Data protection

Information and resources for University staff and stakeholders on how personal data is processed under the General Data Protection Regulation (GDPR)

On this page

GDPR - Policy

The University is reviewing systems which store and process personal data. Please contact us with any questions.

Data Protection Officer

The Director of LLC&CI acts as the University's Data Protection Officer. In that role, they have access to the University Secretary and COO directly. They may also refer to the Principal and/or the lay Chair of the Audit Committee where appropriate.

Data incidents

Any suspected data incident must be reported to immediately. Further details of the breach reporting process are outlined in the Data Breaches Standard Operating Procedure below: 

Data incidents include:

  • inappropriate access to/loss of personal data
  • damage to the integrity of personal data
  • a compromise in the security of personal data

If in doubt, please tell us. The faster we are aware of any issue, the greater the opportunity to reduce the risk to individuals.

Lost data devices

In the event that data devices are lost or recovered on campus please follow the steps outlined in the Lost Data Devices Standard Operating Procedure below. This SOP applies to all data devices including, but not limited to, USB sticks, phones, MP3 players, portable hard disk drives, laptop computers and tablets.

Anyone losing a device on campus is responsible for seeking its recovery in a timely manner in the knowledge that unclaimed devices will be destroyed according to the procedure below.

Guidance on remote / home working

We recognised that with substantial University operations having moved to be accessed and completed from the home working environment, new and additional information governance matters are raised. We have prepared guidance in the data protection for remote working guide to cover aspects such as the importance of using core University systems for storing and processing data, and how our responsibilities to maintain personal data in an appropriately private and secure fashion remain. Staff and students at remote locations must be particularly careful with extensions, apps and plug-ins that offer additional functionality, but can compromise privacy and data security.

GDPR - information for individuals

The notices below provide general information concerning the University’s use of personal data from different stakeholder groups.

Privacy notices

These privacy notices provide information on how personal data is used in key services within the University.

These notices concern major activities within the University

Higher Education Statistics Agency (HESA)

HESA privacy information - The University, like all universities, must provide personal data concerning students and staff  to HESA each year. The University has signed a data sharing agreement with HESA to ensure appropriate safeguards are in place for that sharing. Their website sets out how they use the personal information they gather in the HESA privacy notices linked above. A subset of this data is included in the Heidi Plus database provided by HESA Services Ltd (HESA's wholly-owned subsidiary), to which we subscribe and which can be accessed by some of our staff who need the data for their work and have had appropriate training in information security.

Heidi Plus includes data relating to individuals who have undertaken higher education courses in the UK and staff working for higher education providers. Any data which we can access through Heidi Plus does not include names and identifiers but could potentially be identifiable data to a third party who already has other information about the individual. Access to this data is granted under strict contractual terms for specific purposes relating to research, administration and equal opportunities monitoring.

If you require further information about any data relating to you which may be held within Heidi Plus, please contact HESA Services Ltd by emailing

Individual rights

View guidance on on how to exercise your rights under GDPR

GDPR toolkit

Tools and templates for use by University staff.

Standard operating procedures


The templates linked below include notes on their use. MS Word versions of these files are available from Information Governance.

a. Privacy notice - A privacy notice provides information to individuals concerning our use of their personal data. It explains why that use is fair, lawful and proportionate. Privacy notices are fundamental to the University demonstrating to people how personal data is used and must be provided when personal data is collected and used.

b. Initial Data Risk Assessment and Data Protection Impact Assessment - An Initial Data Risk Assessment is the form and process which is used to identify whether or not the proposed processing of personal data requires a full risk assessment via a Data Protection Impact Assessment (DPIA). If the answer to any of the questions on the IDRA is ‘Yes’ then a DPIA must be completed and sent to Information Governance for review and sign off. Completion of an IDRA is mandatory where there will be high-risk or high-volume processing of personal data, for the introduction of any new systems or for monitoring and/or surveillance systems (such as CCTV).

A Data Protection Impact Assessment (DPIA) should be completed for new or modified uses of personal data and where it is indicated that one is required through completion of the IDRA.

As with the requirement for completing an IDRA, Data Protection Impact Assessments are mandatory for all high-risk or high-volume processing of personal data and for the introduction of any new systems, software solutions or other systems where personal data will be processed.

c. Consent - Consent under GDPR must be freely given, specific, informed, unambiguous and demonstrable. The template below provides a starting point for seeking informed consent. Information Governance can provide support in its use.

Data sharing/processing agreements

Data agreements are required when working with partners and suppliers and processing personal data.

Standard data sharing/processing agreements

Please contact and/or for assistance in this domain.

Working with international partners/suppliers

Guidance on the requirements when working with international partners and/or suppliers has been produced by Legal and Information Governance and is available below. Please note that the location of data can result in an international transfer (for example, a company or partner uses servers based outwith the European Economic Area). Careful attention to this issue is therefore required when working with other partners.

Retention of information

The University’s retention practices are informed by sectoral guidance from JISC. The JISC business classification scheme also provides the basis for the matrix detailing University activities and why they are lawful (linked above).

The University differs from the JISC model as follows:

  • The trigger for each retention period is normally 'end of the academic session in which' rather than 'last action';
  • Commercial contract information will be retained for 10 years after the end of the session in which the contract closed;
  • Information compliance case files (data subject access requests, freedom of information and environmental information request) will be retained for three years after the close of the session in which the file was closed;
  • Copies of summatively assessed work will normally be destroyed one year after marks are confirmed at examinations board unless a. professional body requirements mandate that they are retained for longer than that; b. the assessment contributes to final degree award where it will normally be retained for one year after the final examinations board; or c. the discipline maintains copies of dissertations or similar work for reference.

The University will vary retention periods as required to meet statutory obligations, for example, those required by UK Visas and Immigration.

Disposal of information

Please see the University's Information security classification for guidance on the appropriate storage, transmission and disposal of information.

Data devices recovered on campus (for example lost property) must be handed into to the University Library. Where devices are not claimed they will be destroyed. USB sticks or recovered devices must not be reused and must not be plugged into University network ports, computers or other devices.


Training may be requested by any School, Professional Service or team at any time by emailing

GDPR Champions

A network of champions has been established to provide local contact on data protection matters in each School and Professional Service. 

Guidance for researchers