Data Protection


All members of the University are responsible for ensuring compliance with the Data Protection Act 1998.

The Information Commissioner can impose fines of up to £500,000 on organisations for breaching the Act and serious breaches may also see individuals involved being prosecuted.

Managing data in compliance with the Act

There are three broad stages of processing data that you need to be aware of to ensure compliance with the Eight Principles of the Act:

Data security

Keeping data secure is essential to complying with the Data Protection Act. Security is also essential when working off campus and on mobile devices.

Specific guidance

Responding to requests for information

The University has to respond to Subject Access Requests within 40 days. Follow our guidance for dealing with requests to help us deal with them efficiently.

Academic research

Academics who supervise students whose research uses personal data should be aware of exemptions to processing research data under the Act and the guidance they should give.

Photography and filming

Ensure you comply with the Act when taking photographs or making film recordings on behalf of the University or on campus.

Academic Appeals

Guidance on the types of information that a student can request to help them gather evidence for an Academic Appeal.

Examiner comments and Examination board minutes

Staff and external examiners should take care to understand what information from exam papers is available under a Subject Access Request.

Personal references

individuals may have the right to see references which the University has written about them or received in respect of them.

Although references may be marked in such a way as to infer confidentiality, (‘private & confidential’ or ‘for the attention of the addressee and the relevant interviewing panel only’), confidentiality can never be guaranteed.

If you are writing a reference you should assume that it may be disclosed to the Data Subject.