Record of Processing Activities - UoD

Record of Processing Activities - University of Derby

Registration Number: Z859984X

Date Registered: 24 May 2004

Registration Expires: 23 May 2024

Data Controller: University of Derby

Address: Kedleston Road, Derby, DE22 1GB

Other Names: Buxton & Leek College, Buxton College, Leek College

The University of Derby is a public authority under the Freedom of Information Act 2000

This register entry describes, in very general terms, the personal data being processed by: University of Derby

Nature of Work: University

The University is organised into 4 academic colleges (College of Health, Psychology and Social Care, College of Science & Engineering, College of Arts, Humanities and Education and College of Business Law and Social Science) in addition there is further education provision through our Buxton and Leek College. These colleges are supported by Central Professional Services (FE Skills and Registry, Legal, Governance and Assurance Services, Digital Solutions, & Systems, Finance and People & Culture, Estates).

The Record of Processing Activity (ROPA) details the categories of data subjects and personal data that we process, as well as the purpose of the processing along with any recipients the personal data may be shared.

Description of Processing

The following is a broad description of the way this organisation / data controller processes personal information. To understand how your own personal information is processed you may need to refer to any personal communications you have received, check any privacy notices the organisation has provided or contact the organisation to ask about your personal circumstances.

Purposes for processing information

The University processes personal data for several purposes including:

Categories of data subjects

As a result, the University processes the personal data of:

Categories of personal data

Categories of personal data processed by the University include:

Sensitive Data

It must be noted that University also processes sensitive data, this may include:

Recipients of personal data

In certain circumstances, the University must share personal data with a third party if this is required by law or because it otherwise deems it to be necessary to achieve a specified purpose. The University of Manchester complies with the UK General Data Protection Regulation and the Data Protection Act 2018 when disclosing personal data.

The types/categories of recipients for personal data are:

Transfers of data to a third country

The University has relationships with institutions and agencies outside of the UK which encourage and facilitate international learning and research. Where we transfer personal data outside of the UK as part of these relationships, we ensure appropriate contracts or other safeguards are in place.

Retention of data

The University retains personal data in line with our records retention schedule. The retention schedule can be located through our SharePoint.

Statement of exempt processing

This data controller also processes personal data which is exempt from notification.

Information regarding our technical and organisational measures

Under the data protection legislation, the University has a general obligation to implement technical and organisational measures to show we have considered and integrated data protection into our processing activities, examples of our measures include:

To find out more...

Please read our Data Protection Policy.

Find out more about our privacy notices

Data Protection Officer: James Fussell (

Further information is available from the Information Commissioner’s Office register

Need advice?

You can contact us at