Data Protection Policy

Updated on 13 May 2020

The University data protection policy concerns the processing of personal data produced, acquired, or maintained by the institution and its employees in the course of the University’s business

On this page


The University of Dundee acknowledges its responsibilities concerning the processing of personal data and will endeavour to ensure that its activities align with the UK General Data Protection Regulation (UK GDPR)  and associated legislation.

All staff and students are required to respect the requirements of legislation in this domain and ensure that they do not undertake activities that are contrary to those requirements.


This policy is for the attention of all staff and students of the University of Dundee insofar as they are required to process personal information during the course of their employment or studies.

The rights of individuals apply to any person about whom the University holds personal data.


This document represents the University’s commitment to the appropriate processing of personal data and to respect the rights of individuals in relation to their personal information.


The definitions of ‘personal data’ and ‘special categories of personal data’ used by the University are those provided in the UK GDPR.

Lawful processing

The UK GDPR requires the University to set out why it asserts that it's the processing of personal data and special categories of personal data are lawful. The University maintains the data protection webpage containing this information. This page will be updated from time to time.

Data Protection Officer

As a Scottish Public Authority the University is required to designate a Data Protection Officer who holds the authority and has the responsibilities detailed in Articles 37, 38 and 39 of the UK GDPR. Details of the Data Protection Officer have been published on the data protection webpage and will be updated from time to time.

Data controller

The University will normally be the data controller for personal data processed further to its activities. It may also act as a joint data controller or data processor where appropriate.


  • The Secretary of the University has overall responsibility for data protection compliance.
  • The Data Protection Officer has those responsibilities set out in the UK GDPR and supports institutional compliance accordingly.
  • The Library & Learning Centre and Culture & Information provide guidance and operational support on data protection matters.
  • Legal provides advice to the University as required/appropriate.
  • University Executive Group, Deans, School Managers and Directors of the University are responsible for the stewardship of data in their areas. They ensure that the processing of any personal data in their Schools or Services, or in any special projects or initiatives they may lead on behalf of the University, is conducted appropriately and in compliance with relevant legislation. This includes ensuring that individuals can exercise their rights in respect of their data.
  • Employees of the University are responsible for ensuring any processing of personal data in the course of their duties or by students under their supervision is conducted in accordance with the UK GDPR and other applicable legislation.
  • Students processing personal data, for example as part of research work or independent study, must ensure that they have sought and implemented advice concerning the personal data implications of their studies and the methods used to further those studies.

Individual rights

  • The University respects the rights of individuals in respect of their personal data. Anyone wishing to access, erase, or limit the use of their information should contact the relevant School or Service in the first instance.
  • Anyone unsure of who to contact or wishing to raise concerns about the use of their information should contact dataprotection@dundee.ac.uk. They may also wish to contact the Information Commissioner’s Office.

Additional information

Additional information on how the University uses personal data can be found in privacy notices published on the data protection webpage on relevant sections of the University’s website, or provided to individuals directly (for example, when participating in research projects).

Change control

Change Date Authority
Approval 13 October 2010 Senate
Updated to reflect new guidance and contact details. 15 May 2015 Secretary of University
Revised for GDPR April/May 2018 Head of Information Governance
Considered by Data Records and Information Committee (DRIC) 2 May 2018 DRIC
Approved under delegated authority 10 May 2018 Secretary of University



Information Governance

Corporate information category Data protection