Data protection



The University of Gloucestershire is registered with the Information Commissioner's Office (ICO) as a 'Data Controller' under data protection legislation, in that it determines the purposes for which and the manner in which personal data is processed. 

The University collects, holds and processes data about its students, employees, applicants, alumni, stakeholders, contractors and other individuals in order to carry out its business and organisational functions. 

The University's registration and notification of its processing of personal data is available as part of the Public Register of Data Controllers maintained by the Information Commissioner's Office (ICO). The University's registration number is: Z5286780.

The University is committed to protecting the rights and freedoms of individuals with respect to the processing of their personal data, and to ensuring compliance with appropriate UK and European Union (EU) legislation, including:

Data Protection Act 1998

The Data Protection Act (DPA) 1998 is UK legislation which governs the processing of personal information relating to living individuals.  The Act gives certain rights to individuals and it requires those who process personal data to adhere to eight data protection principles.  More information regarding the DPA 1998 is outlined in the ICO's Guide to Data Protection.

General Data Protection Regulation

On 25 May 2018, data protection legislation will change when the new General Data Protection Regulation (GDPR) comes into force. The GDPR strengthens and unifies data protection for individuals within the EU, bringing privacy laws into the 21st century and giving individuals more control over the way their personal data is used. The ICO's Guide to the General Data Protection Regulation provides further information.

Data Protection Bill 2017

The Data Protection Bill 2017, which is currently passing through UK Parliament, introduces agreed modifications (derogations) to the GDPR to make it work for the benefit of the UK.  Once enacted by Parliament, it will replace the DPA 1998. 

The GDPR and the Data Protection Bill introduce more stringent requirements for data protection and accountability, and give individuals more control over their personal data.

Data Protection Policy

It is the duty of Data Controllers like the University to comply with the data protection principles.  The Data Protection Policy describes how the University will discharge its duties in order to ensure continuing compliance with data protection legislation, the data protection principles, and the rights and freedoms of data subjects.

Data Protection Policy

Data Protection Officer

The University's Data Protection Officer is:

Sue MacGregor
Data Protection Officer
University of Gloucestershire
Registrar's Directorate
Fullwood House
The Park
Cheltenham, GL50 2RH

If you have any queries or concerns regarding the way in which the University is processing your personal data, please contact the Data Protection Officer using the contact details above.

Right of Access

Individuals have a number of rights under data protection legislation, including the right of access to the personal data which an organisation holds on them. A request to exercise this right is known as a Subject Access Request (SAR). SARs must be made in writing, and the University needs to be able to verify your identity. Upon receipt of a SAR, the University has one calendar month in which to provide the information.

If you wish to submit a request, please complete and return the SAR form below:

Subject Access Request Form   

Data Breaches

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. A breach is therefore about more than just losing personal data. The GDPR introduces a duty on all organisations to report certain types of personal data breach to the ICO within 72 hours of becoming aware of the breach, where feasible.

The Data Breach Policy sets out the procedure to be followed by the University if a personal data breach takes place.

Privacy Notices

Other Policies and Notices

Data protection policy   
Data processing consent notice 2017-2018  
Data processing consent notice 2016-2017
Learning analytics policy