Data Protection FAQ

main content

What is Data Protection?

Data Protection concerns personal data and how it is processed. The Data Protection Act 1998 provides a legal framework to ensure that personal data is processed fairly and lawfully. The University is legally bound to comply with the Act when collecting, processing, storing and destroying personal data. Failure to comply with the Act can result in legal or criminal proceedings as well as financial penalties against the University.

I've made a request for my personal information. How long does it take?

When you submit a request for your personal information, known as a Subject Access Request, the University has 40 calendar days to respond. The University may charge a £10 fee to handle your request.

Requests for exam scripts/marks

Exam scripts are specifically exempt under the Act. However, students are entitled to see associated examiner’s comments, which are not exempt from disclosure. Students should approach the relevant department in the first instance to ask for access to their exam script (either a copy or access to the original). It is at the discretion of the department whether they provide this access. If a department does not wish to provide access to the exam script there is no recourse under Data Protection to force them to do so.

However, if a student wishes to gain access to examiner’s comments and the department does not wish to process this as ‘business as usual’ then students should contact:

Exam marks are not exempt under the Act but if a request for access to examination marks is made before results are announced then the University must respond within:

  • 5 months of the date of the request; or
  • 40 days of the date the results are published,

whichever is the earliest.

This is to prevent students from receiving their results before they are officially announced.

Can I ask for references that have been written about me?

References provided by the University

Under Schedule 7 of the Act, the University is not required to provide confidential references it has provided for the purposes of:

(a) the education, training or employment, or prospective education, training or employment, of the data subject,
(b) the appointment, or prospective appointment, of the data subject to any office, or
(c) the provision, or prospective provision, by the data subject of any service.

However, the University may choose to provide a copy, if a reference is wholly or largely factual in nature, or if you are aware of an appraisal of your work or ability.

References received by the University

These are not exempt under the Act and should be considered for disclosure as normal as part of a Subject Access Request.

The University may contact the author of the reference to ask if they have any objection to the reference being disclosed. The University must consider whether it is reasonable given all the circumstances, to provide the reference. This will be done in line with Information Commissioner Office guidance.

The Information Governance Unit will process any such requests.

Can I release personal information to a third party?

You should always be cautious about releasing personal information. The Data Protection Act exists to ensure that personal data is processed fairly and lawfully. It is important to establish if the person asking for information is the subject of the information, or is acting on behalf of the person the information relates to. In cases when, for example a solicitor is requesting information on behalf of a client, written confirmation from the client that information is to be released is required, as well as confirmation of identity. If you have any doubts as to whether to release data, contact your departmental Data Protection contact or the Information Governance Unit.

In most cases the explicit consent of an individual is required before his/her personal data is passed to a third party, unless the University has a legal or statutory obligation to do so; this is the case with personal data we provide to HESA, UK Borders Agency etc.

The Data Protection statements for staff and students provide further information on this.   

Can I outsource the processing of personal data to a third party?

If you are transferring personal data to a third party, which they are processing on your behalf, a Data Processing agreement must be in place. The agreement should set out the terms of the service between both parties, and act as an undertaking from the third party that it will comply with Data Protection law. This agreement will then be enforceable in law should the terms be breached.

If you are working on a project that would involve the exchange of personal data between the University and a third party and/or processing by an outside contractor please contact  for advice.


How is my personal information protected if it is sent overseas?

The Data Protection Act prohibits the transfer of personal information from the UK to other countries, unless those countries can ensure the same level of protection. Countries within the European Economic Area have similar levels of protection to the UK and are considered to be safe. Some countries outwith the EEA are considered to be safe by the European Commission, further details can be found on the European Commission's website.

Personal data should only be sent to countries outside the European Economic Area if the country concerned has adequate data protection laws, or the company concerned agrees to adhere to appropriate conditions regarding the processing of personal data.

Can I process personal information as part of my research?

If you use data that is linked to identifiable living individuals in a research project then you must comply with the Data Protection Act.  However, if the research activity meets all of the following conditions then the personal data may be exempt from some of the Data Protection principles (second, fifth and sixth).  These conditions are that:

  • You are using the information exclusively for research purposes (includes statistical or historical research purposes). The information must have no other use, not even an incidental use.
  • You are not using the information to support measures or decisions relating to any identifiable living individual (not just the data subject but anyone who may be affected by your research).
  • You are not using the data in a way that will cause, or is likely to cause, substantial damage or substantial distress to any data subject.
  • You will not make the results of your research, or any resulting statistics, available in a form that identifies the data subjects. For example if you use case studies in your research report you may choose to disguise the names of the individuals. However, if you describe their circumstances in detail it may be possible for someone to identify that individual, in which case you would not meet this criterion.

If the research activity meets these conditions then the personal data:

i) May be used for a new purpose

ii) May be kept for a research purpose

iii) Need not be provided under the subject right of access*

*This only applies if:

  • The personal data is processed in compliance with the relevant conditions.
  • The results of research or resulting statistics are not made available in a form which identifies data subjects.

Please note that this FAQ does not provide comprehensive guidance on this topic.  If you intend to use personal data in a programme of research and wish to know more about Data Protection you should contact the Information Governance Unit.

What is personal and sensitive personal data?

Personal data is information that allows an individual to be identified. A name on its own is not necessarily personal data e.g. John Smith. However, if linked with other information e.g. matriculation number or course details, an individual may be identifiable.

Sensitive personal data is information that relates to race/ethnic origin, political opinions, religious beliefs, trade union membership, health (mental or physical) or details of criminal offences. This category of information should be handled with a higher degree of protection at all times.

How should I handle personal data as part of my job?

You must ensure that personal data is held securely at all times and access is restricted to only those who require it. If information is in paper form, it should be kept in locked filing cabinets or equivalent storage when you are not working on it. Electronic data should also be stored in secure areas i.e. restricted network drives. Never leave records containing personal data unattended on your desk, and lock your computer screen if you have to leave your desk.

See also the Records Management Guidance note on Information Security.

What security is required for portable storage devices?

Portable storage devices are particularly susceptible to loss or theft. Therefore, unless it is unavoidable, you should not store personal data on any portable device i.e. laptops, memory sticks etc. If you need to access personal data off-site, consider whether you are able to do so by accessing the University’s secure network remotely. If there is no alternative and you must take personal data off-site on a portable device, you must consult IT Services in advance to discuss encryption.

Read more about the Information Commissioner's Office approach to encryption.

How do I request information about me held by the University?

If an individual requests information about him/herself, that you would usually give out in the normal course of business, you can process this as ‘business as usual’. You need only confirm the identity of the individual making the request. This will often be the case where a student wishes to know routine information about his/her course/academic progress.

However, if you receive a request for information that is not considered to be routine or ‘business as usual’ the individual should be referred to the Information Governance Unit. This will be handled as a Subject Access Request.

If someone wishes to make a request regarding another individual he/she should be referred to the Information Governance Unit.

What is a 'business as usual' request?

A ‘business as usual’ request is a request for information of the sort that you are accustomed to handling on a regular basis.  If you are sure of the identity of the individual making the request and the information being asked for is usually released in the normal course of business, it should be processed as usual. If you receive a request for information that is not considered to be a routine request, the individual should be directed to submit their request to the Information Governance Unit, where it will be processed as a Subject Access Request.

What is the ICO notification?

As a data controller the University is required to register a notification with the Information Commissioner’s Office (ICO) which regulates compliance with the Data Protection Act. The notification lists the standard types of personal data that the University processes and the reasons for processing this data. It also states if information will be shared or transferred outside the EEA. It is a public record and can be viewed on the Information Commissioner’s Office Website

The notification is renewed annually. Prior to this, all departments across the University are required to conduct an audit, to establish the types of personal information that they are collecting, processing and storing. The audit is managed by the Information Governance Unit, which will analyse the departmental returns, and make any necessary changes to the notification.

How can I find out more about Data Protection?

Every department in the University has appointed a member of staff to act as their departmental contact for Data Protection issues. In the first instance you may direct your data protection queries to your department contact. In addition you can send queries to staff in the Information Governance Unit at

More detailed information about the Data Protection Act can be found on the Information Commissioner's website.

Can I ask for CCTV images?

Images of identifiable individuals are considered ‘personal data’ under the Data Protection Act 1998. If you believe the University holds images of you on its CCTV system and you wish to access these, this would be treated as a Subject Access Request.

More information about the use of CCTV by the University

Is a photograph of me considered to be personal data?

Photographs of staff or students would constitute ‘personal data’ as defined by the Data Protection Act. The University must process personal data in accordance with the principles of the Act and must meet certain conditions before personal data can be processed (‘processing’ would include any use of photos including posting them on a website). 

In some departments it will be common practice for photos to be put on websites, and staff and students will happily provide photos with a clear understanding of their intended use.

If a department decides to put photos on a website then at the outset they should ask staff/students to sign a consent form, which outlines the purpose of the exercise and states what the photos will be used for. The photos can then be used only for the purpose stated.

If any individual refuses consent then their photo should definitely not be used.  It should be recognised that there may be many legitimate reasons why people do not want their photograph to be made public via the University website.  If an individual explicitly states that they do not wish their personal data to be used in this way then it should not happen.

What do I need to know about processing personal information for a marketing campaign?

Direct marketing can cover a range of activities, including the offer for sale of goods or services. To conduct a marketing campaign legally, you may have to comply with certain legislation. Depending on how you are marketing, you may be affected by the PECRs, Data Protection or both.

If you are using electronic communications, such as email for a marketing campaign, the PECRs apply.

If you are using or gathering personal information, The Data Protection Act will apply.

If you are using electronic communications for marketing to named individuals, both the PECRs and the Data Protection Act will apply.

Further information on the PECRS can be found at the following link:

Direct Marketing: Impact of the Privacy and Electronic Communications Regulations (PECRs) and Data Protection