UK GDPR / DPA 2018

The UK GDPR (Data Protection Act 2018) is a UK law which came into effect on 1 January 2021.  It sets out the key principles, rights and obligations for most processing of personal data in the UK. 

Personal data is information that relates to an identified or identifiable individual.  You should always take into account the information that you are processing together with the means reasonably likely to be used by either the University or another person to identify that individual. 

The Principles relating to the processing of personal data are: 

  • Lawfulness, fairness and transparency
    Processed lawfully, fairly and in a transparent manner in relation to individuals 
  • Purpose limitation
    Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes 
  • Data minimisation
    Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed 
  • Accuracy
    Accurate and where necessary, kept up to date 
  • Storage limitation
    Held no longer than is necessary for that purpose or those purposes 
  • Integrity and confidentiality
    Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures 
  • Accountability
    The controller shall be responsible for and be able to demonstrate compliance 

The University will process personal data for the purpose of its normal business activity and in compliance with the law and other statutory obligations. This will include: 

The payment of salary, pension provision, equality and diversity legislation and the University’s duty to monitor statistics, statistical returns, training and development and the operation of policies and procedures.

Certain information may need to be disclosed to other legitimate parties as part of the University’s obligation to comply with statutory or legal requirements including statistical returns to external bodies including: HESA, Inland Revenue, Pension Bodies and other Government departments, e.g. Child Support Agency and Benefits Agency. These are indicative examples of data processing purposes and are not exhaustive. 

The UK GDPR (Data Protection Act) provides individuals with the right to access information that is kept about them. Staff wishing to exercise their right under the Act should contact the Data Protection Officer at  

This policy is effective from 1 January 2021. 

Staff who process or use any personal information must ensure that they follow the principles of the Act at all times. Staff should familiarise themselves with the contents of this policy and also the Data Protection Code of Practice which can be viewed on the University Data Governance webpage. 

The University is registered as a Data Controller with the Information Commissioners Office (ICO). This means that the University will notify the ICO of certain details about the processing of personal data which are then included on a public register. 

The University and all staff who process or use any personal information are required to be compliant with the policy. 

The Data Protection Officer for the University has responsibility for ensuring the University’s compliance with the Act. 

Data Protection Officer / Corporate Information Governance and Assurance Manager.

The University is committed to complying with the UK GDPR / Data Protection Act 2018 and the EU GDPR and will operate procedures to ensure that appropriate requirements are met. 

The Act contains seven fundamental principles relating to the collection, use and disclosure of data and the right of individuals to have access to personal data concerning themselves. 

The University and all staff who process or use any personal information. 

Need advice?


August 2021
  • Policy updated, web page created.