skip to content
Please note that the information provided on this page is being updated regularly to reflect changes to data protection legislation arising from the introduction of the General Data Protection Regulation from 25 May 2018. It is accordingly skeletal in places and, at times, links to standalone guidance documents issued as part of the University's GDPR preparations.  Over time the content of those documents will be adapted and added to this page in a consistent format.
  1. What is data protection legislation?
  2. Legal bases for processing personal data
  3. Legal bases for processing special category (sensitive) personal data
  4. Privacy notices
  5. Rights
  6. Data quality
  7. Data protection by design
  8. Data Protection Impact Assessments
  9. Data sharing
  10. Records
  11. Security and data breaches
  12. Direct marketing
  13. Research


1. What is data protection legislation?

Basic information about data protection legislation - principally the General Data Protection Regulation (GDPR) - is supplied in the legislation section of the data protection overview page.

Data protection legislation sets out rules and standards for the use and handling ('processing') of information ('personal data') about living identifiable individuals ('data subjects') by organisations ('data controllers'). The law applies to organisations in all sectors, both public and private.  It applies to all electronic records as well as many paper records. It doesn’t apply to anonymous information or to information about the deceased.  It is based around the notions of principles, individual rights and the accountability obligations of organisations.


2. Legal bases for processing personal data

The first data protection principle states that personal data must be processed fairly, lawfully and transparently - and only if there is a valid 'legal basis' for doing so.  The legal bases are set out in Article 6 of the GDPR.  Identifying the right legal basis matters because:

  • It affects some of the rights that data subjects have with regard to their personal data.

  • Those data subjects have to be told up-front about the legal basis or bases being relied upon.

There are six possible legal bases:

  • Article 6(1)(a): with the consent of the data subject.  Consent must be freely given, specific, informed, demonstrable and easily revocable. This is a very high standard and, as such, this legal basis should be relied upon sparingly and usually only when the data processing relates to an ancillary function (e.g. the sending of direct marketing) that can be stopped without causing knock-on problems.  Consent is not an appropriate legal basis for any core processing (e.g. of student or staff data for the purposes of administering studies or employment.)  When offering online-only services to children under the age of 13 and relying on consent as the legal basis, a parental consent is required - but this will apply very rarely in a University context.

  • Article 6(1)(b): the processing is necessary to operate a contractual relationship with a data subject, or to prepare for such a contractual relationship at the initiation of the data subject.  This legal basis applies to much student and staff data processing - it's necessary to fulfil the student or employment contract in the sense of delivering teaching, marking exams, administering HR processes, paying staff, and so on.

  • Article 6(1)(c): the processing is necessary to comply with a legal obligation.  This legal basis applies to the University's compliance with statutory obligations (e.g. with regard to the administration of income tax).

  • Article 6(1)(d): the processing is necessary to protect the vital (life or death) interests of the data subject.  This legal basis applies rarely and usually in specific circumstances (e.g. a medical emergency).

  • Article 6(1)(e): where allowed for under law, the processing is necessary 'for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller'.  Processing under this legal basis relates primarily to personal data processed in pursuit of the core statutory public functions of an organisation - so, for the University, some of our student outreach activities, our teaching and most of our research fall under this basis.

  • Article 6(1)(f): the processing is necessary to pursue the legitimate interests of the data controller, where those are not overridden by the data subject’s own interests.  This legal basis is not available 'to processing carried out by public authorities in the performance of their tasks'.  The University is defined as a UK public authority for GDPR purposes, but only insofar as the data processing relates to our core statutory public functions as allowed for under law.  So this legal basis does apply to data processing in the context of many subsidiary functions of the University, such as alumni and supporter relations, routine business correspondence, IT security, and so on.


3. Legal bases for processing special category (sensitive) personal data

The GDPR defines certain types of personal data as more sensitive than others.  These are known as special category personal data and relate to personal data about:

  • Racial or ethnic origin.

  • Political opinions.

  • Religious or philosophical beliefs.

  • Trade Union membership.

  • Genetic data.

  • Biometric data.

  • Health data.

  • Sex life or sexual orientation.

Personal data about (alleged or proven) criminal convictions and offences are not technically defined as special category personal data but are afforded similar protections.

The processing of special category personal data requires another legal bases to be identified.  There are numerous legal bases, both set out in Article 9 of the GDPR and in Schedule 1 to the UK's forthcoming Data Protection Act 2018. Some of the more relevant of these are as follows:

  • Article 9(2)(a): with the explicit consent of the data subject.

  • Article 9(2)(c): the processing is necessary to protect the vital (life or death) interests of the data subject.

  • Article 9(2)(g): the processing is necessary for reasons of substantial public interest.  The various permissible reasons are set out in Schedule 1 to the forthcoming Data Protection Act 2018, and include matters such as equalities monitoring, the prevention and detection of crime or fraud, the provision of counselling, the safeguarding of children and vulnerable individuals, and the progression of legal claims and judicial proceedings.  Many of these necessarily have to take place without the data subject's explicit consent.  Data controllers have to implement certain safeguards if relying on these reasons.

  • Article 9(2)(h): the processing is necessary for medical purposes (including occupational health).

  • Article 9(2)(j): the processing is necessary for research purposes under certain safeguards.

As well as equalities monitoring, academic research and the provision of welfare and support services to staff and students, many of the occasions when special category personal data might need to be processed by the University will relate to requests about individuals from third parties, such as the police.  Staff should contact the Information Compliance Office if they receive such requests.


4. Privacy notices

Whichever legal basis is being relied upon, data subjects need to be informed about how their personal data will be processed.  This is done through statements that usually are known as privacy notices.  These normally have to be supplied information at the time of collecting the data, though there are different timeframes where the personal data have not been directly collected from the data subject; in some such circumstances, the requirement to supply a privacy notice is waived.  In accordance with the second data protection principle, data collected for stated purpose(s) can only legitimately be processed for those purpose(s) - and not for others of which the data subject has not been informed (e.g. information collected on job application forms should be used for the recruitment process, and not to send the applicants general information about forthcoming University events).

The University has a number of core privacy notices aimed at different types of data subject: pre-applicants (whether undergraduate or graduate), applicants, students, alumni and supporters, and job applicants and staff.  These are supplied to individuals at the relevant time as part of centrally managed processes (e.g. application or registration).

The University also has a general privacy notice, which can be used by Institutions, offices, services to supplement the specific information that they will need to supply locally with regard to any particular event, initiative, service or function that they run.  Guidance on writing such 'local privacy notices' is available, as is similar guidance on writing 'local privacy policies' in connection with websites and guidance on CCTV signage (in section 6.4 of the GDPR Toolkit).

The University also has a generic privacy notice aimed at research participants, the use of which is described in the research exemptions page of this guidance.


5. Rights

The GDPR gives individuals various rights with regard to their personal data.  A response to a rights request needs to be sent within one month.  However, nearly all of these rights are qualified in various ways and there are numerous specific exemptions.  The most important thing for staff to note is that such requests can be submitted to anyone working within the University.  Many items of correspondence that technically are basic rights requests can be fulfilled in the normal course of business and of course should continue to be so (e.g. 'please correct my home address'; 'please send me a copy of my exam timetable for this summer'). For anything else, or if you are unsure, the request may need to be handled formally and staff should contact the Information Compliance Office who may handle it centrally.


6. Data quality

The third, fourth and fifth data protection principles are relevant in this regard.

The requirement to not hold data for longer than necessary does not mean that all data need to be destroyed. Suitably weeded staff and student records (or other historically valuable records) can be transferred to the University Archives, where they can be managed in a way which conforms to the requirements of data protection legislation.  Guidance on records management and retention is published separately.


7. Data protection by design

The concept of 'data protection by design' means embedding data protection considerations at an early stage of any new process, project or procedure. It most obviously applies if you are initiating an IT project, such as the implementation of a new system or database, which will involve the processing of personal data, especially special category (sensitive) personal data.  On occasion, adopting a privacy by design approach can trigger the need for a full Data Protection Impact Assessment to assess and document the risks to data subjects and the mitigation measures you might implement.

The following questions should assist staff in taking a data protection by design approach to any new process, project or procedure.

  • Make a note of all the personal data you plan to collect or use.  Are you collecting/using some of the personal data only because you have done so in the past?  Are you collecting/using more than you really need?

  • What does the University’s standard privacy notice say you will do with these data subjects' personal data?  Are your proposed uses included there?  If not, would people be surprised that you were using their personal data in those ways, and how do you plan to tell them about them?

  • Are you clear on what legal basis your proposed data processing takes place?  If you will be relying on the consent of the data subjects (which may be unlikely), how will you collect their consent?  How will you record it?  How easy would it be for you to stop processing if they withdrew their consent?  How could/would you delete their personal data if you needed to?

  • How do you plan to check that the personal data you are collecting/using remains up-to-date and accurate?  Could there be an opportunity for people to check or update their own personal data?

  • What physical security do you plan to make sure the personal data are not copied, lost or stolen?  What technical security do you plan?  How will you know it is effective?

  • Who will you share the personal data with?  Is the way you plan to share personal information secure?  Will people know that you share their personal data in this way (check the privacy notice again)?  Will you have a written agreement with the organisation you are sharing the personal data with?


8. Data Protection Impact Assessments

A Data Protection Impact Assessment (DPIA) is legally required where (proposed) data processing is likely to result in a high risk to the interests of data subjects, in particular where there is planned large-scale profiling, or processing of special category data, or monitoring of public areas.  In short, a DPIA takes the form of a document, completed following consultation with relevant stakeholders including the Data Protection Officer and a sample of the data subjects themselves, that:

  • Describes the nature, scope, context and purposes of the (proposed) processing.

  • Assesses the necessity and proportionality of the (proposed) processing.

  • Identifies and assesses risks to individuals.

  • Identifies any additional measures to mitigate those risks.

The University is in the process of developing a standard DPIA template.  If a completed DPIA reveals that the risks to data subjects cannot be adequately mitigated, the ICO must be consulted for a formal opinion.


9. Data sharing

Guidance on data sharing - including the use of contracts and transfers outside the EEA - is published separately.


10. Records

The GDPR requires large data controllers to maintain records of all the personal processed across the organisation.  The University primarily fulfils this requirement through its Information Asset Register, about which guidance is published separately.


11. Security and data breaches

The sixth data protection principle states that personal data should be processed securely to preserve its confidentiality, integrity and availability.  This principle is explicitly risk-based, meaning that different types of security measure are appropriate for different types of personal data.  A database of medical research data with identifiable participants clearly needs stronger technical (e.g. anti-virus protections and access controls) and organisational (e.g. internal policies about usage) protections than a list of staff members in an academic department.

Examples of security measures include:

  • Anti-virus and anti-malware software, regularly patched and updated.

  • The encryption or password protection of files and folders - whether 'at rest' (i.e. on a University system) or 'in transit' (i.e. on a mobile device or when being sent by email or other means).

  • Access controls - these form an important aspect of 'data protection by default' and can be both:

    • technical - i.e. a system or shared drive/filestore is set up so that only certain staff can see and/or use it or parts of it.

    • organisational - i.e. within reason, staff may be able to see more personal data than they strictly need in order to perform their duties, for example through their access to a shared office drive, but there are policy controls to state they should not try to read or use it - including the University's main Data Protection Policy as well as specific access control forms to systems and drives.

  • Backups and business continuity/emergency management plans.

  • The testing of technical protections - often known as 'friendly probing'.

  • Pseudonymisation - this means removing the 'key' to a dataset and storing it separately and securely: although the individual data subjects could still be identified if the key is matched back to the pseudonymised dataset, that dataset can be used more freely (this is a common technique in many research disciplines).

  • Technical security controls - such as card-accessed buildings, locked rooms, locked filing cabinets.

If security is breached and personal data is lost, stolen, inadvertently disclosed to an external party, or accidentally published, staff should report it internally as soon as possible.  Some types of data breach have to be reported to the ICO within 72 hours.


12. Direct marketing

Direct marketing is defined as the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals.  This is a broad definition that is not restricted to commercial organisations offering goods for sale.  The term direct marketing also applies to communications addressed to individuals that promote an organisation's aims and ideals, including advertising events, offering benefits or appealing for funds and support.  It does not apply to purely informational communications (i.e. newsletters that really are limited to news items) or communications sent directly in relation to a particular product or event that an individual has requested/signed up for (including any follow-up surveys).

Many communications sent to alumni and supporters class as direct marketing, as do mailing lists maintained both centrally and by departments to advertise events or activities to members of the public.  Data subjects have the right to object to the receipt of direct marketing - this is an absolute right and opt-outs must be respected.

Separate but related legislation, called the Privacy and Electronic Communications Regulations 2003 (as amended), furthermore states that:

  • Direct marketing by email or text should normally only take place with the individual recipient's prior consent.

  • Before direct marketing by phone, numbers should first be screened against the Telephone Preference Service unless the individual recipients have already consented.

  • There should be a clear unsubscribe opportunity in each email, text or phone communication.

Consents to direct electronic marketing need to be to a GDPR standard (i.e. freely given, specific, informed, demonstrable and easily revocable).  A template form of words for the collection of direct electronic marketing consents is provided in section 3.5 of the GDPR Toolkit.


13. Research

Guidance on the research exemptions, explaining how and where the standard data protection provisions do and don't apply in an academic research context, is published separately.