The University Group must comply with the European Union General Data Protection Regulation (GDPR), UK Data Protection Act, 2018 and other relevant legislation protecting privacy rights. As the University is a UK Data Controller, and also a Data Processor for certain activities, the territorial scope of this legislation, and therefore of this policy, applies to all processing of personal data by and for the University, regardless of where the processing takes place.
The University must also comply with relevant legislation, such as the Malaysia Personal Data Protection Act, 2010, in other jurisdictions where the University operates.
The law and your rights
- Their rights under data protection law and how to use them
- What the University is doing to comply with its legal obligations under data protection law
Misuse of personal data, through loss, disclosure, or failure to comply with the Data Protection Principles and the rights of data subjects, may result in significant legal, financial and reputational damage. This may include penalties of up to €20 million or 4% of worldwide annual turnover for serious breaches of the law, claims for compensation and loss of recruitment and research income.
Who is affected by our policy? Who does it impact on?
- Prospective applicants
- Applicants to programmes and posts
- Current and former students
- Employees (current and former)
- Family members where emergency or next of kin contacts are held
- Workers employed through temping agencies (including casual workers)
- Court and Committees of the Court members
- Research subjects and external researchers
- Visiting scholars and volunteers
- Donors (potential and actual)
- Customers Conference delegates
- People making requests for information or enquiries
- Professional contacts and representatives of funders
- Partners and contractors
Users of personal data: Our policy applies to anyone who obtains, records, can access, store or use personal data in the course of their work for the University. Users of personal data include employees and students of the University, contractors, suppliers, agents, University partners and external researchers and visitors.
Where does our policy apply?
What are the responsibilities of the University under Data Protection law?
- Processed lawfully, fairly and in a way that is transparent to the data subject ('lawfulness, fairness and transparency')
- Collected or created for specified, explicit and lawful purposes and not be further processed in a manner that is incompatible with those purposes. ('purpose limitation') Adequate, relevant and limited to what is necessary for those purposes ('data minimisation')
- Accurate and kept up to date ('accuracy')
- Retained in a form that can identify individuals for no longer than is necessary for that purpose ('storage limitation')
- Kept safe from unauthorised access, processing, accidental or deliberate loss or destruction ('integrity and confidentiality')
What does the processing of data fairly and lawfully mean?
- Only collect and use personal data in accordance with the lawful conditions set down under the GDPR;
- Document each condition we rely on; maintain this information within a formal set of Records of Processing Activities; regularly review and update these records and make them available to the Information Commissioner’s Office, other supervisory authorities and data subjects on request
- Treat people fairly by using their personal data for purposes and in a way that they would reasonably expect
- Ensure that if we collect someone's personal data for one purpose e.g. to provide advice on study skills, we will not reuse their data for a different purpose that the individual did not agree to or expect e.g. to promote goods and services for an external supplier
- Rely on consent as a condition for processing personal data only where:
- We first obtain the data subject’s specific, informed and freely given consent
- The data subject gives consent, by a statement or a clear affirmative action that we document
- The data subject can withdraw their consent at any time without detriment to their interests
What we mean by informing data subjects of what we are doing with their personal data?
- The identity and contact details of the University and the Data Protection Officer
- What personal data we collect
- For what purposes we collect and use their data
- What lawful conditions we rely on to process data for each purpose and how this affects their rights
- Whether we intend to process the data for other purposes and their rights to object
- The sources from which we obtain their data, where we have received the data from third parties
- Whether we use automated decision making, including profiling, and if so the impact on data subjects and their rights to object
- Whether they need to provide data to meet a statutory or contractual requirement and if so, the consequences of not providing the data
- Our obligations to protect their personal data
- To whom we may disclose their data and why
- Which other countries we may we may send their data to, why we need to do this and what safeguards apply in each case
- Where relevant, what personal data we publish and why How data subjects can update the personal data that we hold
- How long we intend to retain their data
- How to exercise their rights under data protection law
What do we have to do in order to uphold individual's rights as data subject?
- Obtain a copy of the information comprising their personal data, free of charge (where feasible) within one month of their request (see also our pages on requesting personal data)
- Correct personal data and ensure it is complete
- Have their personal data erased when it is no longer needed if the data has been unlawfully processed or if the data subject withdraws their consent, (unless there is an overriding legal or public interest in continuing to process the data)
- Restrict the processing of their personal data until a dispute about the data’s accuracy or use has been resolved, or when the University no longer needs to keep personal data but the data subject needs the data for a legal claim
- Data portability; where a data subject has provided personal data to the University by consent or contract for automated processing and asks for a machine readable copy or have it sent to another data controller
- Object to and prevent further processing of their data for the University’s legitimate interests or public interest unless the University can demonstrate compelling lawful grounds for continuing
- Prevent processing of their data for direct marketing
- Stop the University processing data obtained for online services such as social media, where consent for the processing was previously given by or on behalf of a child, who withdraws their consent
- Object to decisions that affect them being taken solely by automated means
- Claim compensation for damages caused by a breach of data protection law
What we mean by applying 'data protection by design and default' principles to all our personal data processing
- Use proportionate privacy and information risk assessment, and where appropriate data protection impact assessment, to identify and mitigate privacy risks at each stage of every project or initiative involving processing personal data and in managing upgrades or enhancements to systems and processes used to process personal data
- Adopt data minimisation: we will collect, disclose and retain the minimum personal data for the minimum time necessary for the purpose
- Anonymise personal data wherever necessary and appropriate, e.g. when using it for statistical purposes, so that individuals can no longer be identified
How we plan to protect personal data
- Control access to personal data so that staff, contractors and other people working on University business can only see such personal data as is necessary for them to fulfil their duties
- Require all University staff, contractors, students and others who have access to personal data in the course of their work to complete basic data protection training, supplemented as appropriate by procedures and guidance relevant to their specific roles
- Set and monitor compliance with security standards for the management of personal data as part of the University's wider framework of information security policies and procedures
- Reduce risk of disclosure by pseudonymising personal data where possible, Provide appropriate tools for staff, contractors, students and others to use and communicate personal data securely when working away from the University, for instance through provision of a secure Virtual Private Network, encryption and cloud solutions
- Take all reasonable steps to obtain assurance that all suppliers, contractors, agents and other external parties who process personal data for the University will comply with auditable security controls to protect our data and enter into our Data Processor Agreements
- Maintain Data Sharing Agreements with educational partners and other external bodies with whom we may need to share personal data to deliver academic programmes, shared services or joint projects to ensure proper governance, accountability and control over the use of such data
- Maintain records of processing activities
- Where transferring personal data to another country outside the European Union put in place appropriate agreements and auditable security controls to maintain privacy rights; allow personal data to be transferred to other countries only if it maintains the same level of protection for the privacy rights of the data subjects concerned
- Ensure that our students are aware of how data protection law applies to their use of personal data in the course of their studies or research and how they can take appropriate steps to protect their own personal data and respect the privacy of others
- Manage all subject access and third party requests for personal information about staff, students and other data subjects in accordance with our procedures for responding to requests for personal data
- Make appropriate and timely arrangements to ensure the confidential destruction of personal data in all media and formats when it is no longer required for University business
How long we will keep data?
- Destroy records securely or
- Transfer them to either our own storage space and or storage provider for a limited period or
- Transfer them to our Archive Section given the public interest, scientific, historical or statistical purposes
When managing access to archives containing personal data we will apply appropriate technical and organisational measures to safeguard the rights and freedoms of the data subjects concerned:
- Apply exemptions to public rights of access to information as appropriate in accordance with the data subjects' rights to privacy
- Redact personal data, e.g. by pseudonymisation,
- Withhold access to specific categories of record, such as student records, for the lifetime of the student and their identifiable next of kin
How we will manage data security breaches
The use of privacy notices
Privacy notices are a method by which our University can explain to data subjects what we do with their personal data. Our University has Privacy statements for:
- Privacy notice for Prospective students
- Privacy notice for Current students
- Privacy notice for Employees, casual workers, job applicants, candidates and contractors
A pdf version of our Data Protection Policy is available for download.