Data protection: overview

The University Group must comply with legislation protecting privacy rights in every jurisdiction where the University operates. As the University and its constituent legal entities are UK data controllers, and also data processors for certain activities, the territorial scope of UK data protection legislation applies to all processing of personal data by and for the University, regardless of where the processing takes place.  

As of 1 January 2021, the European Union (EU) General Data Protection Regulation (GDPR) has been embedded into UK law as the UK GDPR, alongside the revised UK Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations 2003 (PECR).

In addition, we must comply with the European Union (EU) General Data Protection Regulation (GDPR) in relation to personal data collected before 31 December 2020 and when offering goods and services to people in the EU or monitoring their behaviour in the EU.  

In Dubai we apply the UK GDPR, DPA and PECR together with United Arab Emirates federal laws that protect personal privacy. 

We comply with the Malaysia Personal Data Protection Act 2010, alongside the UK GDPR, DPA and PECR for activities involving our Malaysia campus. 

Across the Heriot-Watt University Group we will ensure that all members of the University community enjoy the same high standards of privacy in their interactions with us wherever in the world they may be.

When handling someone else’s personal information, ask yourself: if this was your personal data, would you be happy for everyone else to see it?

Keep personal data and other confidential information securely

  • In locked cabinets or drawers: remove the keys and keep them securely.
  • Protect electronic documents with strong passwords combining upper and lower case letters and numbers or symbols.
  • Lock your computer screen [press Windows key and L] or log out when you are leaving your desk.
  • Don’t leave paper records containing confidential information where others can see them when they come into your office.
  • Never take personal or confidential data off campus e.g. on smartphones, tablets, laptops or memory sticks unless it is securely protected e.g. in encrypted format.
  • Don’t keep data on your computer hard drive. Use your “home” drive or a restricted access folder in your shared drive as these are backed up.
  • Protect your Heriot-Watt University passwords and don’t share them with others.

Take control of your communications

  • Use only your University email account for work emails.
  • If you have to send confidential information by email, encrypt or password protect the email and attachments.
  • Double check your recipient’s email address before you press the Send button to ensure the message gets to the right person and not their namesake!
  • Don’t respond to email requests for your password or bank details.
  • Be cautious about opening email attachments, even from colleagues – if in doubt, scan for viruses.
  • If you use social media for work, use the privacy settings to protect personal and confidential data.
  • Check that you don’t surrender IPR to the service provider.
  • Keep backup copies of important records on University systems, as external services can and do disappear!

Destroy information confidentially when no longer needed

  • Use the University’s records retention schedules which set out what information needs to be kept for how long. Ask us for advice and help.
  • Never dispose of information which is not intended for publication in the waste or recycling bin. Use your School/Section shredder or confidential records destruction service instead.
  • Ensure that information is completely erased from obsolete computer hardware and portable storage devices. Deleting the data is not sufficient. Ask your local IT team for the best method of removing data permanently.

Find more information about our policies, procedures and information governance and IT policies.  We also provide readers with additional guidance on our Information Security page.

We have developed a suite of pages that provide guidance on various aspects of data protection legislation.  We also provide readers with a copy of our Data Protection Policy 2018.
