Data protection

​​Data Protection

The University of Gloucestershire is registered with the Information Commissioner's Office (ICO) as a 'Data Controller' under data protection legislation, in that it determines the purposes for which and the manner in which personal data is processed. 

The University collects, holds and processes data about its students, employees, applicants, alumni, stakeholders, contractors and other individuals in order to carry out its business and organisational functions. 

The University's registration and notification of its processing of personal data is available as part of the Public Register of Data Controllers maintained by the Information Commissioner's Officer (ICO).  The University's registration number is: Z5286780.

The University is committed to protecting the rights and freedoms of individuals with respect to the processing of their personal data, and to ensure compliance with appropriate UK and European Union (EU) legislation, including:

General Data Protection Regulation

On 25 May 2018, the General Data Protection Regulation (GDPR) came into force, strengthening data protection for individuals within the EU, bringing privacy laws into the 21st century and giving individuals more control over the way their personal data is used.  The ICO's Guide to the General Data Protection Regulation provides further information.  

Data Protection Act 2018

The Data Protection Act (DPA) 2018 is UK legislation which introduces agreed modifications (derogations) to the GDPR to make it work for the benefit of the UK. It replaces the former Data Protection Act 1998.  More information regarding the DPA 2018 is outlined on the ICO's website.

The GDPR and the Data Protection Act 2018 introduce more stringent requirements for data protection and accountability, and give individuals more control over their personal data.

Data Protection Policy

It is the duty of Data Controllers like the University to comply with the data protection principles.  The Data Protection Policy describes how the University will discharge its duties in order to ensure continuing compliance with data protection legislation, the data protection principles, and the rights and freedoms of data subjects.

Data Protection Policy

Data Protection Officer

If you have any queries or concerns regarding the way in which the University is processing your personal data, please contact the Data Protection Officer using the contact details below.​​

Data Protection Officer
University of Gloucestershire
Registrar's Directorate
Fullwood House
The Park
Cheltenham, GL50 2RH

Right of Access

Individuals have a number of rights under Data Protection legislation including the right of access to their personal data which an organisation holds on them.  This is what is known as a Subject Access Request (SAR).  SARs must be made in writing, and the University needs to be able to verify your identity.  Upon receipt of a SAR, the University has one calendar month in which to provide the information. 

If you wish to submit a request, please complete and return the SAR form below:

Subject Access Request Form   

Data Breaches

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data. The GDPR introduces a duty on all organisations to report certain types of personal data breach to the ICO within 72 hours of becoming aware of the breach, where feasible.

The Data Breach Policy sets out the procedure to be followed by the university if a personal data breach takes place.

Privacy Notices

You can view all of our privacy notices in the document hub.