The University of South Wales is registered as a data controller with the Information Commissioner’s Office.
The University undertakes to process personal information within the terms of the Data Protection Act 1998. In accordance with the Act, the University must provide the Information Commissioner with details of the processing of personal data carried out by the University through its formal registration (Reference No: Z6472800)
The University undertakes to maintain data in secure conditions and to process and disclose data only within the terms of its Data Protection notification.
The University will process student personal data in order that it can manage its processes, provide education and services and meet certain legal requirements. Processing would include the following actions in relation to personal data: obtaining, recording, storing, organising, maintaining, updating, retrieving, using, disclosing and deleting the personal data. This personal data may include data such as name, address, date of birth, programme and modules studied, fee payments, information about examinations, information relating to services, attendance, assessments and results.
In addition to this, the University may process some sensitive student personal data, such as details about health in order to provide care, and information concerning ethnicity and disability for planning and monitoring purposes. Also, for certain programmes of study, information about past criminal convictions will be processed.
The University requires personal data to provide students with: lectures and other academic provision, access and use of the Library and IT facilities, counselling, medical care, accommodation, student misconduct/complaints processes, advice services and pastoral support, alumni operations, financial advice, disability and employability services.
The University utilises personal information to manage student engagement and to conduct internal research into improving education and educational services and quality and performance monitoring.
The University, via its faculties, corporate support departments, allows access to employees and agents of the University (on a need-to-know basis only).
The University may disclose appropriate personal data, including sensitive personal data, to third parties, where there is legitimate need or obligation, during or after the period of study. Such disclosure is subject to procedures to ensure the identity and legitimacy of such agencies. These third parties may include the following (please note that this is not an exhaustive list):
The University’s partners and contractors
The University may provide personal information to its partners and contractors. In such cases, the University must ensure that this information is managed in accordance with the Act and only for the purpose for which it was provided to the partner/contractor.
Limited personal data will be shared with University of South Wales Students Union for the purposes of administration, welfare and health and safety
Relevant information will be shared with local authorities for purposes relating to council tax administration.
To assist with the registration of students under the 'Individual Electoral Registation’ system, personal data will be provided to the local authority’s Electoral Services department. This data will be used by the local authority to identify those indviduals who have an entitlement to vote. To complete the registration it will then be necessary for the student to complete their registration online.
The University of South Wales uses Turnitin® for the purposes of checking coursework and academic submissions for plagiarism and appropriate citations. Limited personal information may be disclosed to Turnitin when using this system.
Relevant government departments to whom we have a statutory obligation to release information (including the Higher Education Funding Council for Wales (HEFCW) the Higher Education Statistics Agency (HESA) and Council Tax officers)
Further information on uses of information by HESA can be found on the their “website“http://www.hesa.ac.uk/fpn.
Where an external review is requested from the Office of the Independent Adjudicator the University it will be necessary to make available relevant personal for the purposes of an external review.
The Higher Education Achievement Report (HEAR) is a digitally signed electronic document that provides learners with a record of their academic and non-academic achievements which have been verified by the University. The University of South Wales is working with a company called GradIntel to provide this service.
Further information on HEAR can be found on the University website.
The University is required to pass data about its students to the Higher Education Funding Council for Wales (HEFCW) for them to conduct the National Student Survey. This survey gives students the chance to give feedback on their experiences at the University and so informing the choices of prospective students. It is described in detail on the National Student Survey website.
Where students are involved in exchange or placement programmes or where other documentation is required, the University may disclose personal data for general educational, assessment, residency etc. purposes.
Where students have a sponsor (who may pay tuition fees, provide other financial support or permit release from work to undertake the programme of study) scholarship scheme or a loan provider, the University may disclose student personal data to these organisations. In such cases information will only be provided where the University is provided with a contractual agreement for the provision of such information or where the student has given permission for such disclosure.
Information may be passed to credit reference agencies who may keep details of the searches we make about students, and debt collection agencies for specific circumstances.
Other than in the most exceptional of circumstances, the University will not to disclose a student’s personal data to parents, guardians and any other relative without consent from the student.
In situations where students have provided details of an “in case of emergency” contact in the event of a medical problem or emergency then some personal data may be provided.
Further guidance is available on the University web pages
On the day of graduation, certain information (including the student’s name, course, degree attained) will appear in the Award Programme. Students not wishing for their details to be included must opt out by advising the University of their wish some time in advance of the ceremony. Further information is available on the Student Administration.
Photographs and video recordings are taken of graduation ceremonies and by attending attendees permit that any such photos/footage may be publicised on the University’s website.
At the beginning of the academic year each student is required to take a photograph that is then kept on the student’s record and used on their identification card Close up photographs of students are used as a means of identification and photos are used as part of a number of University activities. For example, all ID cards require a photo and the University retains a copy of this photo for the purposes of identification.
Over the course of a student’s time with the University general photos may be taken that may capture academic or student life. Those students not wishing to have their photograph taken should at the outset advise the photographer of their wishes and remove themselves from any pictures. Group photographs taken will assume the permission of individuals pictured for use in University publications and publicity materials, and publications produced by third parties authorised by the University.
The University may provide information to government departments/agencies on matters relating to the prevention and detection of crime, apprehension and prosecution of offenders and/or the collection of tax (Disclosures to include but not limited to; HMRC, United Kingdom Border Agency, Police)
Information may also be provided to Benefit Fraud Sections within Local Authorities and/or the Department of Work and Pensions, about students if it is necessary for the prevention or detection of a crime or the collection of taxes.
In certain instances the University may be informed by the Police or other agencies when students are arrested, charged, convicted or cautioned and the nature of the offence may require that the information is passed to the University Secretary’s Office for further action.
CCTV is in operation across all the University’s properties. Access to the footage is limited to trained staff and to those to who need access to the footage for matters relating to their work or University business.
All staff operating the CCTV system do so in compliance with the appropriate legislation.
The University uses ‘cookies’ to gather information that will improve the user’s experience of the website. The Privacy and Cookies Policy states how information gathered from those viewing its website is used:
Personal data relating to students on specific programmes will be passed to professional bodies which accredit those programmes at the University, those with a regulatory function over our programmes or where qualification on a programme facilitates membership or registration of that body.
If there has been an incident of academic or professional misconduct and/or where the Head of School believes there is a concern related to fitness to practise which may result in a risk to the public, this will also be reported to the appropriate professional body.
Many government bodies and NGOs have statutory powers to require the University to provide personal information.
Others may request information relating to their official functions and the University will normally provide the information requested if it is deemed appropriate to do so.
The University receives many requests for personal data from solicitors acting on a student’s behalf. In such cases, before any personal data is disclosed, the university requires the solicitor to provide consent from the student to demonstrate that they are acting on behalf of that student. Solicitors often refer to this as a form of authority.
In rare cases where a solicitor acting on the other side of a legal case requests information, information will only be provided where the University receives consent or a court order.
A court can compel an organisation to provide it with information it holds, in the event that an order is received, the University will provide the information required.
Disclosures to organisations not listed above will be made in specific legitimate circumstances. Consent from the student will be sought where necessary and students will be informed of such disclosures unless exceptional circumstances apply.
As well as maintaining student records during a student’s time at the University, it continues to processes personal data in connection with alumni management, external relations and development after they have left. The University may also wish to send information about products or services which may be relevant, and to keep alumni informed about University activities.
Alumni who do not wish the University to use their personal data in any of these ways, should write to the alumni office: email@example.com
The University also conducts the Destination of Leavers from Higher Education (DLHE) survey. This is a national survey collecting information on what leavers from higher education programmes are doing six months after qualifying from their HE course. In order to obtain up to date details, personal data is obtained from across the University.
Students must ensure that all personal information provided to the University is accurate and up to date. Changes to contact details can be made by logging into the unilife webpages.
Under the Data Protection Act and the University’s Data Protection Policy students have responsibilities when processing personal data. These include:
• if you are considering processing personal data as part of your studies you must notify and seek approval from your supervisor before any processing takes place
• if you are processing personal data other than as part of your studies and for personal or household purposes you will not be covered under the University’s registration.
In such circumstances you may wish to contact the Information Commissioner to ensure that you are doing so in compliance with the Data Protection Act 1998
If you believe that any part of the University is not complying with either the Data Protection Act 1998 or its own Data Protection Policy, you have the right complain to the University’s Data Protection Officer. Complaints should be submitted to:
Information Compliance Manager,
University of South Wales,
If you are not content with the outcome of its internal processes, you have the right to complain directly to the Information Commissioner’s Office:
Information Commissioner’s Office,
The University processes data relating to its staff for the following purposes:
The University will, where necessary, disclose personal information relating to University employees to external organisations including:
NB. Disclosures to organisations not listed above will be made in specific legitimate circumstances. Consent will be sought where necessary and employees will be informed of such disclosures unless exceptional circumstances apply.
Under the Data Protection Act 1998, you have a right to request and receive a copy of the current personal information held on you by the University and a right to object to data processing that is inaccurate or, causes substantial unwarranted damage or substantial unwarranted distress. On request the University will also inform you of the credit agencies it has contacted and the personal details it has disclosed to them.
Please e-mail: firstname.lastname@example.org, if you have any specific questions relating to the Data Protection Policy, or for details of procedures relating to your rights as a data subject.
Please note that we are reliant on you for much of the data we hold: help us keep your record up-to-date by notifying your Faculty Office or the Human Resource Department of any alterations to your address, personal details, or course enrolments.
The Data Protection Act 1998 is a piece of information rights legislation that covers personal information.
It aims to ensure personal privacy, through giving individuals rights with regards to information about themselves and putting responsibilities on organisations who process this information.
The Act places certain obligations with which the University, as Data Controller, must comply:
Under the Data Protection Act 1998, the University is required to notify the Information Commissioner of the purposes for which it processes personal data. This notification is renewed annually and recorded in the Data Protection Public Register.
The University must ensure that its notification remains up-to-date and personal data must not be processed unless the activity is covered by the current notification.
Data Subjects have a number of rights relating to the information held on them as well as what happens to that data:
The Data Protection Act gives Data Subjects the right to request for, in writing, a copy of information held relating to the individual in electronic format and also in some manual filing systems.
In addition individuals are also entitled to be given a description of the information, what you use it for, who you might pass it on to, and any information you have about the source of the information. This information is provided to individuals at their time of entry into the University and is available on the Information Governance web pages.
A data subject is entitled to write to the University to prevent processing for a specified purpose if that processing of their personal data is likely to cause unwarranted substantial damage or substantial distress to themselves or another person.
Damage can cover financial loss, loss such as pain and suffering, loss of amenity, and loss of reputation. Distress can cover shock, fear, anxiety or grief.
This right cannot be exercised if the data subject consented to the processing, the processing is part of a contract with the data subject, the processing is necessary to protect the vital interests of the data subject, or the University is under a legal obligation to process that data.
An individual is entitled by written notice, to require the University to cease, or not to begin, processing personal data for the purpose of direct marketing. When the University as Data Controller receives such a notice, they must comply as soon as they can. There are no exceptions to this.
The data subject may apply to Court for an order if the data controller fails to comply with the notice.
Direct marketing is defined in the Act for the purposes of this provision as meaning the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals.
A data subject has the right to require the University not to make a decision that significantly affects them if it is based solely on the processing of data by automatic means.
The examples of this type of activity are assessing credit-worthiness, performance at work or possible employment, and automated assessment for academic work of students. All data subjects will be informed in advance as to whether such processing of their personal data will be undertaken.
Right to take action for compensation if the individual suffers damage by any contravention of the Act by the data controller
Data owners should be aware that a data subject now has the right to compensation either for damage or damage and distress for any contravention of the Act by the University. If the contravention was in relation to artistic or literary purposes or journalism, then compensation can be for distress alone.
A defence allowed in the Act is that the University has taken 'such care as is in all the circumstances was reasonably required to comply with the requirement concerned’. Data owners should therefore ensure that, where the risk to data subjects is clearly foreseeable, appropriate measures should be taken to comply with the Act in those circumstances.
An individual may apply to the Court for an order that would require the University to rectify, block, erase or destroy data relating to that individual that are inaccurate together with any other personal data relating to the data subject which contain an expression of opinion which the Court finds is based on the inaccurate data. Data is considered as being inaccurate if they are incorrect or misleading as to any matter of fact.
Data owners within the University need to ensure that there are procedures in place for data subjects to correct inaccurate or out of date data, and procedures for staff and students to update basic terms of data.
The University aims to comply fully with its obligations under the Data Protection Act 1998 and takes complaints relating to the institutions adherence to the Act very seriously.
Individuals wishing to report concerns relating to the Data Protection Act 1998, should, in the first instance, contact the University’s Information Compliance Manager who will aim to resolve any issues.
Mr Rhys Davies
Information Compliance Manager
University of South Wales
If the individual feels the complaint has not been dealt with to their satisfaction, the individual can formally complain to the University Secretary.
The University Secretary will review the facts of the complaint and having taken this into consideration will determine whether the University has acted in accordance with/ or contrary to the Act.
Mr. William Callaway,
University of South Wales
The University Secretary will contact the individual making the complaint and advise them of the outcome of the investigation into their complaint.
If at any time the complainant is unhappy with the way their grievance is being handled, the complainant can also contact the Information Commissioner’s Office, who regulates the processing of personal information who is responsible for the regulating the processing of personal information
The ICO can be contacted:
Information Commissioner’s Office
Cheshire SK9 5AF
Tel: 08456 306060 or 01625 545745
To comply with the Act, the University must ensure that it processes data in accordance with the Data Protection Principles:
All Personal Data processed must satisfy at least one of the conditions of Schedule 2 of the Act. The requirements of Schedule 2 can be summarised as follows:
There are special provisions within the Act for processing of sensitive personal data. Within the context of the data protection, sensitive personal data relates to the following:
When handling sensitive personal information, the data controller must ensure that in addition to complying with one of the conditions of the Schedule 2 conditions listed above, they must also comply with one of the following conditions:
The University will, in the course of its work regularly process personal information relating to both staff and students that is sensitive in its nature. Within the context of the University, Departments such as Finance could process information relating to staff membership of the trade unions whilst Campus Services could process sensitive information involving specific student requirements.
The use of modern information systems with integrated databases enables more sharing of data and reduces the need for multiple collection points for that data. Consequently, data owners should exercise great care in ensuring that data processed for one purpose is not processed for a different purpose in breach of this Principle.
Data owners should ensure that only relevant data is processed. Neither the University nor its staff can collect personal information on the premise that it might be useful at some stage in the future. If there is no reason to collect the data for a specified purpose, then it should not be collected.
It is essential that checks for accuracy are made for maintenance of the University’s data. Data owners should put in place procedures for ensuring that the data is verified for accuracy and the data is kept up to date. A basic minimum would be annual updating for both staff and student data, together with rapid updating for specific items of data.
Personal data should not be kept for longer than is required for the purpose for which it has been acquired. The University has policies and procedures in place which cover the retention of personal data relating to data subjects and further guidance can be obtained from the University Records Manager.
The Data Protection Act 1998 gives the data subject increased rights of access to personal data held on them. The Act also provides strict time limits in which data controllers must respond to access requests from individuals.
Subject to some exceptions, requests for personal information must be dealt with within 40 days of the access request being received in the University.
The University as Data Controller must ensure the security and safekeeping of all personal data whether it is held on computer or within manual files. This includes physical security from unauthorised access as well as protection against accidental loss, destruction or damage.
The European Economic Area (EEA) consists of the 15 European member states together with Iceland, Liechtenstein and Norway. Transfers for any other states will not be legal unless their local laws provided data subjects with the same or greater levels of protection as the Data Protection Act.
In order to transfer personal information to a country outside of the EEA, University staff should contact the Information Compliance Officer to receive further clarification.
The Privacy and Electronic Communications Regulations 2003 regulate direct marketing activities by electronic means (by telephone, fax, email/other electronic methods) and the security and confidentiality of these communications, together with rules governing the use of ‘cookies’ and ‘spyware’.
All direct marketing undertaken by the University must be undertaken in compliance with the Privacy and Electronic Communications Regulations 2003.
Queries about Data Protection should be directed to:
University of South Wales