Data Protection Laws and Regulation

UK GDPR Principles

The University is required to follow and be able to demonstrate that they are complying with the principles set out in the UK GDPR, when processing personal data.

The principles are that personal data must be:

1

processed fairly, lawfully and transparently;

Fairly – means that individuals should not be misled or deceived when their personal data is collected
Lawfully – means you must process personal data in accordance with one pre-determined ‘lawful basis’
Transparently – means you must be open and clear to data subjects about the processing of their personal data, so they can make an informed decision about whether to provide that data, or exercise their data subject rights or not. This information is set out in the University’s Privacy Notices

2

personal data must only be used for specified, explicit and legitimate purposes;

3

must only be used in a way that is adequate, relevant and limited to only what is necessary for the purpose it was collected;

4

must be accurate and, where necessary kept up to date;

5

must not be kept for no longer than is necessary for purpose it was collected; and

6

handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.

There is also a seventh principle – Accountability. This means that the University has to take responsibility for complying with the principles, and to have appropriate processes and records in place to demonstrate compliance.

Learn more about how the University’s demonstrates compliance with the accountability principle.

Data protection regulation

The Information Commissioners Office (ICO) regulates data protection in the UK. They offer advice and guidance, promote good practice, carry out audits, consider complaints, monitor compliance and take enforcement action where appropriate.

You can find out more by visiting the ICO’s website.