The Data Protection Act 1998 governs the way that personal information is held and used by the University.

Please find links to the University's Data Protection policies and guidance below. Extensive notes on data protection issues and the operation of the Data Protection Act are available in the University's Information compliance FAQs. If you wish to request your personal information from the University or seek advice on the data protection implications of a new project, please contact Alan Bell -


Policies - Data Protection


Standard Operating Procedures - Data Protection
  • Data subject access requests - The procedure followed by the University when responding to requests for any person's own information.
  • Data loss - The procedure followed when data loss is suspected.
  • Lost data devices - What to do if you lose a device or find a lost one, and the procedure the University follows so that an owner can reclaim their device and so that unclaimed devices are disposed of securely.
  • Interception of communications - The procedure used in the rare instances the University may wish to intercept communications.
  • Transfer within EEA - The procedure for agreements or other collaborations involving the transfer of personal data within the European Economic Area.
  • Transfer outwith EEA - The procedure for agreements or other collaborations involving the transfer of personal data outwith the European Economic Area.
  • Withdrawal of consent to contact - The procedure used when someone wishes to withdraw their consent for the University to contact them.


Useful information
  • How the University uses your information - students - 2017_18 - Information provided to students each year at matriculation.
  • Guidance on searching for information - to help when looking for information to respond to data subject access requests.
  • Guidance by the Director of Legal and the Records Manager on what to include in references.
  • The University's entry on the Public Register of Data Controllers is available here.
  • The case file for each request for personal information received by the University is normally retained for the calendar year in which the request was received plus five years.