This page provides information for all University stakeholders on how personal data is processed under the General Data Protection Regulation (GDPR). The 'GDPR Toolkit' provides information and tools for University staff.
Please contact email@example.com with any questions.
GDPR - Policy
- inappropriate access to/loss of personal data;
- damage to the integrity of personal data; or
- a compromise in the security of personal data.
GDPR - Information for individuals
The notices below provide general information concerning the University’s use of personal data from different stakeholder groups.
- Privacy notice - students - 2017_18
- Privacy notice - applicants for study
- Privacy notice - graduating students
- Privacy notice - alumni
- Privacy notice - staff
- Privacy notice - applicants for employment
- Privacy notice - professional contact information
- Information on how the University deploys cookies on its website
- HESA privacy information - The University, like all universities, must provide information to HESA each year. Their websits sets out how they use information concerning students and staff.
- Privacy notice - Academic and Corporate Governance/University Executive Office
- Privacy notice - Estates and Campus Services
- Privacy notice – External Relations – Marketing and Recruitment
- Privacy notice – External Relations – Public Engagement and Major Events
- Privacy notice - Finance
- Privacy notice - Human Resources - Occupational Health
- Privacy notice - Library and Learning and Culture and Information
- Privacy notice - Research and Innovation Services
- Privacy notice – Student Services – Careers Service – Employers
- Privacy notice – Student Services – Careers Service – Students
- Privacy notice – Student Services – Counselling Services
- Privacy notice – Student Services – Disability Services
- Privacy notice – Student Services – Health Service
- Privacy notice – Student Services – Registry
- Privacy notice – Student Services – Residences
Tools and templates for use by University staff.
Standard Operating Procedures
- Managing requests for information
- Data incident management
- Interception of communications
- Information security classification - guidance to help University staff consider the sensitivity of information and the most appropriate means of storage and transmission
- Requests for personal data from external agencies
- Lost property – USB sticks and data devices
- The trigger for each retention period is normally 'end of the academic session in which' rather than 'last action';
- Commercial contract information will be retained for 10 years after the end of the session in which the contract closed;
- Information compliance case files (data subject access requests, freedom of information and environmental information request) will be retained for three years after close of session in which the file was closed;
- Copies of summatively assessed work will normally be destroyed one year after marks are confirmed at examinations board unless: a. professional body requirements mandate that they are retained for longer than that; b. the assessment contributes to final degree award where it will normally be retained for one year after the final examinations board; or c. the discipline maintains copies of dissertations or similar work for reference.