The University takes individuals’ privacy very seriously and is committed to compliance with its obligations under data protection law.

Data Protection Law

The General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act 2018 (DPA) (together the “Data Protection Legislation”) govern how the University collects and uses individuals’ information and the rights of individuals in respect of that information. The University is obliged to comply with the 6 personal data principles of the GDPR:

  • Lawfulness, fairness and transparency: personal data shall be processed lawfully, fairly and in a transparent manner
  • Limited to purpose: personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (historical research and statistical purposes and public interest archiving excepted)
  • Data minimisation: personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  • Accuracy: personal data shall be accurate and, where necessary, kept up to date
  • Limited storage: personal data shall be kept in a form which permits identification of the data subject for no longer than is necessary for the purposes for which the personal data are processed (historical research and statistical purposes and public interest archiving excepted, subject to appropriate safeguards)
  • Integrity and Confidentiality: personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

How does data protection apply to my work?

  • Individuals have the right to see any personal information the University holds about them. They do this by making a subject access request, and we have one month to respond. Avoid complications by following the procedures.
  • We must tell people what we are doing with information about them, including whom we are disclosing it to
  • We must use appropriate security measures to protect personal data and must not keep it for longer than necessary. We must not transfer or share personal information without safeguards.

The University’s Data Protection Policy sets out how the University aims to comply with the Data Protection Legislation. Details are also available to all staff and students as to how personal information is handled – these are provided below.

Further general guidance is available from the Information Commissioner's Office.

Good records management and information security will help the University comply with the Act. The way our staff go about their daily tasks is vital to this. The University Solicitor is the University's Data Protection Officer and is responsible for providing help and guidance on applying the Data Protection Legislation, as well as for co-ordinating data subject rights requests from individuals.

Some individual areas of the University have specific and additional Data Protection and/or Confidentiality Policies, for example, Student Services or the Podiatry Clinic, because their work is of a very specialist nature or may involve people who are not staff or students of the University.

Making a data subject request

Making a request for information: Subject Access Requests

Under the Data Protection Legislation, individuals have the right to make requests to organisations to see any personal data which is held about them. This is called a ‘subject access request’ (SAR).

What is personal data?

Personal data is information relating to an individual, or information that allows the individual to be identified from it.

For example, an individual’s academic or HR record, their payroll data, a dataset containing information that identifies an individual or an email that refers to or relates to an individual are all examples that would be classed as personal data.

How do I make a subject access request?

Please complete the Subject Access Request Form and return it to the University Data Protection Officer, along with evidence of your identity (copy of passport, driving licence, student ID, etc.)

To enable you to get the most out of your request, please be as specific as possible about the information you wish to receive.

You can send the form to us by post or email, or in person to the Vice-Chancellor’s Office. Full details are on the form.

Further guidance on making a subject access request is provided below:

What information am I entitled to?

  • You are entitled to a copy of your personal data, and not data relating to others
  • You can request all of your personal data held, or data from a specific time period, data from specific departments, or a particular type of data
  • You are entitled to any of your personal data currently held by the University – some information may have been destroyed in accordance with the University’s records retention policy

Will I have to pay a fee?

For the majority of cases, there will be no fee applicable for making a subject access request.

However, we reserve the right to apply a fee in some cases, such as requests for duplicate copies of information. The University will inform you if a fee is applicable, at which stage you will have the option to withdraw your request.

When will I receive a response to my subject access request?

The timescale for the majority of subject access requests is one month.

However, we have the right to extend this timescale by a further two months in certain circumstances, for example, if your request is complex or involves a very high volume of data.

If we need to apply an extension, we will contact you to confirm this within one month of receiving your request and explain the reasons why.

Your additional rights under new Data Protection Regulations

The recent changes to Data Protection Legislation provide you with the following rights.

It is important to note, however, that there may be some exemptions to dealing with your request in certain circumstances in relation to these rights.

The requests below will be carried out within a timescale of one month.

Right to Rectification

You have the right to request that the University rectify any inaccurate or incomplete information we hold about you. This right is not always applicable and only applies in certain circumstances.

Right to Restriction

This refers to the right to restrict the processing of your personal data, for example, restricting who your data is shared with. This right is not always applicable and only applies in certain circumstances.

Right of Erasure

This is also known as ‘the right to be forgotten’, and concerns the right to have your personal data erased. Again, this right is not always applicable and only applies in certain circumstances.

If you wish to exercise any of these rights or want to query these further, please contact or call the University Data Protection Officer on 01484 473000.

How does the University handle data? - "Privacy Notices"

The University describes in general terms how personal data is handled. These descriptions are called "Privacy Notices" and links to the University’s privacy notices are set out below.

CCTV Code of Practice

Download the PDF regarding CCTV Code of Practice

Data Breach Reporting

Find out more about Data Breach Reporting

Guidance for Staff

Find out more about Guidance for Staff


Information about changes in data protection law