Data protection

​​​​Data Protection

The University of Gloucestershire is registered with the Information Commissioner's Office (ICO) as a 'Data Controller' under data protection legislation, in that it determines the purposes for which and the manner in which personal data is processed. 

The University collects, holds and processes data about its students, employees, applicants, alumni, stakeholders, contractors and other individuals in order to carry out its business and organisational functions. 

The University's registration and notification of its processing of personal data is available as part of the Public Register of Data Controllers maintained by the Information Commissioner's Officer (ICO).  The University's registration number is: Z5286780.

The University is committed to protecting the rights and freedoms of individuals with respect to the processing of their personal data, and to ensure compliance with appropriate UK and European Union (EU) legislation, including:

General Data Protection Regulation

On 25 May 2018, the General Data Protection Regulation (GDPR) came into force, strengthening data protection for individuals within the EU, bringing privacy laws into the 21st century and giving individuals more control over the way their personal data is used.  The ICO's Guide to the General Data Protection Regulation provides further information.  

Data Protection Act 2018

The Data Protection Act (DPA) 2018 is UK legislation which introduces agreed modifications (derogations) to the GDPR to make it work for the benefit of the UK. It replaces the former Data Protection Act 1998.  More information regarding the DPA 2018 is outlined on the ICO's website.

The GDPR and the Data Protection Act 2018 introduce more stringent requirements for data protection and accountability, and give individuals more control over their personal data.

Data Protection Policy

It is the duty of Data Controllers like the University to comply with the data protection principles.  The Data Protection Policy describes how the University will discharge its duties in order to ensure continuing compliance with data protection legislation, the data protection principles, and the rights and freedoms of data subjects.

Data Protection Policy

Data Protection Officer

If you have any queries or concerns regarding the way in which the University is processing your personal data, please contact the Data Protection Officer using the contact details below.​​

Data Protection Officer
University of Gloucestershire
Registrar's Directorate
Fullwood House
The Park
Cheltenham, GL50 2RH
Email: dpo@glos.ac.uk

Data Breaches

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data. The GDPR introduces a duty on all organisations to report certain types of personal data breach to the ICO within 72 hours of becoming aware of the breach, where feasible.

The Data Breach Policy sets out the procedure to be followed by the university if a personal data breach takes place.

Privacy Notices

You can view all of our privacy notices in the document hub.

Individuals Rights

Individuals have a number of rights under Data Protection legislation:

The right to be informed – Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement which is usually satisfied by the provision of a Privacy Notice. A Privacy Notice should be given whether we receive personal data directly from an individual or indirectly from someone else.

The right of access – Individuals have a right to access their personal data which is commonly referred to as a Subject Access Request.

The right to rectification – Individuals have a right to have inaccurate personal data relating to them to be rectified, or completed if it is incomplete.

The right to erasure – Individuals have a right to have personal data erased which is also known as the right to be forgotten. This right is not absolute and only applies in certain circumstances.

The right to restrict processing – Individuals have the right to request the restriction or suppression of their personal data. This right is not absolute and only applies in certain circumstances.

The right to data portability – Individuals have the right to obtain and reuse their personal data for their own purposes across different services. This right allows individuals to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without it affecting usability.

The right to object – Individuals have the right to object to the processing of their personal data in certain circumstances.

Rights in relation to automated decision making and profiling – Individuals have the right not to be subject to a decision based solely on automated decision-making using their personal data.

The right to communication – Individuals have the right to be told about personal data breaches that pose a high risk of harm to them.

Data Protection legislation states that a response to all rights must be sent without undue delay and at the latest within one calendar month. That period may be extended by two further months if a request is complex or we receive a number of requests from the same individual. If the University proposes to extend the time beyond a month, we will explain to the individual, within one calendar month of receiving a request, why the extension is necessary and when it will be dealt with.

The rights above are not absolute. The legislation sets out the circumstances in which they apply. In addition an exemption may be present in the Data Protection Act 2018 which may apply.

To help us facilitate any of the above requests, it would be helpful if you could complete an Individuals Rights Form, providing as much information as possible, and submit this by email to dataprotection@glos.ac.uk​, or send it to:

Data Protection
Governance and Secretariat Services,
Fullwood House,
The Park
Cheltenham
GL50

In addition, you will need to attached either a hard copy or electronic copy of one form of ID (passport, driving licence, birth certificate or other internationally recognised ID card) for yourself.

You can complete an Individuals Rights Form below. 

Individuals Rights Form