Data protection legislation sets out rules and standards for the use and handling ('processing') of information ('personal data') about living identifiable individuals ('data subjects') by organisations ('data controllers'). It is based around the notions of principles, rights and accountability obligations.
The law applies to organisations in all sectors, both public and private. It applies to all electronic records as well as many paper records. It doesn't apply to anonymous information or to information about the deceased.
Since 25 May 2018, the legislation in the UK has been the EU General Data Protection Regulation (GDPR), coupled with the UK Data Protection Act 2018 (DPA 2018) that supplements the GDPR in specific ways. These two pieces of legislation replaced the Data Protection Act 1998 (DPA 1998) and the numerous Statutory Instruments issued pursuant to it. There is also supplementary data protection legislation covering specific topics, such as direct marketing. The legislation is regulated in the UK by the Information Commissioner's Office (ICO) as well as the courts.
Under the GDPR, the University (like all data controllers) is required to pay an annual fee to the ICO and to be included in its register of fee payers (the University's register entry number is 27830067 and the current registration period - which is renewed on an annual basis - expires on 12 May 2020).