This page provides information for all University stakeholders on how personal data is processed under the General Data Protection Regulation (GDPR). The 'GDPR Toolkit' provides information and tools for University staff.
Please contact firstname.lastname@example.org with any questions.
GDPR - Policy
- Data protection policy - GDPR
- University activities – basis for lawful processing of personal data
- The University is reviewing systems which store and process personal data. Please contact us with any questions.
- New - see below for updated guidance on remote / home working
- inappropriate access to/loss of personal data;
- damage to the integrity of personal data; or
- a compromise in the security of personal data.
We recognise that, with substantial University operations now being accessed and completed from the home working environment, new and additional information governance matters are raised. We have prepared guidance (Guidance on remote working) to cover aspects such as the importance of using core University systems for storing and processing data, and how our responsibilities to maintain personal data in an appropriately private and secure fashion continue to apply. Staff and students at remote locations must be particularly careful with extensions, apps and plug-ins that offer additional functionality but can compromise privacy and data security.
GDPR - Information for individuals
The notices below provide general information concerning the University’s use of personal data from different stakeholder groups.
- Privacy notice - students 2019_20
- Privacy notice - applicants for study
- Privacy notice - graduating students
- Privacy notice - alumni
- Privacy notice - staff
- Privacy notice - applicants for employment
- Privacy notice - professional contact information
- Privacy notice - criminal conviction data
- Privacy notice – equal opportunities data
- Privacy notice - Academic and Corporate Governance/University Executive Office
- Privacy notice - Estates and Campus Services
- Privacy notice – External Relations – Marketing and Recruitment
- Privacy notice – External Relations – Public Engagement and Major Events
- Privacy notice - Finance
- Privacy notice - Human Resources - Occupational Health
- Privacy notice - Library and Learning and Culture and Information
- Privacy notice - Library and Learning Centre - Mobile Library App
- Privacy Notice - School of Medicine - MSC Clinical Academics Survey
- Privacy notice - Research and Innovation Services
- Privacy notice – Student Services – Careers Service – Employers
- Privacy notice – Student Services – Careers Service – Students
- Privacy notice – Student Services – Counselling Services
- Privacy notice – Student Services – Disability Services
- Privacy notice - Student Services - Enquiry Centre
- Privacy notice – Student Services – Health Service
- Privacy notice – Student Services – Registry
- Privacy notice – Student Services – Residences - 2019_20
These notices concern major activities within the University:
- Learning analytics (managed by the Library and Learning Centre)
- Mobile Library App (managed by the Library and Learning Centre)
- Current Research Information System - Discovery (managed by the Library and Learning Centre)
- Information on how the University deploys cookies on its website (managed by External Relations)
- Video conferencing and communication
You will also find privacy notices attached to different aspects of the University's activities such as when you complete a survey or make an enquiry.
Higher Education Statistics Agency (HESA)
HESA privacy information - The University, like all universities, must provide personal data concerning students and staff to HESA each year. The University has signed a data sharing agreement with HESA to ensure appropriate safeguards are in place for that sharing. Their website sets out how they use the personal information they gather in the HESA privacy notices linked above. A subset of this data is included in the Heidi Plus database provided by HESA Services Ltd (HESA's wholly-owned subsidiary), to which we subscribe and which can be accessed by some of our staff who need the data for their work and have had appropriate training in information security.
Heidi Plus includes data relating to individuals who have undertaken higher education courses in the UK and staff working for higher education providers. Any data which we can access through Heidi Plus does not include names and identifiers but could potentially be identifiable data to a third party who already has other information about the individual. Access to this data is granted under strict contractual terms for specific purposes relating to research, administration and equal opportunities monitoring.
If you require further information about any data relating to you which may be held within Heidi Plus, please contact HESA Services Ltd by emailing email@example.com.
Tools and templates for use by University staff.
Standard Operating Procedures
- Managing requests for information
- Data incident management
- Interception of communications
- Information security classification - guidance to help University staff consider the sensitivity of information and the most appropriate means of storage and transmission
- Requests for personal data from external agencies
- Lost property – USB sticks and data devices
- Template for new systems and services - https://uod.box.com/s/tgh0h2x35g38jab0k6mb1uuzvljusyi3
- Template for research projects - https://uod.box.com/s/80hwatqrf5i5e9hntjd42jxil94h274s
- The trigger for each retention period is normally 'end of the academic session in which' rather than 'last action';
- Commercial contract information will be retained for 10 years after the end of the session in which the contract closed;
- Information compliance case files (data subject access requests, freedom of information and environmental information requests) will be retained for three years after the close of the session in which the file was closed;
- Copies of summatively assessed work will normally be destroyed one year after marks are confirmed at examinations board unless: a. professional body requirements mandate that they are retained for longer than that; b. the assessment contributes to final degree award where it will normally be retained for one year after the final examinations board; or c. the discipline maintains copies of dissertations or similar work for reference.