legislation is overseen and enforced by the Information Commissioner’s Office (ICO), an independent public body responsible directly to Parliament.

The University of Wolverhampton processes personal data relating to potential, existing and previous staff and students, website users and users of other web-based forms, as well as personal data collected for research purposes; these individuals are collectively referred to in this policy as data subjects. When processing personal data, the University is obliged to fulfil individuals’ reasonable expectations of privacy by complying with the UK GDPR and other relevant data protection legislation (data protection law).

This policy details how the University will handle all personal data, whether it is processed or stored electronically or manually. A failure to comply with this policy may result in disciplinary action being taken by the University.

Personal data is any information that relates to an identified or identifiable individual. This could be as simple as a name or a student or employee number or could include other identifiers such as an IP address or a cookie identifier. See Appendix 2 for a more detailed definition.

 

This policy therefore seeks to ensure that we: 

1. Are clear about how personal data must be processed and the University’s expectations for all those who process personal data on its behalf;

2. Comply with the data protection law and with good practice;

3. Protect the University’s reputation by ensuring the personal data entrusted to us is processed in accordance with data subjects’ rights; and

4. Protect the University from risks of personal data breaches and other breaches of data protection law.

The main terms used are explained in Appendix 2 ‘Glossary of Terms’ of this policy.

This Policy applies to all staff and others working for or on behalf of the University, whether in the UK or overseas, and includes governors, secondees, any third-party representatives, agency workers, volunteers, interns, agents and sponsors. Staff employed by the University must ensure that this policy is communicated to any organisation that they work with who may have access to personal data where the University is data controller.

Non-compliance with this policy and associated policies could potentially expose the University, staff and students to unacceptable data protection risk. To this end the University commits to:

Information Governance Management: Establishing and supporting robust operational and management accountability structures, with appropriate resources and expertise to ensure information governance issues are dealt with appropriately, effectively and at levels within the organisation commensurate with the type and gravity of the issue in question.

Staff Empowerment: Embedding a culture of individual responsibility and capability across the University in relation to information management, protection and use as part of ‘business as usual’.

Training and Awareness: Implementing a system of training and awareness that meets government mandatory requirements, is role based, assessed and capable of equipping employees with the skills and knowledge necessary to do their jobs.

Systems and Processes: Establishing and maintaining information systems and processes to enable the efficient and secure storage and retrieval of information and the management of information risk.

Policy and guidance: Developing and embedding policies and guidance documents in relation to the respective areas of information governance that support employees to fully understand the standards, practices and responsibilities required within the information governance framework and to take appropriate action where necessary.

Audit: Monitoring employees’ compliance with the information governance framework through regular audits.

All Deans of Faculties and Directors of Professional Services are responsible for ensuring that all University staff within their area of responsibility comply with this policy and should implement appropriate practices, processes, controls and training to ensure that compliance.

The Information Governance Manager is the designated Data Protection Officer and is responsible for the operation of this policy; they can be reached at dataprotection@wlv.ac.uk.

Personal data protection principles

When an organisation and its staff process personal data, it should be done in line with the principles set out in the UK GDPR. The University is responsible for, and must be able to demonstrate compliance with, the data protection principles listed below.

The principles require personal data to be:

1. Processed lawfully, fairly and in a transparent manner (Lawfulness, fairness and transparency). Detail on how to achieve this can be found in Appendix 1.

2. Collected only for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes (Purpose limitation). Detail on how to achieve this can be found in Appendix 2.

3. Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (Data minimisation). Detail on how to achieve this can be found in Appendix 2.

4. Accurate and where necessary kept up to date (Accuracy). Detail on how to achieve this can be found in Appendix 2.

5. Not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data is processed (Storage limitation). Detail on how to achieve this can be found in Appendix 2.

6. Processed in a manner that ensures its security, using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage (Security, integrity and confidentiality). Detail on how to achieve this can be found in Appendix 2.

The consequences of failing to comply with the requirements of the above principles may result in:

⦁ Criminal and civil action against the University and staff;

⦁ Fines and damages against the University and staff;

⦁ Personal accountability and liability;

⦁ Suspension/withdrawal of the University’s right to process personal data by the ICO;

⦁ Loss of confidence in the integrity of the University’s systems and procedures;

⦁ Irreparable damage to the University’s reputation.

The personal data held by the University typically relates to students and staff, who are known as data subjects. They have rights in relation to the way the University handles their personal data. Chapter 3 of the UK GDPR provides the following rights for individuals:

1. Right to be Informed: Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. The University must provide individuals with information including the purposes for processing their personal data, the retention periods for that personal data, and who it will be shared with. This should be given in the form of a privacy notice.

2. Right of Access: Individuals have the right to access their personal data, which is commonly referred to as a Subject Access Request. Individuals can make a request verbally or in writing and the University has one month to respond to a request. Extensions for complying with such requests can be given when necessary.

3. Right to rectification: The UK GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. In certain circumstances the University can refuse a request for rectification. Individuals can make a request verbally or in writing and the University has one month to respond to a request.

4. Right to Erasure: The UK GDPR introduces a right for individuals to have their personal data erased. The right to erasure is also known as ‘the right to be forgotten’. The right is not absolute and only applies in certain circumstances. This right is not the only way in which the UK GDPR places an obligation on the University to consider whether to delete personal data. Individuals can make a request verbally or in writing and the University has one month to respond to a request.

5. Right to restrict processing: Individuals have the right to request the restriction or suppression of their personal data. This is not an absolute right and only applies in certain circumstances. When processing is restricted, the University is permitted to store the personal data, but not use it. Individuals can make a request verbally or in writing and the University has one month to respond to a request.

6. Right to data portability: The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. Doing this enables individuals to take advantage of applications and services that can use this data to find them a better deal or help them understand their spending habits. The right only applies to information an individual has provided to a controller.

7. Right to object: The UK GDPR gives individuals the right to object to the processing of their personal data in certain circumstances. Individuals have an absolute right to stop their data being used for direct marketing. In other cases where the right to object applies the University may be able to continue processing if it is shown that there is a compelling reason for doing so. The University must inform individuals about their right to object. Individuals can make a request verbally or in writing and the University has one month to respond to a request.

8. Rights related to automated decision making including profiling: The UK GDPR has provisions on:

A. automated individual decision-making (making a decision solely by automated means without any human involvement); and

B. profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.

The UK GDPR applies to all automated individual decision-making and profiling. Article 22 of the GDPR has additional rules to protect individuals if you are carrying out solely automated decision-making that has legal or similarly significant effects on them.

University responsibilities

As the Data Controller, the University is responsible for establishing policies and procedures in order to comply with data protection law.

The University will ensure all staff are provided with data protection training and promote the awareness of the University’s data protection and information security policies, procedures and processes.

Data Protection Officer Responsibilities

The University DPO is responsible for:

A. Advising the University and its staff of its obligations under the UK GDPR;

B. Monitoring compliance with the UK GDPR and other relevant data protection law and with the University’s policies in this respect, and monitoring training and audit activities related to UK GDPR compliance;

C. Providing advice, where requested, on data protection impact assessments;

D. Cooperating with, and acting as the contact point for, the Information Commissioner’s Office; and

E. Having due regard, in the performance of their tasks, to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

Information Asset Owners and Custodians

The Information Asset Owner (IAO) is responsible for ensuring that the Data Protection Act is followed and that personal data is handled and managed appropriately within their area of responsibility. The owners are supported by Information Asset Custodians. IAOs will be in place throughout the University, with at least one in each department or faculty. A list of IAOs can be found on the IG page of the intranet. Alongside giving advice to staff, the IAOs will:

A. Ensure that personal data is kept in accordance with the University’s retention schedule;

B. Report new processing activities to the Data Protection team for inclusion on the Records of Processing Activities in accordance with Article 30 of the UK GDPR;

C. Consult with staff members when they conduct a Data Protection Impact Assessment (DPIA) for new processing activities which are likely to result in high risks to the rights and freedoms of individuals, such as using systematic profiling, special category or criminal conviction information or systematic monitoring;

D. Ensure that, where personal information is being collected and processed for a new purpose, privacy notices are put in place with the assistance and approval of the Information Governance Manager;

E. Ensure that, where our data subjects’ information is being shared with another data controller or processor, Data Sharing Agreements (DSA) or Data Processing Agreements (DPA) are put in place with the assistance and approval of the Information Governance Manager; and

F. Complete entries on the University Records of Processing Activities register (RoPA).

Staff responsibilities

Staff members who process personal data about students, staff, applicants, alumni or any other individual must comply with the requirements of this policy. Staff members must ensure that:

A. All information processed is necessary for the purpose for which it is required;

B. All personal data is kept securely in line with the IT department’s prescribed practices;

C. No personal data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorised third party;

D. Personal data is kept in accordance with the University’s retention schedule;

E. Any queries regarding data protection, including subject access requests and complaints, are promptly directed to the Data Protection team;

F. Any data protection breaches are swiftly brought to the attention of the Data Protection team and the Information Governance Manager by following the Data Breach Reporting Procedure and that they support the Data Protection team in resolving breaches;

G. Conduct a DPIA in consultation with the appropriate IAO for new processing activities which are likely to result in high risks to the rights and freedoms of individuals, such as using systematic profiling, special category or criminal conviction information or systematic monitoring;

H. Data Sharing Agreements (DSA) or Data Processing Agreements (DPA) are put in place with the assistance and advice of the Information Governance Manager;

I. Personal information is not transferred to any country where there is no adequacy decision (See UK GDPR Article 45), unless the transfer is subject to an appropriate safeguard provided in the UK GDPR;

J. Where there is uncertainty around a data protection matter advice must be sought from the Data Protection team and the Information Governance Manager; and

K. They notify their line manager and the Data Protection team if they believe this policy has been breached.

Where members of staff are responsible for overseeing students doing work which involves the processing of personal information (for example in research projects), they must ensure that those students are aware and are in compliance with the Data Protection principles in conducting their research.

Staff should direct any requests for personal information from third parties to the Data Protection team or the Information Governance Manager.

Contractors, Short-term and Voluntary Staff

The University is responsible for the use made of personal data by anyone working on its behalf. Managers who employ contractors, short-term or voluntary staff must ensure that they are appropriately vetted for the data they will be processing. In addition, managers should ensure that:

A. Any personal data collected or processed in the course of work undertaken for the University is kept securely and confidentially;

B. All personal data is returned to the University on completion of the work, including any copies that may have been made; alternatively, that the data is securely destroyed and the University receives notification to this effect from the contractor or short-term / voluntary member of staff;

C. All practical and reasonable steps are taken to ensure that contractors, short term or voluntary staff do not have access to any personal data beyond what is essential for the work to be carried out properly.

Student responsibilities

Students are responsible for:

a. reading and understanding the Privacy Notice provided when they apply and enrol at the University; and

b. ensuring that their personal data provided to the University is accurate and up to date.

Third-Party Data Processors

The University uses various data processors to process data for different purposes on our behalf.


Where a third-party data processor is used:

A. A data processor must be chosen which provides sufficient guarantees about its security measures to protect the processing of personal data;

B. Reasonable steps must be taken to ensure that such security measures are in place;

C. A written contract or data processing agreement establishing what personal data will be processed and for what purpose must be set out as well as setting out the responsibilities and liabilities of each party; and

D. The contract or data processing agreement must be approved by the Data Protection Team, and must be signed by both parties.

The UK GDPR sets out what needs to be included in a contract or DPA.

If a processor uses another organisation (i.e. a sub-processor) to assist in its processing of personal data for a controller, it needs to have a written contract in place with that sub-processor.

For further guidance about the use of third-party data processors and for a Data Processing Agreement template, please contact the Data Protection team.

In the absence of Consent, a legal obligation or other legal basis of processing, personal data should not generally be disclosed to third parties unrelated to the University (e.g. students’ parents, members of the public, private property owners).

Some bodies have a statutory power to obtain information (e.g. regulatory bodies such as the Health & Care Professions Council, the Nursing and Midwifery Council, government agencies such as the Child Support Agency, or Local Councils). Any requests for information of this nature should be referred to the Information Governance team.

Further, without a warrant, the police have no automatic right of access to records of personal data, though disclosure may be permitted for the purposes of preventing/detecting crime or for apprehending offenders. Any requests for information of this nature should be referred to the Information Governance team.

Sharing of personal data for research purposes may also be permissible, subject to certain safeguards.

The UK GDPR requires the University to report to the Information Commissioner’s Office (ICO) any personal data breach where there is a risk to the rights and freedoms of the data subject. Where the personal data breach results in a high risk to the data subject, the data subject must also be notified, unless subsequent steps have been taken to ensure that the risk is unlikely to materialise, security measures were applied to render the personal data unintelligible (e.g. encryption), or it would amount to disproportionate effort to inform the data subject directly.

Where a staff member knows or suspects that a personal data breach has occurred, they are required to report the data breach to the Information Governance team in accordance with the University data breach reporting procedure, which can be found here. They will decide if it needs to be reported to the ICO.

The UK GDPR restricts data transfers to countries where there is no adequacy decision, in order to ensure that the level of data protection afforded to individuals by the UK GDPR is not undermined. Personal data is transferred across borders when data originating in one country is transmitted or sent to a different country, or is viewed or accessed from a different country.

An individual may only transfer personal data to a country without adequacy (as defined by UK GDPR Article 45) if one of the following conditions applies:

1. The UK Government has issued a decision confirming that the country to which the personal data is being transferred, ensures an adequate level of protection for the data subjects’ rights and freedoms. The countries currently approved can be found here;

2. Appropriate safeguards are in place such as binding corporate rules, standard contractual clauses approved by the UK Government, an approved code of conduct or a certification mechanism, a copy of which can be obtained from the DPO;

3. The data subject has provided explicit Consent to the proposed transfer after being informed of any potential risks; or

4. The transfer is necessary for one of the other reasons set out in the GDPR, including:

a. The performance of a contract between the University and the data subject (e.g. students’ mandatory year abroad in an overseas institution/placement);

b. Reasons of public interest;

c. To establish, exercise or defend legal claims; or

d. To protect the vital interests of the data subject where the data subject is physically or legally incapable of giving Consent.

The University has a range of standard transfer agreements and clauses and you should seek guidance from the Information Governance team at dataprotection@wlv.ac.uk before any transfer of personal data takes place.

The UK GDPR requires the University to keep full and accurate records of all personal data processing activities. Accurate corporate records must be kept and maintained which reflect the University’s personal data processing, including records of data subjects’ Consents and procedures for obtaining Consents, where Consent is the legal basis of processing.

These records should include, at a minimum, the name and contact details of the University as Data Controller and the DPO, clear descriptions of the personal data types, data subject types, processing activities, processing purposes, third-party recipients of the personal data, personal data storage locations, personal data transfers, the personal data’s retention period and a description of the security measures in place.

 

The University is required to ensure that all employees undergo adequate training to enable them to comply with data protection law. The University must also regularly test its systems and processes to assess compliance.

All employees must undergo all mandatory data privacy related training annually, links to which can be found on the Organisational Development webpage here. There are UK GDPR refresher training sessions available and more tailored training may be made available on request, by contacting the Information Governance Team.

Each Department must regularly review all the systems and processes under its control to ensure they comply with this policy.

The University is required to implement privacy-by-design measures when processing personal data, by implementing appropriate technical and organisational measures, such as pseudonymisation, in an effective manner to ensure compliance with the data protection principles.

The University must ensure therefore that by default only personal data which is necessary for each specific purpose is processed. The obligation applies to the volume of personal data collected, the extent of the processing, the period of storage and the accessibility of the personal data. In particular, by default, personal data should not be available to an indefinite number of persons. All staff should ensure that they adhere to those measures.

The University must also conduct DPIAs in respect of high-risk processing before that processing is undertaken.

A DPIA should be conducted by staff members in consultation with their IAO (with the findings discussed with, risk-assessed by and approved by the DPO) in the following circumstances:

1. The use of new technologies (programs, systems or processes), or changing technologies (programs, systems or processes);

2. Automated processing including profiling;

3. Large scale processing of sensitive (special category) data; and

4. Large scale, systematic monitoring of a publicly accessible area.

A DPIA must include:

1. A description of the processing, its purposes and the Data Controller’s legitimate interests if appropriate;

2. An assessment of the necessity and proportionality of the processing in relation to its purpose;

3. An assessment of the risk to individuals; and

4. The risk-mitigation measures in place and demonstration of compliance.

When conducting a DPIA please use the University template and guidance here.

The University is subject to certain rules and privacy laws when carrying out marketing activities directed at applicants, students, alumni and any other potential users of its services.

For example, a data subject’s prior Consent is required for electronic direct marketing (for example, by email, text or automated calls). Please refer to Appendix 1 for further information regarding requirements when obtaining consent.

The limited exception for existing customers (e.g. current students) known as “soft opt in” allows organisations to send marketing texts or emails if they have obtained contact details in the course of a sale to that person, they are marketing similar services (e.g. a post-graduate course or a professional qualification), and they gave the person an opportunity to opt out of marketing when first collecting the details and in every subsequent message.

The right to object to direct marketing must be explicitly offered to the data subject at all stages of communication and in an intelligible manner so that it is clearly distinguishable from other information.

A data subject’s objection to direct marketing must be promptly honoured. If a data subject opts out at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future.

For electronic marketing the University must follow PECR guidance. Different rules apply to marketing by post. A detailed marketing procedure guide can be found here (to follow). 

Individuals who wish to make a complaint relating to how the University handles personal data can do so either: 

Via email at dataprotection@wlv.ac.uk 

Or via post at

Information Governance Team
Offices of the Vice Chancellor
University of Wolverhampton
Wulfruna Building
Wulfruna Street
Wolverhampton WV1 1LY 

Relevant Documents (click here):

Document Retention Schedule

Data Breach Policy

Acceptable Use of IT Facilities

Encryption Policy

Information Security Policy

Principle 1 of UK GDPR – Processing personal data lawfully, fairly and transparently

1. Lawfulness and fairness 

You may only process personal data fairly and lawfully and for specified purposes. These conditions are not intended to prevent processing, but to ensure that we process personal data for legitimate purposes without prejudicing the rights and freedoms of data subjects. The University may only process personal data if the processing in question is based on one (or more) of the legal bases set out below. There is a separate set of legal bases for processing Special Category information, which are outlined in Section (B).

The legal bases for processing personal data under Article 6 of the UK GDPR are as follows:

A. The data subject has given their Consent;

B. The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into the contract;

C. The processing is necessary for compliance with a legal obligation to which the controller is subject;

D. The processing is necessary to protect the vital interests of the data subject or another natural person (i.e. matters of life or death);

E. The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

F. The processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. (If legitimate interests is being used as the condition for processing, a legitimate interests test must be carried out before the processing commences.)

You must identify the legal basis that is being relied on for each processing activity, which will be included in the Privacy Notice provided to data subjects.

(A) Consent

You should only obtain a data subject’s Consent if there is no other legal basis for the processing. Consent requires genuine choice and genuine control.

A data subject consents to processing of his/her personal data if he/she indicates agreement clearly either by a statement or positive action to the processing. Silence, pre-ticked boxes or inactivity are therefore not sufficient for obtaining Consent. If Consent is given in a document that deals with other matters, you must ensure that the Consent is separate and distinct from those other matters.

Data subjects must be able to withdraw Consent to processing easily at any time. Withdrawal of Consent must be promptly honoured. Consent may need to be renewed if you intend to process personal data for a different and incompatible purpose which was not disclosed when the data subject first consented, or if the Consent is historic.

You will need to ensure that you have evidence of Consent and you should keep a record of all Consents obtained so that we can demonstrate compliance.

Consent is required for electronic marketing and some research purposes.

(B) Legal bases for Processing Sensitive Personal Data, including Special Category Data

Special category data is personal data that needs more protection because it is sensitive. In order to lawfully process special category data, a lawful basis under Article 6 of the UK GDPR and a separate condition for processing under Article 9 must be identified. These do not have to be linked.

There are 10 conditions for processing special category data in Article 9 of the UK GDPR. Five of these require you to meet additional conditions and safeguards set out in UK law, in Schedule 1 of the DPA 2018.

You must determine your condition for processing special category data before you begin this processing under the UK GDPR, and you should document it. In many cases you also need an appropriate policy document in place in order to meet a UK Schedule 1 condition for processing in the DPA 2018.

You need to complete a data protection impact assessment (DPIA) for any type of processing which is likely to be high risk. You must therefore be aware of the risks of processing the special category data.

The conditions for processing special category data under Article 9(2) of the UK GDPR are as follows:

A. The data subject has given explicit Consent (requiring a clear statement, oral or written, not merely an affirmative action);

B. The processing is necessary for carrying out obligations or exercising rights under employment, social security or social protection law;

C. The processing is necessary to protect the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving Consent;

D. The processing is carried out, with appropriate safeguards, in the course of the legitimate activities of a not-for-profit body with a political, philosophical, religious or trade union aim, relates only to its members, former members or persons in regular contact with it, and the personal data are not disclosed outside the body without Consent;

E. The processing relates to personal data which are manifestly made public by the data subject;

F. The processing is necessary for the establishment, exercise or defence of legal claims, or whenever courts are acting in their judicial capacity;

G. The processing is necessary for reasons of substantial public interest, on the basis of law (provided it is proportionate to the particular aim pursued and takes into account the privacy rights of the data subject);

H. The processing is necessary for the purposes of preventive or occupational medicine, assessing the working capacity of an employee, medical diagnosis, or the provision or management of health or social care or treatment, provided it is subject to professional confidentiality;

I. The processing is necessary for reasons of public interest in the area of public health (for example protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care), provided it is subject to professional confidentiality;

J. The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the safeguards in Article 89(1) (i.e. pseudonymisation or anonymisation where possible; the research is not carried out for the purposes of making decisions about particular individuals, unless it is approved medical research; it must not be likely to cause substantial damage or distress to an individual; and it is in the public interest).

Conditions B, G, H, I and J are the five that also require a condition in Schedule 1 of the DPA 2018 to be met.

Processing Special Category data represents a greater intrusion into individual privacy than processing other personal data. You must therefore take special care when processing Special Category data and ensure that you comply with the data protection principles (as set out in the main body of this policy) and with this policy, in particular in ensuring the security of the sensitive personal data.

Examples of special category data processed by the University will include:

1. Details of disability for the purposes of assessing and implementing reasonable adjustments to the University’s policies, criteria or practices.

2. Details of racial/ethnic origin, sexual orientation, religion/belief for the purposes of equality monitoring.

Personal data relating to criminal convictions and offences, including the alleged commission of offences or proceedings for offences or alleged offences, is not special category data under Article 9 but is given similar protection by Article 10 of the UK GDPR and section 10 of the DPA 2018. It should be treated in the same way as special category data.

Examples of criminal convictions data processed by the University will include:

1. Checks conducted by the Disclosure and Barring Service for the purposes of assessing eligibility of staff or students to engage in work with children and vulnerable adults, as permitted by

Transparency (notifying data subjects)

Under the UK GDPR the University must tell data subjects how it processes their personal data. The information that must be provided differs slightly depending on whether the personal data was collected directly from the data subject or from elsewhere. It must be given through appropriate Privacy Notices, which must be concise, transparent, intelligible, easily accessible, and in clear and plain language, so that a data subject can easily understand what happens to their personal data.

Whenever we collect personal data directly from data subjects, for example for the recruitment and employment of staff and for the recruitment and enrolment of students, at the time of collection we must provide the data subject with all the prescribed information which includes:

A. The name and contact details of our organisation.

B. The name and contact details of our representative (if applicable).

C. The contact details of our data protection officer (if applicable).

D. The purposes of the processing.

E. The lawful basis for the processing.

F. The legitimate interests for the processing (if applicable).

G. The categories of personal data obtained (if the personal data is not obtained from the individual it relates to).

H. The recipients or categories of recipients of the personal data.

I. The details of transfers of the personal data to any third countries or international organisations (if applicable).

J. The retention periods for the personal data.

K. The rights available to individuals in respect of the processing.

L. The right to withdraw consent (if applicable).

M. The right to lodge a complaint with a supervisory authority.

N. The source of the personal data (if the personal data is not obtained from the individual it relates to).

O. The details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to).

P. The details of the existence of automated decision-making, including profiling (if applicable).

When personal data is collected indirectly (for example, from a third party or a publicly available source), you must also provide this information to the data subject. It must be given within a reasonable period of obtaining the data and at the latest within one month, or at the time of the first communication with the data subject or the first disclosure to another recipient if that is earlier. You must also check that the personal data was collected by the third party in accordance with the UK GDPR and on a basis which contemplates our proposed processing of that personal data.

Principle 2 of the UK GDPR – Purpose Limitation

Personal data must be collected only for specified, explicit and legitimate purposes. It must not be further processed in any manner incompatible with those purposes.

You cannot therefore use personal data for entirely new, different or incompatible purposes from those disclosed when it was first obtained unless you have informed the data subject of the new purposes. Where the further processing is not based on the data subject’s Consent or on a lawful exemption from data-protection law requirements, you should assess whether a purpose is incompatible by taking into account factors such as:

1. The link between the original purpose/s for which the personal data was collected and the intended further processing;

2. The context in which the personal data has been collected – in particular the University-data subject relationship. You should ask yourself if the data subject would reasonably anticipate the further processing of his/her personal data;

3. The nature of the personal data in particular whether it involves special categories of personal data (i.e. sensitive) or personal data relating to criminal offences/convictions;

4. The consequences of the intended further processing for the data subjects; and

5. The existence of any appropriate safeguards e.g. encryption or pseudonymisation.

Provided that prescribed safeguards are implemented, further processing for scientific or historical research purposes or for statistical purposes will not be regarded as incompatible. Safeguards include ensuring data minimisation (e.g. pseudonymisation or anonymisation where possible), the research will not be carried out for the purposes of making decisions about particular individuals and it must not be likely to cause substantial damage/distress to an individual, unless it is approved medical research.

Principle 3 of the UK GDPR – Data minimisation

Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. You should not therefore amass large volumes of personal data that are not relevant for the purposes for which they are intended to be processed. Conversely, personal data must be adequate to ensure that we can fulfil the purposes for which it was intended to be processed.

You may only process personal data when performing your duties that require it and you should not process personal data for any reason unrelated to your duties.

You must ensure that when personal data is no longer needed for specified purposes, it is deleted or anonymised in accordance with the University’s data retention schedule.

Principle 4 of the UK GDPR - Accuracy

Personal data must be accurate and, where necessary, kept up to date. You should ensure that personal data is recorded in the correct files.

Incomplete records can lead to inaccurate conclusions being drawn and in particular, where there is such a risk, you should ensure that relevant records are completed. Inaccurate records can also lead to data breaches.

You must check the accuracy of any personal data at the point of collection and at regular intervals thereafter. You must take all reasonable steps to destroy or amend inaccurate records without delay and you should update out-of-date personal data where necessary (e.g. where it is not simply a pure historical record).

Where a data subject has required his/her personal data to be rectified or erased, you should inform recipients of that personal data that it has been erased/rectified, unless it is impossible or significantly onerous to do so. 

Principle 5 of the UK GDPR – Storage limitation

You must not keep personal data in a form that allows data subjects to be identified for longer than needed for the legitimate educational/research or University business purposes or other purposes for which the University collected it. Those purposes include satisfying any legal, accounting or reporting requirements. Once records have been genuinely anonymised they are no longer personal data and may be kept for longer.

You will take all reasonable steps to destroy or erase from the University’s systems all personal data that we no longer require in accordance with all relevant University records retention schedules and policies.

You will ensure that data subjects are informed of the period for which their personal data is stored or how that period is determined in any relevant Privacy Notice.

Principle 6 of the UK GDPR – Security, Integrity and Confidentiality

The University is required to implement and maintain appropriate safeguards to protect personal data, taking into account in particular the risks to data subjects presented by unauthorised or unlawful processing or accidental loss, destruction of, or damage to their personal data. Safeguarding will include the use of encryption and pseudonymisation where appropriate. It also includes protecting the confidentiality (i.e. that only those who need to know and are authorised to use personal data have access to it), integrity and availability of the personal data. We will regularly evaluate and test the effectiveness of those safeguards to ensure security of our processing of personal data.

You are also responsible for protecting the personal data that you process in the course of your duties. You must therefore handle personal data in a way that guards against accidental loss or disclosure or other unintended or unlawful processing and in a way that maintains its confidentiality. You must exercise particular care in protecting sensitive personal data from loss and unauthorised access, use or disclosure.

You must comply with all procedures and technologies we put in place to maintain the security of all personal data from the point of collection to the point of destruction.

You must comply with all applicable aspects of our IT Security Policy, and comply with and not attempt to circumvent the administrative, physical and technical safeguards we implement and maintain in accordance with the Data Protection Law standards to protect personal data.

You may only transfer personal data to third-party service providers (i.e. data processors) who provide sufficient guarantees to implement appropriate technical and organisational measures to comply with Data Protection Law and who agree to act only on the University’s instructions. Data processors should therefore be appointed subject to the University’s standard contractual requirements for data processors.

 

Appendix 2 – Glossary of Terms

Automated Decision-Making (ADM): when a decision is made which is based solely on automated processing (including profiling) which produces legal effects or similarly significantly affects an individual. The UK GDPR prohibits Automated Decision-Making (unless certain conditions are met) but not automated processing.

Consent: agreement which must be freely given, specific, informed and an unambiguous indication of the data subject’s wishes, by which they, by a statement or by a clear positive action, signify agreement to the processing of personal data relating to them.

Criminal offence data: any information relating to criminal allegations, convictions and offences, including related security measures. In order to process personal data relating to criminal convictions or offences, staff must have both a lawful basis for processing under Article 6 and either official authority or a specific condition for processing in Schedule 1 of the DPA 2018.

Data Controller: the person or organisation that determines when, why and how to process personal data. It is responsible for establishing practices and policies in accordance with the UK GDPR. The University is the Data Controller of all personal data relating to it and used in delivering education and training, conducting research and all other purposes connected with it, including business purposes.

Data Protection by Design and Default: The UK GDPR requires controllers to put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights. In essence, this means we have to integrate data protection into our processing activities and business practices, from the design stage right through the lifecycle.

Data Protection impact assessment (DPIA): tools and assessments used to identify and reduce the risks of a data processing activity. A DPIA can be carried out as part of Privacy by Design and must be conducted for any processing likely to result in a high risk, including major system or business change programmes involving the processing of personal data.

Data Protection Officer (DPO): the person appointed as such under the UK GDPR and in accordance with its requirements. A DPO is responsible for advising the University (including its employees) on their obligations under Data Protection Law, for monitoring compliance with data protection law and with the University’s policies, providing advice, cooperating with the ICO and acting as a point of contact with the ICO.

Data Subject: a living, identified or identifiable individual about whom we hold personal data.

Personal Data: any information identifying a data subject or information relating to a data subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal data includes sensitive personal data and pseudonymised personal data but excludes anonymous data or data that has had the identity of an individual permanently removed.

Personal Data can include the following:

A. Name and address (postal and email)

B. Date of birth

C. Statement of fact

D. Any expression or opinion communicated about an individual

E. Minutes of meetings, reports

F. Emails, file notes, handwritten notes, sticky notes

G. CCTV footage if an individual can be identified by the footage

H. Employment and student applications

I. Spreadsheets and/or databases with any list of people set up by code or student/staff number

J. Employment or education history

K. Online identifier, IP address

Personal Data Breach: any breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data. It can be an act or omission. Every such event is a breach; the level of risk to data subjects determines whether it must be reported to the ICO (where a risk to them is likely) and whether the data subjects themselves must be told (where a high risk is likely).

Privacy by Design and Default: implementing appropriate technical and organisational measures in an effective manner to ensure compliance with the UK GDPR.

Privacy Notices: separate notices setting out information that may be provided to data subjects when the University collects information about them. These notices may take the form of general privacy statements applicable to a specific group of individuals (for example, employee, student and donor privacy notices or the website privacy policy) or they may be stand-alone, one-time privacy statements covering processing related to a specific purpose.

Processing or Process: any activity that involves the use of personal data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties. In brief, it is anything that can be done to personal data from its creation to its destruction, including both creation and destruction.

Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is an example of automated processing.

Pseudonymisation or Pseudonymised: replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the person, to whom the data relates, cannot be identified without the use of additional information which is meant to be kept separately and secure.
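As an added illustration of this definition (and of the pseudonymisation safeguard referred to under Principle 2 and Principle 6), not the University's own code: a keyed pseudonymisation routine in Python. It assumes a constructed extract of module marks with invented five-digit student numbers and a secret key generated by the data custodian; the key and the pseudonym-to-identifier table are the "additional information" that must be kept separately from the pseudonymised dataset. The second half shows why an unkeyed hash of a small identifier space is not adequate pseudonymisation: every candidate identifier can simply be tried.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample extract (not real data). Five-digit student numbers are an
# assumption made so that the brute-force demonstration below runs in well
# under a second; the real identifier format does not matter to the technique.
SAMPLE_RECORDS: List[dict] = [
    {"student_number": "01234", "module": "4CS001", "mark": 68},
    {"student_number": "05678", "module": "4CS001", "mark": 54},
    {"student_number": "01234", "module": "4CS002", "mark": 71},
]
ID_WIDTH = 5  # size of the identifier space: 10**5 candidates


def make_pseudonym(identifier: str, key: bytes) -> str:
    """Derive a pseudonym as HMAC-SHA256 of the identifier under a secret key.

    The same identifier under the same key always yields the same pseudonym,
    so records about one person remain linkable for analysis, while nobody
    without the key can reverse the pseudonym or recompute it from a guess.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: List[dict], key: bytes,
                 field: str = "student_number") -> Tuple[List[dict], Dict[str, str]]:
    """Replace `field` in every record with its pseudonym.

    Returns the pseudonymised records (the dataset handed to the researchers)
    and a lookup table pseudonym -> identifier. The key and the table are the
    'additional information' that must be stored separately and secured.
    """
    lookup: Dict[str, str] = {}
    output: List[dict] = []
    for record in records:
        pseudonym = make_pseudonym(record[field], key)
        lookup[pseudonym] = record[field]
        copy = dict(record)
        copy[field] = pseudonym
        output.append(copy)
    return output, lookup


def reidentify(pseudonym: str, lookup: Dict[str, str]) -> Optional[str]:
    """Only the holder of the separately stored table can re-identify."""
    return lookup.get(pseudonym)


def unkeyed_pseudonym(identifier: str) -> str:
    """Plain SHA-256 of the identifier: a common but weak substitute."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def brute_force(pseudonym: str, derive: Callable[[str], str],
                width: int = ID_WIDTH) -> Optional[str]:
    """Try every identifier in the space; return the one that matches, if any.

    Succeeds against the unkeyed hash because the identifier space is tiny;
    fails against the keyed pseudonym because the attacker cannot evaluate
    `derive` with the real key.
    """
    for candidate in range(10 ** width):
        identifier = f"{candidate:0{width}d}"
        if hmac.compare_digest(derive(identifier), pseudonym):
            return identifier
    return None


def demo() -> dict:
    """Run the full flow and return the facts a reader would want to check."""
    key = secrets.token_bytes(32)  # generated and held by the data custodian
    dataset, lookup = pseudonymise(SAMPLE_RECORDS, key)
    first, third = dataset[0]["student_number"], dataset[2]["student_number"]
    # Attacker's view: the pseudonymised dataset only, no key, no lookup table.
    wrong_key = secrets.token_bytes(32)
    return {
        "linkable": first == third,  # same person, same pseudonym
        "distinct": first != dataset[1]["student_number"],
        "reidentified": reidentify(first, lookup),  # custodian can re-identify
        "unkeyed_recovered": brute_force(unkeyed_pseudonym("01234"), unkeyed_pseudonym),
        "keyed_recovered": brute_force(first, lambda i: make_pseudonym(i, wrong_key)),
    }


if __name__ == "__main__":
    print(demo())
```

The dataset keeps linkage (two records for the same student share a pseudonym), which is what makes it pseudonymised rather than anonymised; re-identification stays possible for whoever holds the key and table, so both must be access-controlled and stored apart from the dataset, and the key rotated or destroyed when the study ends.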

Special category data: personal data (as defined above) that reveals or concerns a living individual’s:

A. Race or ethnicity

B. Religious or philosophical beliefs

C. Political opinions

D. Membership of a trade union

E. Genetic data

F. Biometric data

G. Health data

H. Sex life

I. Sexual orientation

Version: 2.1
Approved Date: November 2020
Review Date: November 2023
Author: Office of the University Secretary
Approved by: Board of Governors