Data Protection

The University processes a range of information about staff, students and other individuals for a variety of purposes that underpin its operations. In doing so, the University is committed to upholding and protecting the rights of data subjects and complying with all relevant data protection legislation. 

The University has published a Data Protection Policy, which sets out the principles that will be applied in meeting these commitments. 

Copies of many of the privacy notices provided to data subjects can be accessed on the privacy notices page.

Data Subject Access Requests

Under data protection legislation, data subjects may have a number of rights in respect of their personal data, including the following:

  • Right to access personal data
  • Right to data portability
  • Right to rectification of data
  • Right to be forgotten
  • Right to request a restriction of processing
  • Right to object to processing
  • Right not to be subject to automated decision making

Requests to exercise data subject rights will be considered in line with the Data Subject Rights Procedure, which is set out in brief in the Data Subject Rights Flow Diagram.

Data subjects should consider whether they can achieve the intended result informally using a self-service system or by contacting the relevant department directly. Examples of self-service processes are as follows:

  • HR Self-Service - Access iTrent via the Staff Portal
  • Student Record Self-Service - Access via Nest

A formal request to exercise a data subject right should be sent to  All data subjects should be prepared to provide copies of acceptable ID, which includes a driving license or passport, student card or employee card. Where ID cannot be provided, the request will normally be rejected. A response will normally be given to requests under the Data Subject Rights Procedure within one calendar month. This may be extended to two months where the request is complex or where multiple requests have been received from the data subject.

Personal Data Incidences

Personal data incidences should be reported immediately to an employee's manager and to the Data Protection Officer.

If you have any queries about this page or any other matters relating to data protection, please contact

This page is under constant review and will be regularly updated. It was last updated in October 2023.