Records of Processing Activities

In line with its obligations under the UK General Data Protection Regulations and the Data Protection Act 2018 the University must maintain a Records of Processing Activity.

About the Data Controller

The University of South Wales (USW) as a data controller is registered with the Information Commissioner's Office (Registration Number - Z6472800).  

The Data Protection Officer is contactable via the University of South Wales, Pontypridd, CF37 1DL. [email protected].

Why does the University process personal data?

The University processes personal data for the following purposes:

  • To provide education and support to students
  • Staff administration
  • To safeguard the health, safety and security of staff, students and third parties
  • Management and administration of University research
  • Data security and integrity management
  • Financial purposes
  • Statutory returns and other legal obligations
  • Marketing
  • Alumni management
  • The prevention and detection of crime
  • Procurement

What categories of personal data are processed?

The University processes personal data for the purposes listed above.  The University will only process personal data that is required.  Types of personal may include:

  • Personal and family details
  • Education details and student records
  • Lifestyle and social information 
  • Employment details
  • Financial information 
  • Attendance records
  • Vetting checks
  • Disciplinary information
  • Visual images
  • Criminal conviction information 
  • Information relating to an individual's racial or ethnic origin
  • Information relating to political opinion
  • Information relating to religious or philosophical beliefs
  • Trade union membership
  • Genetic and Biometric data
  • Health data
  • Sex life or sexual orientation
Whose personal data does the University process?

The University processes personal data about the following categories of individuals:

  • Enquirers, applicants, students
  • Alumni
  • Governors
  • Applicants, employees, contractors
  • Third parties participating in research, teaching or placements
  • Individuals captured by CCTV
  • Industry and business contacts
  • Suppliers, advisers and consultants
Who are recipients of University personal data?

Periodically personal data may need to be shared with third parties where there is a requirement to do so:

  • Professional and regulatory bodies including examining and accreditation bodies
  • The Students' Union
  • Healthcare, social and welfare organisations
  • Trade unions
  • Internal and external auditors
  • Suppliers, advisers and consultants
  • Current, past or prospective employers
  • International agents
  • Accommodation providers
  • Relevant government departments such as the Office for Students, the Home Office, HMRC and local authorities
  • Courts, tribunals and legal representatives
  • Police forces, and other security and law enforcement organisations
  • Financial organisations, debt collection and tracing agencies

How is information protected when it is sent outside of the EEA?

The University has relationships with institutions and agencies worldwide which make it necessary for data to be transferred outside the EEA. 

Periodically the University uses third party processors who are based outside of the EEA and will necessitate an international transfer.

Where transfers are made the University has in place processes to ensure that they are carried out in compliance with data protection laws.

For how long will the University hold personal data?

The University will hold personal data in line with its Retention Schedule

What steps does the University take to keep personal data secure?

The security of information is a priority for the University and various measures are in place to ensure that data is appropriately protected.  The University has policies and procedures in place and technical measures to ensure that data is protected



Updated August 2022