Skip to content

About Data Protection

The University of Bradford collects and processes large amounts of personal data about staff, students, alumni, contractors, research participants and other living individuals to enable the university to undertake a broad range of activities.

Processing of personal data is controlled by the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA).

The University of Bradford takes its responsibilities under these laws very seriously.

What is the GDPR?

The GDPR is an EU law which came into force in May 2018 replacing previous data protection legislation.  Even though we are leaving the EU in 2019, the UK Government has made it clear that GDPR will still apply in this country after Brexit.

GDPR Principles

The GDPR is based around six data protection principles:

Personal data shall be:

  1. processed lawfully, fairly and in a transparent manner
  2. collected for specified, explicit and legitimate purposes
  3. adequate, relevant and limited to what is necessary
  4. accurate and, where necessary, kept up to date
  5. kept for no longer than is necessary
  6. processed securely

Organisations must also be able to demonstrate compliance with these principles.

Personal Data

Personal data means any information relating to an identified of identifiable natural person (a living individual). Examples of personal data include:

  • a home address;
  • an email address;
  • a photograph;
  • medical information;
  • educational records;
  • a cookie ID.

Lawful basis

In order to process any personal data, a lawful basis must be satisfied:

  • consent
  • the performance of a contract
  • compliance with a legal obligation
  • vital interests
  • public interest or official authority
  • legitimate interests

Consent is defined as being a freely given, specific, informed and unambiguous indication of a person’s wishes by a statement or by a clear affirmative action, signifying an agreement to the processing of their personal data.

Consent is not regarded as being freely given if a contract is conditional on consent being given to process personal data for other purposes.

Individuals also have the right to withdraw consent easily and at any time.

For special categories of personal data (i.e. data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, health, sex life or sexual orientation, genetic data and biometric data) a further set of lawful basis must also be satisfied. These are specified in Article 9 of the GDPR and Schedule 1 of the Data Protection Act 2018.

To process information relating to criminal offences and criminal convictions, Article 10 of the GDPR or a condition in Schedule 1 of the Data Protection Act 2018 must be met.


Other requirements of the GDPR

The GDPR also sets out other responsibilities:

  • Rights of data subjects – these are outlined below;
  • Introduction of data protection by design and default;
  • Obligations for arrangements with regard to any subcontracted processing of personal data;
  • The requirement to have a record of processing activities listing all personal data processed;
  • To maintain appropriate technical and organisation measures to ensure a level of security appropriate to the risk;
  • To require organisations to report breaches of personal data within 72 hours;
  • Data Protection Impact Assessments for new or high risk processing;
  • A new role of data protection officer for public bodies and other large organisations;
  • Obligations to protect personal data being transferred to countries without personal data.

The GDPR allows individual national governments to make decisions around many areas and these are documented in the Data Protection Act 2018 (DPA).

The DPA also brings into UK law an EU directive relating to the processing of personal data for law enforcement purposes.

You can find out more about how the University processes personal information and the rights you have in the pages below.

Accessing your Information

The General Data Protection Regulation (GDPR) gives individuals a right to access their personal data.

This means that you can request the information that the University holds about you, ask how this information is being processed and to check that your information is being processed in a lawful manner.

If you wish to make a request for a copy of the data held about you, you can complete the Subject Access Request Form and send it to or to the Data Protection Officer, D21a Richmond Building, University of Bradford, Richmond Road, Bradford, BD7 1DP. Alternatively you can make your request directly to the University by email or letter using the same contact details.

Please try to provide as much detail as possible as to what information is being requested and your relationship with the University as this will help us to process the request more efficiently.

Request are normally free of charge, however in certain circumstances a 'reasonable fee' may be charged.  We will always inform you prior to any costs being incurred.

We aim to respond to your request within one calendar month.  We have the right to extend the response date by 2 months depending on circumstances, if this is to happen we will contact you as soon as is practical.

Your Rights

The General Data Protection Regulation (GDPR) gives you, the individual, greater control over how your personal data is used.

The GDPR provides individuals with a number of rights aside from the rights of access covered in the accessing your information section:

  • The right to be informed
    You can see what will happen to your data by reading the privacy notice that you will be provided with when we collect your information. The privacy notice will inform you of the purpose for collection, the legal basis for collection, who we share your information with and how long we keep your information for.
  • The right to rectification 
    If you believe something is wrong with the data we hold, you can submit a request for rectification. There are certain circumstances when we can refuse a request.
  • The right to erasure
    This is also known as 'the right to be forgotten'. This means you can withdraw your consent and ask the University to delete information held. This is not an absolute right and it will only apply in certain circumstances however.
  • The right to restrict processing
    You can ask the University to restrict processing of your data whilst any ongoing issues are investigated. Again this is not an absolute right and will only apply in certain circumstances.
  • The right to data portability
    you can request that data that we hold be easily transferred to another organisation. The right of portability only applies to information an individual has provided to the University.
  • The right to object
    The GDPR gives you a right to object to the processing of their personal data in certain circumstances. Whether it applies depends on our purposes for processing and our lawful basis for processing.

If you wish to exercise any of the above rights please write to or to the Data Protection Officer, D21a Richmond Building, University of Bradford, Richmond Road, Bradford, BD7 1DP.

Reporting a data breach

A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. That is, a breach takes place whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable.

The University of Bradford stores the personal data of thousands of students, staff, alumni, and many other individuals who have dealings with the University.

Under new data protection legislation the University has to notify the Information Commissioners Office (ICO) within 72 hours of any personal data breach, which will result in a risk to the rights and freedoms of natural persons.

If you believe that a personal breach or other data protection incident has occurred, contact the Data Protection Officer (DPO) immediately on 01274 233021 or 01274 233358 or by emailing If you are a member of the University, you can also report a breach via ITServiceNow.

Privacy Notices

When the University collects personal information we must tell the people involved the reasons for collecting the information, the purpose we are using it for, the legal basis for processing, how long the information is held for, who the information is shared with, and how they can exercise your rights.

We set out how the University processes your personal data in a number of privacy notices.

Links to the University privacy notices can be seen below.

Data Protection Impact Assessments (DPIAs)

Data Protection Impact Assessments (DPIAs but also known as privacy impact assessments) are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy.

Completing a DPIA for high risk processing of personal data is required by law but as well as being compulsory, there are actually real benefits to conducting a DPIA:

  • It enables an organisation to identify and address privacy problems at an early stage of a project thereby saving time and money in the long run;
  • It can reduce the amount of personal data collected which makes processes simpler and a project more efficient;
  • It demonstrates to stakeholders that you are taking privacy matters seriously and increases trust in an organisation.

The Information Commissioner's Office has promoted the use of DPIAs as an integral part of taking a privacy by design approach.

The University has developed a Procedure for conducting Data Protection Impact Assessments and Data Protection Impact Assessment Template Form based on best practice guidance from the ICO

Where can I find out more about Data Protection?

If you need any further information about your rights and data protection in general, you may find the following external resources useful.

General Data Protection Regulation

The full official version of the GDPR legislation can be found in the Official Journal of the EU:

Intersoft Consulting have created a more useable version:

Data Protection Act 2018

The DPA can be found on the UK's official legislation website:

Information Commissioner's Office

The Information Commissioner's Office (ICO) is the UK's independent authority in charge of upholding information rights in the interest of the public.  The organisation covers Data Protection, Freedom of Information Act, Environmental Information Regulations and other regulatory legislation.

The Information Commissioner's Office website can be found at