Skip to content

Governance and Structure

​​​​​The University Executive Committee is responsible for all matters associated with the development and management of the university.

Data protection policy

Last updated: 18 May 2023


1.1 The University of Gloucestershire (the ‘University’) collects, holds and processes data about its students, employees, applicants, alumni, stakeholders, contractors and other individuals in order to carry out its business and organisational functions.

1.2 Data Protection legislation defines ‘personal data’ as any information relating to an identified, or an identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal data also includes any expression of opinion about the data subject and what is intended for them.

1.3 The University is committed to protecting the rights and freedoms of individuals with respect to the processing of their personal data.

Purpose and Scope

2.1 The purpose this policy is to ensure compliance with the UK General Data Protection Regulation (GDPR) and related European Union (EU)1 and national legislation (‘Data Protection legislation’). Data Protection legislation applies to the processing of personal data about living identifiable individuals (‘data subjects’).

2.2 The University of Gloucestershire is registered with the Information Commissioner’s Office (ICO) as a Data Controller. The policy incorporates guidance from the ICO, and outlines how the University will discharge its duties and obligations to comply with Data Protection legislation.

2.3 This policy applies to all parts of the University and to all personal data held and processed by the organisation. This includes data held in any system or format, whether electronic or manual.

2.4 This Policy applies to all members of staff except when acting in a private or non-University capacity. The term ‘staff’ means anyone working in any context within the University. This includes but is not limited to temporary, honorary, visiting, casual, voluntary and agency workers, students employed by the University, and external members of committees. This Policy also applies to all locations from which personal data is stored and accessed including off-campus.

2.7 This policy applies to all students when processing personal data on behalf of the University, but not in any other situation including when acting in a private or non-University capacity.

2.8 This policy also covers any staff and students who may be involved in research or other activity that requires them to process or have access to personal data. If this occurs, it is the responsibility of the relevant School or Unit to ensure the data is processed in accordance with Data Protection legislation and that students and staff are advised about their responsibilities. In addition, students and staff undertaking research must adhere to the Research Ethics: A Handbook of Principles and Procedures, which provides information on ethical approval of research, privacy and confidentiality.

2.9 This policy is not, and should not be confused with, a Privacy Notice (a statement which informs data subjects how their personal data is used by the University).

2.10 This policy should be read in conjunction with responsibilities and obligations outlined in the following documents, which supplement this policy where applicable:

  • Staff employment contracts and comparable documents which impose confidentiality obligations in respect of information held by the University;
  • Any other contractual obligations or staff policies which impose confidentiality or data management obligations in respect of information held by the University;
  • IT and information security policies, procedures and terms and conditions which concern the confidentiality, integrity and availability of University information including rules about IT acceptable use, user accounts, internet, email, and network and wireless facilities.

Policy Statement

3.1 The University is committed to complying with Data Protection legislation through its everyday
working practices.

3.2 Complying with Data Protection legislation may be summarised as, but is not limited to:

3.3 In accordance with Data Protection legislation, additional conditions and safeguards will be applied to ensure that special category data (sensitive personal data) is handled appropriately. Special category personal data is information relating to an individual’s:

3.4 Criminal convictions or offences (alleged or proven) are not technically defined as special category personal data but are afforded similar protections.

4. Data Protection Principles

4.1 Data Protection legislation requires that the University, its staff and others who process or use any personal information, comply with the data protection principles.

4.2 The data protection principles state that personal data should be:

4.3 Accountability is central to Data Protection legislation, and Data Controllers are responsible for compliance with the principles and must be able to demonstrate this to data subjects and the UK regulator, the ICO.

5. Data Subject Rights

5.1 The rights given to data subjects under Data Protection legislation are:

5.2 Under Data Protection Regulation legislation, data subjects have the right of access to their personal data held by the University.

5.3 Any individual who wishes to exercise this right should make the request through submitting a Subject Access Request Form available on the University’s website at: , or by contacting

6. Roles and Responsibilities

6.1 As a Data Controller (or when acting as a joint Data Controller or a Data Processor), the University has a corporate responsibility for the following:

6.2 The University Executive Committee is responsible for reviewing and approving this policy.

6.3 University Council is responsible for assessing the overall risk profile of the University and ensuring appropriate resources and processes are in place and implemented to enable compliance with Data Protection legislation.

6.4 The University’s Data Protection Officer is responsible for:

6.5 Governance and Secretariat Services (Within the Registrar’s Directorate), in collaboration with other relevant service areas, is responsible for:

6.6 Directors, Heads of School, and Heads of Professional Departments are responsible for:

6.7 Compliance with Data Protection legislation is the personal responsibility of all members of the University who process personal data.

6.8 New members of staff are required to complete mandatory information governance online training as part of their University induction.

6.9 Staff members, as appropriate for their role and in order to enable the University to comply with Data Protection legislation, are responsible for:

6.10 The responsibilities outlined under paragraph 6.9 apply to individual students when processing personal data on behalf of the University.

6.11 Any breach of this policy may be treated as misconduct under the University’s relevant disciplinary procedures and could lead to disciplinary actions or sanctions.

Policy Review

7.1 This policy will be updated as necessary to reflect best practice, relevant case law, and to ensure compliance with any changes or amendments to Data Protection legislation.

7.2 This policy was approved by University Executive Committee in May 2018.  The policy was last reviewed in August 2021.  It is next scheduled for review in August 2024, or sooner if there is any significant change in Data Protection legislation.  

* The accountability obligations include: implementing appropriate data protection policies; implementing data protection by design and default in projects, procurement and systems; using appropriate contracts with third party Data Controllers and Data Processors; holding relevant records about personal data processing; implementing appropriate technical and organisational security measures to protect personal data; reporting certain personal data breaches to the ICO; conducting Data Protection Impact Assessments where required; and ensuring adequate levels of protection when transferring personal data out of the European Economic Area

Was this article helpful?