The University takes individuals’ privacy very seriously and is committed to compliance with its obligations under data protection law.
The General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act 2018 (DPA) (together the “Data Protection Legislation”) govern how the University collects and uses individuals’ information and the rights of individuals in respect of that information. The University is obliged to comply with the 6 data personal data principles of the GDPR:
The University’s Data Protection Policy sets out how the University aims to comply with the Data Protection Legislation. Details are also available to all staff and students as to how personal information is handled – these are provided below.
Further general guidance is available from the Information Commissioner's Office .
Good records management and information security will help the University comply with the Act. The way our staff go about their daily tasks is vital to this. The University Solicitor is the University's Data Protection Officer and is responsible for providing help and guidance on applying the Data Protection Legislation, as well as for co-ordinating data subject rights requests from individuals.
Some individual areas of the University have specific and additional Data Protection and/or Confidentiality Policies, for example, Student Services or the Podiatry Clinic, because their work is of a very specialist nature or may involve people who are not staff or students of the University.
Under the Data Protection Legislation, individuals have the right to make requests to organisations to see any personal data which is held about them. This is called a ‘subject access request’ (SAR).
Personal data is information relating to an individual, or information that allows the individual to be identified from it.
For example, an individual’s academic or HR record, their payroll data, a dataset containing information that identifies an individual or an email that refers to or relates to an individual are all examples that would be classed as personal data.
Please complete the Subject Access Request Form and return it to the University Data Protection Officer, along with evidence of your identity (copy of passport, driving licence, student ID, etc.)
To enable you to get the most out of your request, please be as specific as possible in regards to the information you wish to receive.
You can send the form to us by post or email, or in person to the Vice-Chancellor’s Office. Full details are on the form.
Further guidance on making a subject access request is provided below:
For the majority of cases, there will be no fee applicable for making a subject access request.
However, we reserve the right to apply a fee in some cases, such as requests for duplicate copies of information. The University will inform you if a fee is applicable, and which stage you will have the option to withdraw your request.
When will I receive a response to my subject access request?
The timescale for the majority of subject access requests is one month.
However, we have the right to extend this timescale by a further two months in certain circumstances, for example, if your request is complex or involves a very high volume of data.
If we need to apply an extension, we will contact you to confirm this within one month of receiving your request and explain the reasons why.
The recent changes to Data Protection Legislation provide you with the following rights.
It is important to note, however, that there may be some exemptions to dealing with your request in certain circumstances in relation to these rights.
The requests below will be carried out within a timescale of one month will be.
Right to Rectification
You have the right to request that the University rectify any inaccurate or incomplete information we hold about you. This right is not always applicable and only applies in certain circumstances.
Right to Restriction
This refers to the right to restrict the processing of your personal data, for example, restricting who your data is shared with. This right is not always applicable and only applies in certain circumstances.
Right of Erasure
This is also known as ‘the right to be forgotten’, and concerns the right to have your personal data erased. Again, this right is not always applicable and only applies in certain circumstances.
If you wish to exercise any of these rights or want to query these further, please contact firstname.lastname@example.org or call the University Data Protection Officer on 01484 473000.
The University describes in general terms how personal data is handled. These descriptions are called "Privacy Notices" and links to the University’s privacy notices are set out below.