1.1 The University holds and processes information about employees, students, and other data subjects for academic, administrative and commercial purposes. When handling such information, the University, and all staff or others who process or use any personal information, must comply with the Data Protection Principles which are set out in the Data Protection Act 1998 (the Act).
In summary these state that personal data shall:
"Staff", "students" and "other data subjects" may include past, present and potential members of those groups.
"Other data subjects" and "third parties" may include contractors, suppliers, contacts, referees, friends or family members.
"Processing" refers to any action involving personal information, including obtaining, viewing, copying, amending, adding, deleting, extracting, storing, disclosing or destroying information.
2. Notification of Data Held
2.1 The University shall notify all staff and students and other relevant data subjects of the types of data held and processed by the University concerning them, and the reasons for which it is processed. The information which is currently held by the University and the purposes for which it is processed are set out in Appendix 1 to this Policy. When processing for a new or different purpose is introduced, the individuals affected by that change will be informed and Appendix 1 will be amended.
3. Staff Responsibilities
3.1 All staff shall
• ensure that all personal information which they provide to the University in connection with their employment is accurate and up-to-date;
• inform the University of any changes to information, for example, changes of address;
• check the information which the University shall make available from time to time, in written or automated form, and inform the University of any errors or, where appropriate, follow procedures for updating entries on computer forms.
The University shall not be held responsible for errors of which it has not been informed.
3.2 When staff hold or process information about students, colleagues or other data subjects (for example, students' course work, pastoral files, references to other academic institutions, or details of personal circumstances), they should comply with the Data Protection Guidelines for Academic Staff.
3.3 Staff shall ensure that
3.4 When staff supervise students doing work which involves the processing of personal information, they must ensure that those students are aware of the Data Protection Principles, in particular, the requirement to obtain the data subject's consent where appropriate.
4. Student Responsibilities
4.1 All students shall
The University shall not be held responsible for errors of which it has not been informed.
4.2 Students who use the University computer facilities may, from time to time, process personal information (for example, in course work or research). In those circumstances, they must notify their course tutor or research supervisor in the relevant Faculty who will provide further information about their responsibilities in processing personal data.
5. Rights to Access Information
5.1 Staff, students and other data subjects in the University have the right to access any personal data that is being kept about them either on computer or in structured and accessible manual files. Any person may exercise this right by submitting a request in writing to the Information Compliance Officer.
5.2 The University will make a charge of £10 for each official Subject Access Request, except for requests involving Health Records where the University may charge up to £50 for each request if those records are held either wholly or partly in non-electronic form.
5.3 The University aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 40 days unless there is good reason for delay. In such cases, the reason for the delay will be explained in writing by the Information Compliance Officer to the data subject making the request.
6. Subject Consent
6.1 In some cases, such as the handling of sensitive information or the processing of research data, the University is entitled to process personal data only with the consent of the individual. Agreement to the University processing some specified classes of personal data is a condition of acceptance of a student on to any course, and a condition of employment for staff. (See Appendix 1)
7. Sensitive Information
7.1 The University may process sensitive information about a person's health, disabilities, criminal convictions, race or ethnic origin, or trade union membership. For example, some jobs or courses will bring the applicants into contact with children, including young people between the ages of 16 and 18, and the University has a duty under the Children Act 1989 and other enactments to ensure that staff are suitable for the job, and students for the courses offered. The University may also require such information for the administration of the sick pay policy, the absence policy or the equal opportunities policy, or for academic assessment.
7.2 The University also asks for information about particular health needs, such as allergies to particular forms of medication, or conditions such as asthma or diabetes. The University will only use such information to protect the health and safety of the individual, for example, in the event of a medical emergency.
8. The Data Controller and the Designated Data Controllers
8.1 The University is the data controller under the Act, and the Vice-Chancellor is ultimately responsible for implementation. Responsibility for day-to-day matters will be delegated to the Heads of Faculties and Directors as designated data controllers. Information and advice about the holding and processing of personal information is available from the University's Information Compliance Officer.
9. Assessment Marks
9.1 Students shall be entitled to information about their marks for assessments; however, this may take longer than other information to provide. The University may withhold enrolment, awards, certificates, accreditation or references in the event that monies are due to the University.
10. Retention of Data
10.1 The University will keep different types of information for differing lengths of time, depending on legal, academic and operational requirements. Information and advice about the recommended retention times are available from the University Records Manager.
11.1 Compliance with the Act is the responsibility of all students and members of staff. Any deliberate or reckless breach of this Policy may lead to disciplinary, and where appropriate, legal proceedings. Any questions or concerns about the interpretation or operation of this policy should be taken up with the Information Compliance Officer by telephone on extension 4354 or by e-mail at firstname.lastname@example.org.
11.2 Any individual who considers that the policy has not been followed in respect of personal data about him- or herself should raise the matter with the designated data controller initially. If the matter is not resolved, it should be referred to the University Information Compliance Officer and may be pursued through the staff grievance or student complaints procedure.
Appendix 1: University Information Processing
The University has notified the Information Commissioner that personal information may need to be processed for the following purposes:
For further information about these regulations, please contact the Information Compliance Officer.