Data protection legislation sets out rules and standards for the use and handling ('processing') of information ('personal data') about living identifiable individuals ('data subjects') by organisations ('data controllers'). It is based around the notions of principles, rights and accountability obligations.
The law applies to organisations in all sectors, both public and private. It applies to all electronic records as well as many paper records. It doesn't apply to anonymous information or to information about the deceased.
Since 25 May 2018, the legislation in the UK has been the EU General Data Protection Regulation (GDPR), coupled with the UK Data Protection Act 2018 (DPA 2018), which supplements the GDPR in specific ways. These two pieces of legislation replaced the Data Protection Act 1998 (DPA 1998) and the numerous Statutory Instruments issued pursuant to it. Following the UK's departure from the European Union there have been a number of updates and technical changes to the legislation. The regulation is now referred to as the UK GDPR, which came into force on 1 January 2021.
Additionally there is supplementary data protection legislation, covering specific topics, such as direct marketing which is set out in the Privacy and Electronic Communications Regulations 2003. The legislation is regulated in the UK by the Information Commissioner's Office (ICO) as well as the courts.
Under the UK GDPR, the University (like all data controllers) is required to pay an annual fee to the ICO and to be included in its register of fee payers (the University's register entry number is Z6987251 and the current registration period - which is renewed on an annual basis.
Data controllers processing personal data must follow - and be able to demonstrate that they are following - the data protection principles.
Under the GDPR, there are six principles. Personal data must be processed following these principles so that data is:
- Processed fairly, lawfully and transparently - and only if there is a valid 'legal basis' for doing so.
- Processed only for specified, explicit and legitimate purposes.
- Adequate, relevant and limited.
- Accurate (and rectified if inaccurate).
- Not kept for longer than necessary.
- Processed securely - to preserve the confidentiality, integrity and availability of the personal data.
There is an additional accountability principle, which obliges organisations to demonstrate their compliance with the six principles.
Under the previous legislation (DPA 1998) there were eight principles but two of these (about the rights of data subjects and transferring of personal data internationally) are covered in different ways in the UK GDPR. Depending on the context, there are full or partial exemptions from the principles when processing personal data for specific purposes.
An important aspect of complying with data protection legislation is being open and transparent with individuals about how their personal data will be used. The supply of this information - through documents known as 'privacy notices' - takes place in numerous targeted ways, depending on the nature of the interaction with the individual.
The University's core privacy notices can be found in the list on the left. This is not an exhaustive list; however, privacy notices will be made available to you before we start processing your personal data. If we receive your personal data from another source we will provide the relevant privacy notice to you within a reasonable period after obtaining the personal data, but at the latest within one month.
Under the UK GDPR, data subjects are given various rights, which apply to different types of processing and are free to exercise:
- The right to be informed of how their personal data are being used - this right is usually fulfilled by the provision of 'privacy notices' as described above.
- The right of access to their personal data - accessing personal data in this way is usually known as making a 'subject access request'.
- The right to have their inaccurate personal data rectified.
- The right to have their personal data erased where appropriate - also known as the right to be forgotten.
- The right to restrict the processing of their personal data pending its verification or correction.
- The right to receive copies of their personal data in a machine-readable and commonly used format - known as the right to data portability.
- The right to object: to processing (including profiling) of their personal data that proceeds under particular legal bases; to direct marketing; and to processing of their data for research purposes where that research is not in the public interest.
- The right not to be subject to a significant decision based solely on automated decision-making using their personal data.
A response to a rights request normally needs to be sent within one month. However, nearly all of these rights are qualified in various ways and there are numerous specific exemptions both in the UK GDPR and in the DPA 2018 (for example, nearly all the rights may not apply if the personal data are being processed solely in an academic research context). These rights build upon and strengthen rights previously given to data subjects under the DPA 1998.
Individuals can exercise any of the above rights by contacting firstname.lastname@example.org.
Data protection legislation imposes an accountability obligation on all data controllers. Under the UK GDPR, the main obligations to demonstrate accountability for large data controllers include:
- Implementing policies, procedures, processes and training to promote 'data protection by design and by default'.
- Where necessary, carrying out systematic Data Protection Impact Assessments (DPIAs) on 'high risk' processing activities.
- Having appropriate contracts in place when sharing personal data - especially when outsourcing functions that involve the processing of personal data and/or transferring the personal data outside the EEA.
- Maintaining records of the data processing that is carried out across the organisation.
- Documenting and reporting personal data breaches both to the ICO and to the affected data subjects when necessary.
- Where necessary, appointing an independent Data Protection Officer to advise on and monitor compliance. The University's DPO can be contacted via email at email@example.com.
The University's Data Protection Policy and Data Breach Incident Policy can be found on the University Policy Hub.
From time to time, your personal data may be shared when necessary with external organisations which process your data to assist with the student application and enrolment process. These external organisations will not process your data for any other purpose unless we ask them to, in which case you will be informed. We ensure we have appropriate data processing agreements and contracts in place before sharing your personal data with any data processors. Sometimes, your personal data is processed by these organisations outside the UK (for example, because they use a cloud-based system with servers based outside the UK), and if so, appropriate safeguards are in place to ensure the confidentiality and security of your personal data. Details of third parties we use can be found in the relevant privacy notices. We use the companies listed for assistance with the application and enrolment process:
- AGNE (Alphagraphics), Unit 9, Vanguard Court
- Sterling Press Ltd
- Zenith Packaging Limited, Units 9 - 13 Pontyfelin Industrial Estate
To contact the University of Wolverhampton's Data Protection Officer you can:
- Email via firstname.lastname@example.org
- Phone on 01902 32 1000
- Write to Data Protection Officer, Office of the University Secretary, University of Wolverhampton, Wulfruna Street, Wolverhampton, WV1 1LY