The University of South Wales is registered as a data controller with the Information Commissioner’s Office.
The University undertakes to process personal information within the terms of the Data Protection Act 1998. In accordance with the Act, the University must provide the Information Commissioner with details of the processing of personal data carried out by the University through its formal registration (Reference No: Z6472800).
The University undertakes to maintain data in secure conditions and to process and disclose data only within the terms of its Data Protection notification.
The University processes data relating to its students for the following purposes:
The University, via its Faculties, Academic Registry and other ancillary departments, allows access to employees and agents of the University (on a need-to-know basis only).
Student information is disclosed to a variety of third parties or their agents, notably:
NB. Disclosures to organisations not listed above will be made in specific legitimate circumstances. Consent from the student will be sought where necessary and students will be informed of such disclosures unless exceptional circumstances apply.
The University processes data relating to its staff for the following purposes:
The University will, where necessary, disclose personal information relating to University employees to external organisations including:
NB. Disclosures to organisations not listed above will be made in specific legitimate circumstances. Consent will be sought where necessary and employees will be informed of such disclosures unless exceptional circumstances apply.
Under the Data Protection Act 1998, you have a right to request and receive a copy of the current personal information held on you by the University and a right to object to data processing that is inaccurate or causes substantial unwarranted damage or substantial unwarranted distress. On request, the University will also inform you of the credit agencies it has contacted and the personal details it has disclosed to them.
Please e-mail firstname.lastname@example.org if you have any specific questions relating to the Data Protection Policy, or for details of procedures relating to your rights as a data subject.
Please note that we are reliant on you for much of the data we hold: help us keep your record up-to-date by notifying your Faculty Office or the Human Resource Department of any alterations to your address, personal details, or course enrolments.
The Data Protection Act 1998 is a piece of information rights legislation that covers personal information.
It aims to ensure personal privacy by giving individuals rights with regard to information about themselves and by placing responsibilities on organisations that process this information.
The Act places certain obligations with which the University, as Data Controller, must comply:
Under the Data Protection Act 1998, the University is required to notify the Information Commissioner of the purposes for which it processes personal data. This notification is renewed annually and recorded in the Data Protection Public Register.
The University must ensure that its notification remains up-to-date and personal data must not be processed unless the activity is covered by the current notification.
Data Subjects have a number of rights relating to the information held on them as well as what happens to that data:
The Data Protection Act gives Data Subjects the right to request, in writing, a copy of the information held relating to them in electronic format and also in some manual filing systems.
In addition, individuals are entitled to be given a description of the information, what it is used for, who it might be passed on to, and any information held about the source of the information. This information is provided to individuals at their time of entry into the University and is available on the Information Governance web pages.
A data subject is entitled to write to the University to prevent processing for a specified purpose if that processing of their personal data is likely to cause unwarranted substantial damage or substantial distress to themselves or another person.
Damage can cover financial loss, loss such as pain and suffering, loss of amenity, and loss of reputation. Distress can cover shock, fear, anxiety or grief.
This right cannot be exercised if the data subject consented to the processing, the processing is part of a contract with the data subject, the processing is necessary to protect the vital interests of the data subject, or the University is under a legal obligation to process that data.
An individual is entitled, by written notice, to require the University to cease, or not to begin, processing personal data for the purpose of direct marketing. When the University as Data Controller receives such a notice, it must comply as soon as it can. There are no exceptions to this.
The data subject may apply to Court for an order if the data controller fails to comply with the notice.
Direct marketing is defined in the Act for the purposes of this provision as meaning the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals.
A data subject has the right to require the University not to make a decision that significantly affects them if it is based solely on the processing of data by automatic means.
Examples of this type of activity are assessing credit-worthiness, performance at work or possible employment, and automated assessment of students' academic work. All data subjects will be informed in advance as to whether such processing of their personal data will be undertaken.
Right to take action for compensation if the individual suffers damage by any contravention of the Act by the data controller
Data owners should be aware that a data subject now has the right to compensation either for damage or damage and distress for any contravention of the Act by the University. If the contravention was in relation to artistic or literary purposes or journalism, then compensation can be for distress alone.
A defence allowed in the Act is that the University has taken ‘such care as in all the circumstances was reasonably required to comply with the requirement concerned’. Data owners should therefore ensure that, where the risk to data subjects is clearly foreseeable, appropriate measures are taken to comply with the Act in those circumstances.
An individual may apply to the Court for an order that would require the University to rectify, block, erase or destroy data relating to that individual that are inaccurate, together with any other personal data relating to the data subject which contain an expression of opinion which the Court finds is based on the inaccurate data. Data are considered inaccurate if they are incorrect or misleading as to any matter of fact.
Data owners within the University need to ensure that there are procedures in place for data subjects to correct inaccurate or out-of-date data, and procedures for staff and students to update basic terms of data.
The University aims to comply fully with its obligations under the Data Protection Act 1998 and takes complaints relating to the institution's adherence to the Act very seriously.
Individuals wishing to report concerns relating to the Data Protection Act 1998 should, in the first instance, contact the University’s Information Compliance Officer, who will aim to resolve any issues.
Mr Rhys Davies
Information Compliance Officer
University of South Wales
If the individual feels the complaint has not been dealt with to their satisfaction, the individual can formally complain to the Records and Information Compliance Manager.
The Records and Information Compliance Manager will review the facts of the complaint and, having taken these into consideration, will determine whether the University has acted in accordance with or contrary to the Act.
Mr. William Callaway,
University of South Wales
The Records and Information Governance Manager will contact the individual making the complaint and advise them of the outcome of the investigation into their complaint.
If at any time the complainant is unhappy with the way their grievance is being handled, the complainant can also contact the Information Commissioner’s Office, which is responsible for regulating the processing of personal information.
The ICO can be contacted at:
Information Commissioner’s Office
Cheshire SK9 5AF
Tel: 08456 306060 or 01625 545745
To comply with the Act, the University must ensure that it processes data in accordance with the Data Protection Principles:
All Personal Data processed must satisfy at least one of the conditions of Schedule 2 of the Act. The requirements of Schedule 2 can be summarised as follows:
There are special provisions within the Act for the processing of sensitive personal data. Within the context of data protection, sensitive personal data relates to the following:
When handling sensitive personal information, the data controller must ensure that, in addition to complying with one of the Schedule 2 conditions listed above, it also complies with one of the following conditions:
The University will, in the course of its work, regularly process personal information relating to both staff and students that is sensitive in its nature. Within the context of the University, Departments such as Finance could process information relating to staff membership of trade unions, whilst Campus Services could process sensitive information involving specific student requirements.
The use of modern information systems with integrated databases enables more sharing of data and reduces the need for multiple collection points for that data. Consequently, data owners should exercise great care in ensuring that data processed for one purpose is not processed for a different purpose in breach of this Principle.
Data owners should ensure that only relevant data is processed. Neither the University nor its staff can collect personal information on the premise that it might be useful at some stage in the future. If there is no reason to collect the data for a specified purpose, then it should not be collected.
It is essential that checks for accuracy are made for maintenance of the University’s data. Data owners should put in place procedures for ensuring that the data is verified for accuracy and the data is kept up to date. A basic minimum would be annual updating for both staff and student data, together with rapid updating for specific items of data.
Personal data should not be kept for longer than is required for the purpose for which it has been acquired. The University has policies and procedures in place which cover the retention of personal data relating to data subjects and further guidance can be obtained from the University Records Manager.
The Data Protection Act 1998 gives the data subject increased rights of access to personal data held on them. The Act also provides strict time limits in which data controllers must respond to access requests from individuals.
Subject to some exceptions, requests for personal information must be dealt with within 40 days of the access request being received in the University.
The University as Data Controller must ensure the security and safekeeping of all personal data whether it is held on computer or within manual files. This includes physical security from unauthorised access as well as protection against accidental loss, destruction or damage.
The European Economic Area (EEA) consists of the 15 European member states together with Iceland, Liechtenstein and Norway. Transfers to any other states will not be legal unless their local laws provide data subjects with the same or greater levels of protection as the Data Protection Act.
In order to transfer personal information to a country outside of the EEA, University staff should contact the Information Compliance Officer to receive further clarification.
The Privacy and Electronic Communications Regulations 2003 regulate direct marketing activities by electronic means (by telephone, fax, email/other electronic methods) and the security and confidentiality of these communications, together with rules governing the use of ‘cookies’ and ‘spyware’.
All direct marketing undertaken by the University must be undertaken in compliance with the Privacy and Electronic Communications Regulations 2003.
Queries about Data Protection should be directed to:
University of South Wales