
About Data Protection at the University

Although the General Data Protection Regulation was originally a European law and we have now left the European Union, a specific version of the GDPR has been approved by the UK parliament to retain its main principles in domestic law.

The key principles, rights and obligations remain the same as in the EU GDPR, but there are specific changes. This British version is known as the UK GDPR, which sits alongside an amended version of the Data Protection Act 2018 in setting out the data protection legislative landscape in the UK.

The University is obliged to have a Data Protection Officer. This is Matt Stephenson who can be contacted at

The key principles of data protection law are set out below.

GDPR principles

The GDPR is based around six principles to ensure that personal data is:

  1. Processed lawfully, fairly and in a transparent manner
  2. Collected for specified, explicit and legitimate purposes
  3. Adequate, relevant and limited to what is necessary
  4. Accurate and, where necessary, kept up to date
  5. Kept for no longer than is necessary
  6. Processed securely

Organisations must be able to demonstrate they are compliant with these principles.

Personal data

Personal data means any information relating to an identified or identifiable person. Examples of personal data include:

  • A home address
  • An email address
  • A photograph
  • Location information
  • Medical information
  • Educational records

Lawful basis

The legal basis ensures that personal data is processed lawfully, fairly and transparently. For the University to process any personal data, one of the following criteria must apply:


Consent is when a person freely agrees to the processing of their personal data by a statement or clear affirmative action.

Consent is not regarded as being freely given if a contract is conditional on consent being given to process personal data for other purposes.

Individuals have the right to withdraw consent at any time.

The performance of a contract

The information is processed

Compliance with a legal obligation

We are legally bound to process the information. This does not include contractual obligations.

To process information relating to criminal offences and criminal convictions, Article 10 of the GDPR or a condition in Schedule 1 of the Data Protection Act 2018 must be met.




Vital interests

Processing the information is necessary to protect someone's life.

Public interest or official authority

Processing the information is in the public interest or is necessary for an official function.

Legitimate interests

Processing the information is in the legitimate interest of the University or a third party. This may be overridden by a good reason to protect the subject's personal data.

For special categories of personal data (i.e. data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, genetic data and biometric data) a further set of lawful bases must also be satisfied. These are specified in Article 9 of the GDPR and Schedule 1 of the Data Protection Act 2018.

Additional responsibilities

The GDPR also sets out other responsibilities:

  • Rights of data subjects – these are outlined below;
  • Introduction of data protection by design and default;
  • Obligations for arrangements with regard to any subcontracted processing of personal data;
  • The requirement to have a record of processing activities listing all personal data processed;
  • To maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk;
  • To require organisations to report breaches of personal data within 72 hours;
  • Data Protection Impact Assessments for new or high risk processing;
  • A new role of data protection officer for public bodies and other large organisations;
  • Obligations to protect personal data being transferred to countries without personal data.

The GDPR allows individual national governments to make decisions around many areas and these are documented in the Data Protection Act 2018 (DPA).

The DPA also brings into UK law an EU directive relating to the processing of personal data for law enforcement purposes.