Data Protection & GDPR (UK and EU)

What is the General Data Protection Regulation (GDPR)?

The GDPR superseded national laws including the UK Data Protection Act, unifying data protection and easing the flow of personal data across the 28 EU member states. From the 25 May 2018 all organisations that process the personally identifiable information of EU residents are required to abide by a number of provisions or face significant penalties. From 1 January 2021 the UK GDPR were introduced.

Why is it important to Oxford Brookes?

As a public body the new UK GDPR will increase the obligations of Oxford Brookes University under the current Data Protection Act and will introduce substantial penalties for violations of the regulation, including fines for administrative errors such as incorrect recording and reporting.

Key points of the UK Data Protection law that are relevant to Oxford Brookes University:

Please note that the Information Security Management team is currently producing comprehensive guidance on each of the themes below.

Privacy Notices for staff and students

A key feature of UK GDPR is transparency, and privacy notices are the principle way of delivering this, letting individuals know what personal information Oxford Brookes collects and why, who we may share it with and what your rights under the legislation are.

Personal data is any information that can be used to identify a single, living individual, whether it relates to private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.

Fair and lawful processing of information

Oxford Brookes University stores and processes personal information about students, staff and others.

  • When we ask data subjects (students, staff, other individuals) to provide personal information it must be used for a particular, and lawful, purpose and no other incompatible purposes.
  • Personal information should only be kept for as long as it is needed. If this personal information is shared with third parties then data subjects must be informed. Personal information must only be shared when necessary.  

Oxford Brookes is responsible for keeping personal information accurate and up to date.

Privacy by design

All new information systems and business processes that involve the use of personal data must ensure data protection and privacy obligations are met from the planning stage through to delivery and use. While IT Services will assist in this process it is important that all directorate and faculty staff involved in such projects think about the types of personal data involved and what the potential risks (to individuals and the University) could be.

Transparency and Privacy Notices

Data subjects must be informed of our processing activities, privacy notices set out how personal information is used and what data subjects’ rights are. 

For a UK GDPR-compliant privacy notice template please see the ‘Useful Resources’ box to the right of this text.

Record retention and Information lifecycle management

Personal information should only be kept for as long as it is needed and then disposed of securely. For further information please refer to the Records Management webpage.

IT equipment such as laptops should be returned to IT Services when they are no longer needed. 

Information security for personal data (including breach management)

We are all responsible for ensuring that personal information is kept safe. Key cybersecurity risks can be reduced by following security ‘hygiene’ best practices. Our top tips are:

  • Keep all devices (including mobile phones) up to date with the latest update and security ‘patches’.
  • Use strong passwords (min. 12 characters, mixture of letters, numbers and cases) and do not share them with anybody. Consider the use of password management solutions.
  • Beware of phishing, emails (and phone calls) that appear to come from legitimate sources but that are trying to trick you into providing your username and password to criminals.
  • Be cautious when using ‘free’ or public wifi.

Everyone needs to know what to do if there is a data breach. A breach occurs where personal information is shared when it should not be or is otherwise compromised. It is important that staff should let their line manager know at once and contact setting out what has happened if there has been a suspected or actual data breach.  It may be that Information Security can do something to help or reduce the impact of the breach.

Data Subject Rights

Data subjects (students, staff, other third parties) can:

  • Make a subject access request asking Oxford Brookes for copies of any personal information held about them, at no cost. This personal information must be provided in a portable format (so electronically when appropriate) within a calendar month of the request being made. Please note that responding to subject access requests will typically be handled by the IT Services Information Management team.
  • Object to personal data being shared (with a reason particular to their circumstances).
  • Expect personal information to be accurate and for the information to be corrected if it is not.
  • Stop the use of personal information for marketing, cookies profiling (or automated decision making).
  • Ask for personal data to be deleted. Please note that this right does not override Oxford Brookes University’s legal and statutory obligation to retain certain personal data.
  • Raise concerns with the Information Management team or in the future, with the Data Protection Officer (by emailing
  • May complain to the Information Commissioner within the 3 months of the last meaningful contact with Oxford Brookes. The contact details are on the ICO website.

Data Protection and Teaching

Everyone has to keep personal information about students and staff confidential and safe.

  • Any personal information (which includes email addresses, work, minutes of meetings which contain names etc) must be held securely in line with Oxford Brookes' policies [insert link] staff website.
  • Take care when storing personal information on remote devices.
  • Use caution when sending group emails, use individual emails or the bcc field where appropriate.
  • Any potential or actual breaches must be reported to (see 6 above).
  • Any subject access requests (or other requests to exercise data subject rights) made by a student should be sent to

Data Protection and Research

Research data containing personal information is subject to the same legal requirements as any other personal information. (Also there may be other legal considerations such as intellectual property, copyright or design rights to think about.) Researchers should make sure that they:

  • Are aware of the law regarding the collection and use of personal information. Researchers will need to liaise with the Ethics Board and other relevant regulatory organisations as appropriate.
  • Are careful that the data subject cannot be identified in any findings when they are not meant to be (for example because they have a rare characteristic).
  • Have made sure that the subjects of research are clear about how their personal information may be used and that they have received a Privacy Notice which sets out their rights.
  • Have the consent of the research subject in writing to use their personal information.

Should the data subject withdraw their consent for use of their personal information at any time and this has implications for the validity of the research, the researcher is advised to seek the advice of the IT Services Information Management team.

Procurement and Third Party Processing

Oxford Brookes remains responsible for personal information even where the personal data is processed by another organisation  or individual, on our behalf.

  • Any procurement exercise must include appropriate data protection and information security provision.
  • Any contract must make clear which organisation is responsible for the data (the data controller) and which organisation uses the data (the data processor). Contracts must also include certain provisions required by data protection law. Legal Services and the IT Information Management team can provide further guidance on this as required.

It is important to recognise that while certain services and functions may be outsourced, any associated data protection and privacy risks are not. We should ensure that third parties have appropriate technological and organisational security controls in place to safeguard the data of our students and staff.

Contact us

Information Security Office

Oxford Brookes University
Headington Campus
Gipsy Lane
Oxford OX3 0BP

+ 44 (0) 1865 484354

Useful UK GDPR Resources