Data Protection Act 1998

The Data Protection Act 1998 sets out rules for processing personal information relating to living individuals. It applies to some paper records as well as those held in electronic form. The Act gives individuals certain rights. It also imposes obligations on those who record and use personal information to be open about how that information is used and requires them to follow the eight data protection principles.

Personal data must be processed following these principles so that data are:

  1. processed fairly and lawfully and only if certain conditions are met;
  2. obtained for specified and lawful purposes;
  3. adequate, relevant and not excessive;
  4. accurate and where necessary kept up-to-date;
  5. not kept for longer than necessary;
  6. processed in accordance with individual's rights;
  7. kept in a secure manner;
  8. not transferred outside of the EEA without adequate protection.

You are entitled to access the information held about you, except where releasing that information would breach another person's privacy or where an exemption applies. Asking for copies of your personal data in this way is known as making a 'subject access request'.

You also have rights to prevent data processing which is likely to cause substantial and unwarranted damage or distress, to prevent processing for the purpose of direct marketing, and to correct inaccurate personal data.

The Data Protection Act also imposes certain responsibilities on all those who process personal data at the University, whether you are a member of staff holding, using and sharing (or indeed destroying) personal data in your teaching, research or administration, or a student accessing and recording personal data in your studies or other activities. These obligations include holding and using data in a secure manner, making sure that data is handled in line with what individuals have been told, having appropriate arrangements in place for the access to (and sharing of) data, and making sure that individuals' data is accurate and retained for a suitable period. Most importantly, if a data breach occurs (e.g. personal data held by the University is lost, stolen, inadvertently disclosed to an external party, or accidentally published), this should be reported immediately to the Information Compliance Office so that we may review the circumstances and liaise as necessary with colleagues internally and the relevant external authorities.

The University maintains a Data Protection Notification (registration) with the Information Commissioner, the independent authority responsible for overseeing compliance with the Act. This outlines, in very general terms, the personal data being processed by the University. The University's register entry number is Z6641083 and may be found by searching the Information Commissioner's site:

Please note that the 31 constituent Colleges of the University are separate legal entities for the purposes of the Data Protection Act.