The University collects the personal data of applicants, staff, students, alumni, visitors, stakeholders, research participants and others. This data is used in a variety of ways and for a variety of purposes in the course of our work.
Data protection laws
The University is subject to the following laws in regard to this data:
- the UK General Data Protection Regulation (UK GDPR) - sets out the data protection principles and legal basis for processing, the rights of data subjects, the obligations of data controllers and processors, international transfers, and enforcement
- the Data Protection Act 2018 (DPA 2018) - sets out the data protection framework for UK law, defining exemptions and the powers of the Information Commissioner's Office (ICO), the UK's regulator for data protection and freedom of information law
- the Privacy and Electronic Communications Regulations (PECR) - these regulations provide a range of rules around electronic communications. The University will most commonly follow these for direct marketing by email, telephone campaigns and the use of cookies on our websites and emails
The University is registered with the Information Commissioner's Office as a 'data controller'. Breaching the UK's privacy laws can result in enforcement action, including monetary penalties of up to £18 million or 4% of global turnover. Personal misuse of data by a member of staff can result in disciplinary action and a possible criminal record.
Data protection principles
The seven data protection principles are set out in the UK GDPR:
- lawfulness, fairness and transparency - the University explains to its students, staff and customers how it processes their personal data at the point of collection, what the legal basis is for processing and for what purposes the data will be used. In circumstances where the data is not sourced from the individual, information is made available which explains how the data is used
- purpose limitation - the University only uses the personal data it has for the purposes it was collected for unless certain safeguards around re‐use apply
- data minimisation - the University only collects personal data which is relevant to the purposes for which it is collected
- accuracy - the University ensures that personal data is correct and up to date, and that it is able to rectify any mistakes quickly
- storage limitation - the University does not retain personal data for longer than it is needed unless certain safeguards around long term or permanent storage apply
- integrity and confidentiality - the University protects personal data against unauthorised access, loss or destruction by a range of security measures
- accountability - the University will be responsible for its data processing and be able to demonstrate compliance with the other data protection principles