Please note that the information provided on this page is updated regularly to reflect developments in data protection legislation and practice.
  1. What is data protection legislation?
  2. Lawful and fair - legal bases for processing personal data
  3. Lawful and fair - legal bases for processing special category (sensitive) personal data
  4. Privacy notices
  5. Rights
  6. Data quality
  7. Data protection by design
  8. Data Protection Impact Assessments
  9. Data sharing and using data processors
  10. Records of data processing
  11. Security and personal data breaches
  12. Direct marketing
  13. Research
  14. References
  15. Disclosure requests
  16. Publishing staff and student profiles and contact details


1. What is data protection legislation?

Basic information about data protection legislation is supplied in the legislation section of the data protection overview page.

Data protection legislation sets out rules and standards for the use and handling ('processing') of information ('personal data') about living identifiable individuals ('data subjects') by organisations ('data controllers'). The law applies to organisations in all sectors, both public and private.  It applies to all electronic records as well as many paper records.

Data protection legislation doesn’t apply to anonymous information or to information about the deceased.  The law is binary with regard to anonymised information - if it is not possible to link the information back to a living individual (whether using solely the information to hand or after coupling it with other information held by the data controller or in the public domain) then the legislation does not apply at all.  In reality, of course, anonymisation is a grey scale.  The test of anonymisation in binding UK case law is whether the risk of re-identification is 'reasonably likely', taking into account the normal (non-criminal) tools and public sources available to a motivated person who is trying to re-identify the individuals from the anonymised information in question.

Data protection legislation is based around the notions of principles, individual rights and the accountability obligations of organisations.


2. Lawful and fair - legal bases for processing personal data

The first data protection principle states that personal data must be processed fairly, lawfully and transparently.

Fairness is about using personal data in ways that data subjects would reasonably expect and thinking through any adverse impacts on them.  Transparency is about telling data subjects how their data will be used, usually through a privacy notice.

Lawfulness, meanwhile, has two aspects.  The first aspect means, straightforwardly, not doing anything with personal data that would be unlawful.  This includes committing obvious criminal offences such as stealing personal data in order to sell it to fraudsters, but also encompasses more subtle forms of unlawfulness, such as using personal data in a manner that breaches the right to privacy in the Human Rights Act 1998, infringes copyright legislation, or creates an actionable breach of confidence (an 'actionable' breach essentially means an indefensible one - certain breaches of the common law of confidentiality are permissible, for example on public interest grounds).

The second aspect of lawfulness means only processing personal data if there is a valid 'legal basis' for doing so.  The legal bases are set out in Article 6 of the UK GDPR.  Identifying the right legal basis matters because:

  • It affects some of the rights that data subjects have with regard to their personal data.

  • Those data subjects have to be told up-front about the legal basis or bases being relied upon.

There are six possible legal bases:

  • Article 6(1)(a): with the consent of the data subject.

Consent must be freely given, specific, informed, demonstrable and easily revocable. This is a very high standard and, as such, this legal basis should be relied upon sparingly and usually only when the data processing relates to an ancillary function (e.g. the sending of direct marketing) that can be stopped without causing knock-on problems.  Consent is not an appropriate legal basis for any core processing (e.g. of student or staff data for the purposes of administering studies or employment).

A template form of words for the collection of new data processing consents by University departments is as follows:

Please [sign/electronically sign/tick], date and [return by UMS/return by email/submit] the below declaration:

I consent to the [department name] using my personal data for [describe the specific purpose] and understand that I can withdraw my consent at any time.

When offering online services to children under the age of 13 and relying on consent as the legal basis, a parental consent is required - but this will apply very rarely in a University context.  If it does, a template form of words to be used for this purpose is as follows:

If you are aged under 13, we will need consent from your parent or guardian in order to sign you up for [this service]. Please provide us with their email or postal address so that we can write to them to collect this.  We will not be able to offer you [the service] until we receive consent from your parent or guardian.

  • Article 6(1)(b): the processing is necessary to operate a contractual relationship with a data subject, or to prepare for such a contractual relationship at the initiation of the data subject.

This legal basis applies to much student and staff data processing - it's necessary to fulfil the student or employment contract in the sense of delivering teaching, marking exams, administering HR processes, paying staff, handling applications for additional courses/initiatives/funding, and so on.

  • Article 6(1)(c): the processing is necessary to comply with a legal obligation.

This legal basis applies to the University's compliance with statutory obligations (e.g. with regard to the administration of income tax).

  • Article 6(1)(d): the processing is necessary to protect the vital (life or death) interests of the data subject.

This legal basis applies rarely and usually in specific circumstances (e.g. a medical emergency).

  • Article 6(1)(e): where allowed for under law, the processing is necessary 'for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller'.

Processing under this legal basis relates primarily to personal data processed in pursuit of the core statutory public functions of an organisation - so, for the University, some of our student outreach activities, our teaching and most of our research fall under this basis.

  • Article 6(1)(f): the processing is necessary to pursue the legitimate interests of the data controller, where those are not overridden by the data subject’s own interests.

This legal basis is not available 'to processing carried out by public authorities in the performance of their tasks'.  The University is defined as a public authority for UK GDPR purposes, but only insofar as the data processing relates to our core statutory public functions as allowed for under law.  So this legal basis does apply to data processing in the context of many subsidiary functions of the University, such as alumni and supporter relations, routine business correspondence, IT security, and so on.

Where appropriate, you can still give people options about how their personal data will be used when relying on a legal basis other than consent.  For example, it might be appropriate to allow individuals to opt out of a certain aspect of personal data use (e.g. the publication of a profile about them) while still requiring those same data for other uses (e.g. the use of that profile for internal management purposes).


3. Lawful and fair - legal bases for processing special category (sensitive) personal data

Certain types of personal data are defined in data protection legislation as more sensitive than others.  These are known as special category personal data and relate to personal data about:

  • Racial or ethnic origin.

  • Political opinions.

  • Religious or philosophical beliefs.

  • Trade Union membership.

  • Genetic data.

  • Biometric data.

  • Health data.

  • Sex life or sexual orientation.

Personal data about (alleged or proven) criminal convictions and offences are not technically defined as special category personal data but are afforded similar protections.

The processing of special category personal data requires another legal basis to be identified.  There are numerous legal bases, set out both in Article 9 of the UK GDPR and in Schedule 1 to the DPA 2018. Some of the more relevant of these are as follows:

  • Article 9(2)(a): with the explicit consent of the data subject.

  • Article 9(2)(c): the processing is necessary to protect the vital (life or death) interests of the data subject.

  • Article 9(2)(f): the processing is necessary for legal claims/defences and court proceedings.

  • Article 9(2)(g): the processing is necessary for reasons of substantial public interest.  The various permissible reasons are set out in Schedule 1 to the DPA 2018, and include matters such as equalities monitoring, the prevention and detection of crime or fraud, the provision of counselling and the safeguarding of children and vulnerable individuals.  Many of these necessarily have to take place without the data subject's explicit consent.  Data controllers have to implement certain safeguards if relying on these reasons, including the creation of an Appropriate Policy Document.  The University's document explains how and when we use these legal bases.

  • Article 9(2)(h): the processing is necessary for medical purposes (including occupational health).

  • Article 9(2)(j): the processing is necessary for research purposes under certain safeguards.

As well as equalities monitoring, academic research and the provision of welfare and support services to staff and students, many of the occasions when special category personal data might need to be processed by the University will relate to requests about individuals from third parties, such as the police.


4. Privacy notices

Whichever legal basis is being relied upon, data subjects need to be informed about how their personal data will be processed.  This is done through statements that are usually known as privacy notices.  This information normally has to be supplied at the time of collecting the data, though there are different timeframes where the personal data have not been directly collected from the data subject; in some such circumstances, the requirement to supply a privacy notice is waived.  In accordance with the second data protection principle, data collected for stated purpose(s) can only legitimately be processed for those purpose(s) - and not for others of which the data subject has not been informed (e.g. information collected on job application forms should be used for the recruitment process, and not to send the applicants general information about forthcoming University events).

  • Core privacy notices

The University has a number of core privacy notices aimed at different types of data subject.  These are supplied to individuals at the relevant time as part of centrally managed processes (e.g. application or registration).

  • Supplementary privacy notices

These core privacy notices can be supplemented as necessary by individual Institutions who wish to inform their own students, or a specific cohort of their own students, about a particular type of personal data use that is only of relevance to them.  Such supplementary notices could be included on a form collecting information from the relevant students, or within a departmental or course handbook.  In all instances the notice should be factually accurate.  In brief, the topics to cover are: (a) the specific purpose of the personal data use; (b) any specific data sharing arrangements; (c) any specific data retention arrangements; and (d) a link to the core student privacy notice so as to remind those students of the wider context.  The same principle applies to supplementary notices issued by individual Institutions and aimed at specific groups of applicants, staff, alumni, etc.

  • Local privacy notices

The University also has a general privacy notice, which can be used by Institutions, offices and services alongside the specific information that they will need to supply locally with regard to any particular standalone event, initiative, service or function that they run.  Guidance on writing such 'local privacy notices' is available.

  • CCTV signage

Running a CCTV system involves capturing personal data and signage is required to act as a privacy notice.  A template form of words for signage for those University departments/buildings running their own CCTV is as follows:

The University of Cambridge operates CCTV on these premises for the purposes of safety and security.  For further information please phone [contact number].

  • Website privacy notices (privacy 'policies')

Website users need to be supplied with a privacy notice (usually known in this context as a privacy policy) explaining how their personal data (e.g. their IP address) will be used when visiting that website, and how cookies are used to make the website function (often the cookies information is published separately and cross-referenced from the website privacy policy).  Because of the multiple website templates and content management systems in use across the University, each separate website needs to ensure either that it links to the main University website privacy policy or, where necessary, that it has issued its own policy.  Guidance on writing privacy policies in connection with University websites is available.

  • Notices in the context of research studies

The University also has issued a generic privacy notice aimed at research participants, the use of which is described on the research page of this guidance.


5. Rights

Data protection legislation gives individuals various rights with regard to their personal data.  A response to a rights request normally needs to be sent within one month (there is provision to extend this deadline in the case of complex requests).  However, nearly all of these rights are qualified in various ways and there are numerous specific exemptions.

The most important thing for staff to note is that such requests can be submitted to anyone working within the University.  Many items of correspondence that technically are basic rights requests can be fulfilled in the normal course of business and of course should continue to be so (e.g. 'please correct my home address'; 'please send me a copy of my exam timetable for this summer').  For anything else, or if you are unsure, the request may need to be handled formally and staff should contact the Information Compliance Office.

Upon receipt of a formal request (whether directly or forwarded from another part of the University), the Information Compliance Office:

  • Will send an acknowledgement to the requester, seek proof of their identity where required, and advise them of the statutory deadline.

  • Will handle all internal processes by coordinating searches (and/or other activities e.g. making investigations as to the accuracy of personal data or the technicalities of data deletion) with those staff in University Institutions who may have direct access to the personal data in question. We do not conduct 'covert' searches when handling such requests - staff will know that, and will in all likelihood need to help with, any searches made of their own emails and IT accounts. 

  • Will liaise with any third parties, apply any relevant exemptions, and make any necessary redactions, before replying directly to the requester.

Staff should note that it is a criminal offence to alter, deface, block, erase, destroy or conceal personal data that have been requested under subject access rights with the intention of preventing disclosure.

It should be stressed that (nearly) all data protection rights are qualified:

  • Some rights only apply in particular circumstances (e.g. the right to data portability only applies if the data processing is wholly automated and based on the consent or contract legal bases).

  • There are specific exemptions from the rights when they do apply (e.g. certain materials - like examination scripts or documents about negotiations with the data subject - are exempt from the right of subject access, and certain rights - like the right to erasure - do not normally apply if the personal data is being processed for certain purposes, such as the prevention and detection of crime).

  • Rights requests may be refused if they are manifestly unfounded (e.g. there is no evidence of data inaccuracy despite the claim of the data subject) or manifestly excessive (e.g. the right of erasure is exercised in a disproportionate way given the context).

  • Fulfilling a subject access request should not reveal the personal data of third party individuals.  Where the personal data of the requester is irretrievably mixed up with the personal data of a third party individual, the 'mixed' personal data should only be disclosed to the requester if the third party individual has consented to disclosure or if it is reasonable in all the relevant circumstances to disclose without their consent.


6. Data quality

The third, fourth and fifth data protection principles are relevant in this regard.

The requirement to not hold data for longer than necessary does not mean that all data need to be destroyed. Suitably weeded staff and student records (or other historically valuable records) can be transferred to the University Archives, where they can be managed in a way which conforms to the requirements of data protection legislation.  Guidance on records management and retention is published separately.


7. Data protection by design

The concept of 'data protection by design' means embedding data protection considerations at an early stage of any new process, project or procedure. It most obviously applies if you are initiating an IT project, such as the implementation of a new system or database, which will involve the processing of personal data, especially special category (sensitive) personal data.  On occasion, adopting a data protection by design approach can trigger the need for a full Data Protection Impact Assessment to assess and document the risks to data subjects and the mitigation measures you might implement.

The following questions should assist staff in taking a data protection by design approach to any new process, project or procedure.

  • Make a note of all the personal data you plan to collect or use.  Are you collecting/using some of the personal data only because you have done so in the past?  Are you collecting/using more than you really need?

  • What does the University’s standard privacy notice say you will do with these data subjects' personal data?  Are your proposed uses included there?  If not, would people be surprised that you were using their personal data in those ways, and how do you plan to tell them about those uses?

  • Are you clear on what legal basis your proposed data processing takes place?  If you will be relying on the consent of the data subjects (which may be unlikely), how will you collect their consent?  How will you record it?  How easy would it be for you to stop processing if they withdrew their consent?  How could/would you delete their personal data if you needed to?

  • How do you plan to check that the personal data you are collecting/using remains up-to-date and accurate?  Could there be an opportunity for people to check or update their own personal data?

  • How will you control access to the personal data to ensure that only those who need to read or use it can do so?

  • What physical security measures do you plan, to make sure the personal data are not copied, lost or stolen?  What technical security do you plan?  How will you know it is effective?

  • Who will you share the personal data with?  Is the way you plan to share personal information secure?  Will people know that you share their personal data in this way (check the privacy notice again)?  Will you have a written agreement with the organisation you are sharing the personal data with?

  • How long will you need to use the personal data for?  What will you do after that point - delete it, anonymise it, archive it?


8. Data Protection Impact Assessments

A Data Protection Impact Assessment (DPIA) is legally required where (proposed) data processing is likely to result in a high risk to the interests of data subjects, in particular where there is planned large-scale profiling, or processing of special category data, or monitoring of public areas.  In short, a DPIA takes the form of a document, completed following consultation with relevant stakeholders including the Data Protection Officer and a sample of the data subjects themselves, that:

  • Describes the nature, scope, context and purposes of the (proposed) processing.

  • Assesses the necessity and proportionality of the (proposed) processing.

  • Identifies and assesses risks to individuals.

  • Identifies any additional measures to mitigate those risks.

If a completed DPIA reveals that the risks to data subjects cannot be adequately mitigated, the ICO must be consulted for a formal opinion.

The University has developed a standard DPIA template.  The template explains when a DPIA is needed, who should complete it, and what should be done with it.


9. Data sharing and using data processors

Guidance on data sharing and using data processors - including the use of contracts and international transfers - is published separately.  The section on disclosure requests below is also relevant.


10. Records of data processing

Large data controllers are required to maintain records about all the personal data processed across the organisation.  The University primarily fulfils this requirement through its Information Asset Register, about which guidance is published separately.


11. Security and personal data breaches


The sixth data protection principle states that personal data should be processed securely to preserve its confidentiality, integrity and availability.  This principle is explicitly risk-based, meaning that different types of security measure are appropriate for different types of personal data.  A database of medical research data with identifiable participants clearly needs stronger technical (e.g. anti-virus protections and access controls) and organisational (e.g. internal policies about usage) protections than a list of staff members in an academic department.

Examples of security measures include:

  • Anti-virus and anti-malware software, firewalls, and automated intrusion detection/prevention systems, regularly patched and updated.

  • The encryption or password protection of files and folders - whether 'at rest' (i.e. on a University system) or 'in transit' (i.e. on a mobile device or when being sent by email or other means).

  • Access controls - these form an important aspect of 'data protection by default' and can be both:

    • Technical - i.e. a system or shared drive/filestore is set up so that only certain staff can see and/or use it or parts of it.

    • Organisational - i.e. within reason, staff may be able to see more personal data than they strictly need in order to perform their duties, for example through their access to a shared office drive, but there are policy controls to state they should not try to read or use it - including within contractual terms and conditions of employment and the University's main Data Protection Policy, as well as specific access control forms to systems and drives.

  • Backups and business continuity/emergency management/disaster recovery plans.

  • The testing of technical protections - often known as 'penetration testing'.

  • Pseudonymisation - this means removing the 'key' to a dataset and storing it separately and securely: although the individual data subjects could still be identified if the key is matched back to the pseudonymised dataset, that dataset can be used more freely (this is a common technique in many research disciplines).

  • Physical security controls - such as card-accessed buildings, locked rooms and locked filing cabinets.

  • Policy responsibilities and confidentiality obligations for staff handling personal data.

  • Procedures for the secure deletion and destruction (or anonymisation) of personal data when it is no longer required.

Further guidance and training on information security is available from UIS.  UIS has produced various tools (i) for IT staff and (ii) for non-technical staff (e.g. Departmental Administrators or Principal Investigators) to aid their assessments of information security risks and data protection compliance measures on a system-by-system basis, including the Information Security Risk Assessment (ISRA) and the UK GDPR Systems Checklist.  It has also issued a set of minimum security requirements for University services.

Personal data breaches

If security is breached and personal data is lost, stolen, inadvertently disclosed to an external party, or accidentally published, staff should report it internally as soon as possible.  Some types of data breach have to be reported to the ICO within 72 hours.

The University's procedures for the handling of potential or actual personal data breaches, in accordance with its Data Protection Policy, are as follows.  Note that the Cambridge Colleges, as independent data controllers, all have their own processes and do not follow the below.

  • Notification of an incident having occurred is received by the University's Information Compliance Office.

  • The Information Compliance Office logs the breach and assesses the immediate circumstances:

    • In some cases, it is obvious that a basic personal data breach has occurred (e.g. an email has been sent to the wrong recipient) and the Information Compliance Office will advise on straightforward remedial actions, if these have not been taken already (e.g. asking the incorrect recipient of the email to delete it).

    • In other cases, more detailed/technical investigations may be required to ascertain the facts of what has happened, involving colleagues who understand the information in scope and/or the checking of logs by specialist IT security staff in UIS, and to determine what remedial actions are required and which colleagues need to be informed.  Sometimes this work is necessary to ascertain whether or not there is any evidence that a personal data breach has actually occurred (as opposed to a security vulnerability having been identified that has not been exploited).  The Information Compliance Office will liaise as necessary with the Colleges' Data Protection Officer if the breach involves a shared University/Colleges system.

  • Once the facts of the personal data breach are understood, the Information Compliance Office follows the Information Commissioner's Office guidance to ascertain whether the breach needs to be reported to them as the regulator of data protection law in the UK.  Personal data breach reports need to be made to the ICO if the breach poses a risk to the data subjects, and this has to be done within 72 hours of becoming aware of the breach (which may be different to the time at which an apparent security vulnerability is first identified, or at which a particular incident/issue is first reported).

  • The Information Compliance Office liaises with the University's Data Protection Officer about any breach which might or does need reporting to the ICO before doing so.  Relevant University colleagues are also informed.  The Information Compliance Office and the DPO will also determine whether there is a high risk to the data subjects such that they need to be informed about the personal data breach directly.

  • The Information Compliance Office submits the report to the ICO where necessary, and advises on or runs the process of informing the data subjects where necessary.  Sometimes the data subjects are told about a breach despite it not meeting the formal high risk threshold.

  • Once immediate breach management actions have been carried out, the Information Compliance Office, the DPO and any other relevant colleagues will consider lessons learnt, wider issues and potential process or policy improvements arising from particular breaches where applicable.  If a breach has been reported to the ICO, the ICO Case Officer may also advise on further actions.


12. Direct marketing

Direct marketing is defined as the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals.  This is a broad definition that is not restricted to commercial organisations offering goods for sale.  The term direct marketing also applies to communications addressed to individuals that promote an organisation's aims and ideals, including advertising events, offering benefits or appealing for funds and support.

The term direct marketing does not apply to:

  • Normal postal or email correspondence and phone calls.

  • Postal or email correspondence that is not directed at individuals (e.g. advertising brochures sent for the attention of an organisation, without a named recipient, or 'business-to-business' marketing emails sent to generic organisational addresses).

  • Purely informational or 'housekeeping' communications (e.g. newsletters that really are limited to news items or factual emails about the downtimes for an online service).

  • Communications sent directly in relation to a particular product or event that an individual has requested/signed up for (including any follow-up surveys, which class instead as market research). 

  • On the whole, internal communications, by email and other means, advising current staff and students of University/departmental information, news, opportunities and events.

Many communications sent to alumni and supporters do class as direct marketing, as do various mailing lists maintained both centrally and by departments (including the museums and libraries run by the University) to advertise events, activities or initiatives to members of the public (including, for example, attendees at public events or academics at other universities).  Note that initial communications directed to particular individuals inviting them to join such mailing lists themselves can class as direct marketing.  Furthermore, post or emails sent by 'political' societies or other campaigning groups to particular individuals promoting or soliciting support for their views will normally class as direct marketing from those societies/groups.  Data subjects have the right to object to the receipt of direct marketing - this is an absolute right and opt-outs must be respected.

Separate but related legislation, called the Privacy and Electronic Communications Regulations 2003 (as amended, PECR), furthermore states that:

  • Direct marketing by email (or text) should normally only take place with the individual recipient's prior consent (i.e. they have opted in to receive the emails or texts).  Technically, this rule applies when the email address is a 'personal' one created by the individual rather than a 'corporate' one supplied by their employer.  However, due to the mixed nature of the email address types on many mailing lists, it is usually advisable to proceed with caution and assume that consent will be required from all individuals on the list.

  • The exception to the need for consent when sending direct marketing emails or texts is known as the 'soft opt-in'.  This will come into play rarely in a University context.  It applies when an individual has bought a product or service, and supplied their email address, and was given but did not take the opportunity to opt out of marketing messages; it only applies to the future marketing of similar products or services.

  • Before direct marketing by phone, numbers should first be screened against the Telephone Preference Service unless the individual recipients have already consented.

  • There should be a clear unsubscribe opportunity in each email, text or phone communication.

PECR consents to direct electronic marketing need to be to a UK GDPR standard (i.e. freely given, specific, informed, demonstrable and easily revocable).  A template form of words for the collection of new direct electronic marketing consents is as follows:

We’d like to keep in touch with you to [keep you informed about our activities/invite you to future events].  Please tick the boxes below to indicate the formats in which you are happy to be contacted (you can change these at any time by contacting [email address] or automatically unsubscribing to emails or texts):

[  ]  Email

[  ]  Text

[  ]  Phone

If you are considering refreshing consents for any existing email lists, which are likely to be those aimed at alumni or members of the public, check:

  • Whether you really are sending direct marketing emails in the first place - if you're not, there's no need for consent.

  • Whether you hold adequate consent already - if people actively signed up to your list in the first place, or took another positive action to indicate their desire to receive the emails, the standard of consent is likely to be adequate and there's no need to refresh it.  In a small number of cases, you may also be able to rely on the 'soft opt-in' as described above.

  • If you conclude you do need to refresh your consents, you will need to ask people to opt in to the continued receipt of the emails.  If you do not hear back, you cannot contact them again by email (though you can by post).  So make sure you really do need to take this approach before you embark upon it.


13. Research

Guidance on academic research and data protection, explaining how and where the standard data protection provisions do and don't apply in an academic research context, is published separately.


14. References

Providing references about staff or students clearly involves the processing of their personal data.  Detailed guidance on providing references is available from the HR Division - although this page refers to staff and employees, the guidance there applies equally to the provision of references about students.

The following specific data protection issues should be borne in mind when providing references:

  • Many data subjects ask to see copies of references written about them.  There is, however, a wide-ranging exemption from disclosing these under the right of subject access.  Referees nonetheless are advised to write references on the assumption that the data subject may one day see a copy (including under alternative legal regimes for specific situations, such as the disclosure rules governing Employment Tribunals).

  • References should be accurate, up to date and evidence-based.  They should distinguish between statements of fact and statements of opinion.

  • Referees should avoid including any special category personal data in their reference (e.g. about sickness absence) unless they have the explicit consent of the data subject.

  • It is helpful to clarify within the reference whether you are writing on behalf of the University or in a personal capacity.  If a reference is written on behalf of the University, a copy usually should be placed on the data subject's departmental personnel/student file.  If writing personally, a copy should be retained by the individual referee.

  • Copies of references should not normally be retained for more than 6 years after the data subject leaves the University.  However, if a new reference request is received in relation to the data subject within that 6-year period, it is acceptable to keep a copy of that new reference for a further 6 years, and so on.

  • There may be variations to the above norms in the case of references given in relation to individuals working towards or in regulated professions (e.g. medicine).


15. Disclosure requests

Many staff will receive requests from third party organisations to disclose information comprising the personal data of students, employees, alumni and so on.  Many such disclosures - whether in relation to single individuals or groups/cohorts - are part of the normal functioning of the University.

If a disclosure request is received that is outside the course of normal University business, the key points to consider are as follows:

  • Is urgent disclosure required to protect the vital (life-or-death) interests of the data subject?  If so, it is permissible to disclose.

  • Is there a pre-existing process that, while not forming part of your own role, represents a formal/standard route for the information (which may include personal data) to be requested or accessed?  If so, it should be followed.  Examples include:

  • If the disclosure is not urgent and a pre-existing process for handling the enquiry does not exist, has the data subject been told that such a disclosure of their personal data might be made, whether as part of the University's core privacy notices or otherwise?  If not, as a rule of thumb, you should consider contacting the data subject in advance to seek their consent to the disclosure or at least forewarn them of it.  (But see below.)

  • Some disclosures are required by law without necessarily informing the data subject or seeking their consent (e.g. if the third party has a court order or statutory authority to compel the provision of information).

  • Some disclosures are discretionary but permitted by law without necessarily informing the data subject or seeking their consent (e.g. requests from the police, other law enforcement agencies or taxation authorities).

Staff should seek help with any unusual disclosure request - especially one involving a court order or from the police - from the Information Compliance Office.  They will liaise with the Legal Services Division and other relevant offices as necessary to ensure the request is dealt with appropriately and legally.


16. Publishing staff and student profiles and contact details

Nearly all University staff and students are happy to have their name, contact details, profile and photo published on a publicly accessible departmental (or equivalent) website.  However, all new starters should be given the opportunity to opt out of this by their department (or other office/section running the website in question).  This opportunity could be mentioned in a group email, an announcement in a departmental newsletter or welcome session, an item in a departmental new starter induction form, or any other communication method.  A suggested form of words is as follows:

We would like to include your [name/contact details/profile/photo] on our publicly accessible website at [URL]. Please let us know by [date] if you do not wish some or all of your details to be included.

Note that all staff and students can be included in internal listings, directories and intranet pages.

If a member of staff or a student is to be featured in (including by being recorded/photographed for) a website news story, a magazine/newsletter or a public exhibition of some sort, these basic opt-out provisions are insufficient and the separate guidance on the seeking of contributor consents should be followed (see under 'Forms and Agreements').