
Information Compliance


This page provides an overview of the following data protection topics and links to sources of further information.



Data protection legislation sets out rules and standards for the use and handling ('processing') of information ('personal data') about living identifiable individuals ('data subjects') by organisations ('data controllers').  It is based around the notions of principles, rights and accountability obligations.

The law applies to organisations in all sectors, both public and private.  It applies to all electronic records as well as many paper records. It doesn’t apply to anonymous information or to information about the deceased.

Since 25 May 2018, the legislation in the UK has been the EU General Data Protection Regulation (GDPR), coupled with the UK Data Protection Act 2018 (DPA 2018) that supplements the GDPR in specific ways.  These two pieces of legislation replaced the Data Protection Act 1998 (DPA 1998) and the numerous Statutory Instruments issued pursuant to it.  There is also supplementary data protection legislation covering specific topics, such as direct marketing.  The legislation is regulated in the UK by the Information Commissioner's Office (ICO) as well as the courts.

The University (like most UK data controllers) is required to pay an annual fee to the ICO and to be included in its register of fee payers (the University's register entry number is Z6641083).  It should be stressed that the University of Cambridge - although a large, complex and devolved organisation that includes two major trading departments (Cambridge Assessment and Cambridge University Press) and various cultural offerings (libraries, museums, theatres, gardens and festivals) as well as 'standard' academic departments and administrative offices - is a single legal entity and so is a single data controller.  Each of the 31 Colleges of the University is a separate legal entity and data controller for the purposes of data protection legislation.



Data controllers processing personal data must follow - and be able to demonstrate that they are following - the data protection principles.

Under the GDPR, there are six principles.  Personal data must be processed following these principles so that the data are:

  1. Processed fairly, lawfully and transparently - and only if there is a valid 'legal basis' for doing so.

  2. Processed only for specified, explicit and legitimate purposes.

  3. Adequate, relevant and limited.

  4. Accurate (and rectified if inaccurate).

  5. Not kept for longer than necessary.

  6. Processed securely - to preserve the confidentiality, integrity and availability of the personal data.

Under the DPA 1998 there were eight principles but two of these (about the rights of data subjects and transfers of personal data outside the European Economic Area) are covered in different ways in the GDPR.  Depending on the context, there are full or partial exemptions from the principles when processing personal data for specific purposes, including different types of academic research.


Privacy notices

An important aspect of complying with data protection legislation is being open and transparent with individuals about how their personal data will be used.  The supply of this information - through documents variously known as 'privacy notices', 'data protection statements', 'data collection notices', 'privacy policies' and numerous other interchangeable terms - takes place in numerous targeted ways depending on the context of the interaction with the individual.  The University's core privacy notices - each titled 'How we use your personal information (for ...)' - are available from the menu on this page.



Under the GDPR, data subjects are given various rights, which are free to exercise:

  • The right to be informed of how their personal data are being used - this right is usually fulfilled by the provision of 'privacy notices' as described above.

  • The right of access to their personal data - accessing personal data in this way is usually known as making a 'subject access request'.

  • The right to have their inaccurate personal data rectified.

  • The right to have their personal data erased where appropriate - also known as the right to be forgotten.

  • The right to restrict the processing of their personal data pending its verification or correction.

  • The right to receive copies of their personal data in a machine-readable and commonly-used format - known as the right to data portability.

  • The right to object: to processing (including profiling) of their personal data that proceeds under particular legal bases; to direct marketing; and to processing of their data for research purposes where that research is not in the public interest.

  • The right not to be subject to a significant decision based solely on automated decision-making using their personal data.

A response to a rights request normally needs to be sent within one month.  However, nearly all of these rights are qualified in various ways and there are numerous specific exemptions both in the GDPR and in the DPA 2018 (for example, nearly all the rights may not apply if the personal data are being processed solely in an academic research context). These rights build upon and strengthen rights previously given to data subjects under the DPA 1998.


Accountability obligations

Data protection legislation imposes certain accountability obligations on all data controllers. Under the GDPR, the main obligations for large data controllers include:


Data breaches

One of the University's most important accountability obligations under data protection legislation concerns personal data breaches - that is, where personal data held by the University are lost, stolen, inadvertently disclosed to an external party, or accidentally published.  Some typical examples of a personal data breach are:

  • Sending an email or letter containing personal data to the wrong recipient.

  • Accidentally disclosing personal email addresses (e.g. by using cc instead of bcc).

  • Inadvertently publishing University records containing personal data, or login credentials allowing access to them, on the internet.

  • Losing an unsecured laptop or other personal device storing University records containing personal data.

  • Having a University website, email account or drive hacked, with personal data stolen or 'locked down' by the hacker.

Personal data breaches may arise from IT security incidents, but not all IT security incidents are personal data breaches, and vice versa.  Some types of personal data breach have to be reported to the ICO and the affected data subjects within short timeframes, so recognising and reporting them internally is crucial.

If an actual or potential personal data breach occurs, this should be reported urgently as follows:

  • If your University Institution has established a local personal data breach reporting mechanism (e.g. to the Departmental Administrator or Computer Officer), you should contact the relevant individual in the first instance.  They will then handle the onward reporting as necessary.

  • If not (or if you are unsure, or if you cannot get hold of the relevant individual), you should contact:

Separately, or in addition, if an IT security incident occurs, this should be reported urgently using the procedures outlined on the Computer Security Incident Response Team (CSIRT) webpage.

Please do not delay and please do not worry about reporting to the wrong place - the specialist staff who receive reports will liaise and coordinate as necessary to ensure that the personal data breach and/or the IT security incident are handled under the correct procedures.



The University's Data Protection Policy was approved by the University Council at its meeting on 19 March 2018.  Section 3.6 outlines the responsibilities of individual members of University staff.

The Policy explains how it relates to associated information governance and information security policies and procedures.  Links to further policies are included on the main guidance page of this website.


Guidance and training

More detailed guidance for University staff on data protection is published:

In addition, an Annual Compliance Checklist will soon be launched to help University departments work through various practical data protection 'housekeeping' tasks.

Data protection training for University staff is available:

  • Through an online course.  Departmental Administrators (and equivalents) can monitor completions within their Institution via University Training Booking System (UTBS) logs.  All staff using personal data in some way in their role are encouraged to complete this online course as part of their induction and thereafter once every two years, but the precise expectations about who should complete it (and how often) in different areas of the University should be set by Heads of Department (and equivalents).  While this online course is primarily aimed at staff, it is also suitable for students needing or wishing to complete basic data protection training.

  • Through a face-to-face course that is run regularly throughout the year.  This can be used to supplement the online course for those staff for whom data protection knowledge is a more important part of their role.

  • On request to the Information Compliance Office, through bespoke training sessions, presentations or briefings for different groups of staff, both academic and non-academic, across all parts of the University.

  • Through specific training courses or activities managed and run locally by individual departments or offices (for example, there is specific training on data protection for users of Amicus, the University's central alumni relations and fundraising system).  Departmental Administrators (or equivalents) should be able to advise on any such courses or activities.

  • In future, through additional face-to-face and/or online modules on topics aimed at specific groups of staff.  These are under consideration.


Data protection and Brexit

Like all areas of law derived in part from the European Union, data protection legislation will be subject to changes following the UK's departure from the EU.

During the transition period (i.e. 1 February - 31 December 2020, unless extended), there will be no changes at all.  The GDPR (as supplemented by the DPA 2018 and various other laws) will continue to apply in full while long-term data protection arrangements are negotiated.

After the transition period (i.e. from 1 January 2021, unless the transition period is extended), the UK Government has made it clear that all the substantive provisions of the GDPR (as supplemented by the DPA 2018 and various other laws) about principles, rights and accountability obligations will continue to apply in the UK regardless of the outcome of the negotiations.  UK legislation is in place/ready to be enacted to ensure this.

However, if the negotiations do not lead to a long-term arrangement that covers data protection matters (whether as part of a new deal or through what is known as a data protection 'adequacy finding' from the European Commission), it is possible that a 'no deal' scenario will re-emerge.  Under this, the main practical change for the University would concern transfers of personal data from organisations and businesses based within the European Economic Area (i.e. the EU countries plus Iceland, Liechtenstein and Norway) to the University.  (Transfers of personal data from the University to organisations/businesses based in the EEA and beyond would not be affected except in very limited circumstances.  Transfers of personal data from EEA-based individuals to the University - such as student/job applicants or conference attendees - also would not be affected.)

The affected transfers to the University might arise, for example, in the context of research collaborations, student placements in European universities or businesses, or external data storage/hosting arrangements.  In order for such transfers lawfully to continue, it would be necessary for the EEA-based organisation/business to assure itself that the personal data it transfers will be 'adequately' protected by the University (as we would be an organisation based in a 'third country' outside the EEA that does not have a relevant 'adequacy finding').  In essence, the current provisions on transfers of personal data outside the EEA would apply but 'in reverse' - that is, with the University as the recipient rather than the sender.  Unless a 'derogation' (exception) applies - which would occur relatively rarely - the simplest and safest way for the EEA-based organisation/business to assure itself of the adequate protection of the personal data would be for it to enter into a contract/contract variation with the University on the basis of the European Commission's standard contractual clauses for transfers, the use of which is explained on the relevant guidance page of this website.

Further guidance has been issued by the UK Government and the ICO on data protection after the end of the transition period.  Specific guidance for relevant University staff will be circulated in due course should this become necessary.