Read the University policy on data protection below or view it as a PDF by clicking this link:
This policy provides a framework for ensuring that the University meets its obligations under the General Data Protection Regulation (GDPR) and associated legislation  (‘data privacy legislation’).
It applies to all processing of personal data carried out for a University purpose, irrespective of whether the data is processed on non-university equipment or by third parties.
‘Personal data’ means any information relating to an identifiable living individual who can be identified from that data or from that data and other data. ‘Processing’ means anything that is done with personal data, including collection, storage, use, disclosure and deletion.
More stringent conditions apply to the processing of special category personal data.
‘Special category’ means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying an individual, data concerning health or data concerning an individual’s sex life or sexual orientation.
This policy should be read in conjunction with the accompanying guidance, which provides further detail and advice on practical application, as well as any other documents that impose confidentiality or data management obligations in respect of information held by the University.
This policy does not cover the use of personal data by members of the University when acting in a private or non-University capacity.
 This includes all legislation enacted in the UK in respect of the protection of personal data as well as the Privacy and Electronic Communications (EC Directive) Regulations 2003.
The processing of personal data underpins almost everything the University does. Without it, students cannot be admitted and taught; staff cannot be recruited; living individuals cannot be researched; and events cannot be organised for alumni or visitors.
We are responsible for handling people’s most personal information. By not handling personal data properly, we could put individuals at risk.
There are also legal, financial and reputational risks for the University. For example:
The processing of personal data must comply with data privacy legislation and, in particular, the six data privacy principles.
In summary, they require that personal data is:
In addition, a new accountability principle requires us to be able to evidence compliance with these principles.
The University handles a large amount of personal data and takes seriously its responsibilities under data privacy legislation. It recognises that the mishandling of an individual’s personal data may cause them distress or put them at risk of identity fraud. As a result, it is committed to:
The University seeks to achieve these aims by:
Council has executive responsibility for ensuring that the University complies with data privacy legislation.
It is supported by its General Purposes Committee, which is responsible for keeping under review the University’s policies and compliance with legislation and regulatory requirements.
Data Protection Officer (DPO)
The DPO is responsible for monitoring internal compliance, advising on the University’s data protection obligations and acting as a point of contact for individuals and the ICO.
Vice Chancellor’s and Registrar’s Office: Information Compliance Team
The Information Compliance Team is responsible for:
In fulfilling these responsibilities, the team may also involve, and draw on support from, representatives from sections, departments and divisions.
Heads of department (or equivalent)
Heads of Department are responsible for ensuring that the processing of personal data in their department conforms to the requirements of data privacy legislation and this policy. In particular, they must ensure that:
Others processing personal data for a University purpose eg. staff, students and volunteers
Anyone who processes personal data for a University purpose is individually responsible for complying with data privacy legislation, this policy and any other policy, guidance, procedures, and/or training introduced by the University to comply with data privacy legislation. For detailed guidance, they should refer to the University’s Guidance on Data Protection and any relevant departmental policies and procedures. In summary, they must ensure that they:
The University will investigate incidents involving a possible breach of data privacy legislation in order to ensure that, where necessary, appropriate action is taken to mitigate the consequences and prevent a repetition of similar incidents in future. Depending on the nature and severity of the incident, it may also be necessary to notify the individuals affected and/or the ICO. A breach will occur where, for example, personal data is disclosed or made available to unauthorised persons or personal data is used in a way that the individual does not expect.
Incidents involving failures of IT systems or processes must be reported to the Oxford University Computer Emergency Response Team (OxCert) within 4 working hours of discovery. OxCert will liaise, as appropriate, with the Information Compliance Team.
All other incidents must be reported directly to the Information Compliance Team at the earliest possible opportunity.
The University regards any breach of data privacy legislation, this policy or any other policy and/or training introduced by the University from time to time to comply with data privacy legislation as a serious matter, which may result in disciplinary action. Depending on the nature of the breach, an individual may also find that they are personally liable (for example, it can be a criminal offence for a member of the University to disclose personal information unlawfully).
Questions about this policy and data privacy matters in general should be directed to the Information Compliance Team at: firstname.lastname@example.org
Questions about information security should be directed to the Information Security Team at: email@example.com
This policy, and supporting guidance, will apply with effect from 25 May 2018. It will be reviewed during the 2018/19 academic year to take into account outstanding ICO guidance and the final form of national legislation underpinning the GDPR.
This policy should be read in conjunction with related policies and regulations, including the:
Data Protection Enquiries
Tel: (01865 2)70285