Data Protection

Gathering data

You must comply with the Data Protection Act whenever you gather or collect personal data for University-related purposes. This includes data obtained for Academic Research.

There are three general rules of compliance that you should follow when collecting data.

Obtain consent

Data Subjects should be told in clear terms, preferably in writing, exactly what information is being collected, what it will be used for and to whom it may be released. A record should be kept to show that the individuals have consented to their data being processed under the Data Protection Act.

All University of Bath students and staff provide their general consent to their personal data being processed for certain, limited, necessary purposes:

If you intend to collect data which is not covered by this general consent, or from individuals who are not students or staff, you must ensure that you obtain their permission.

If the data is going to include any sensitive personal data, specific consent in writing is needed.

For advice and sample consent wording email the Data Protection team at

Limit the Personal Data you collect

Ensure you only collect personal data that is strictly necessary, especially sensitive personal data. Any irrelevant or excessive information should not be retained.

Keep data secure

All personal data gathered must be held securely. Use a Computing Services server to store data wherever possible. Don’t put the data onto a mobile device unless it is secure - password protected and, where appropriate, encrypted.

Restrict access to data and maintain confidentiality by:

  • only allowing other staff to access the data if necessary
  • not transferring data to a third party unless you have consent
  • taking care not to lose data
  • ensuring data is kept securely, whether on or off campus.