Division of General Counsel, Governance and Compliance


Biometric data

Biometric data is “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”.


One of the lawful bases for processing personal data is a person’s consent. Consent means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Data controller

The data controller decides the purposes and means of the processing of personal data.

Data minimisation

Data minimisation means ensuring that the personal data that is processed is ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.’

Data Processor

The data processor processes personal data on behalf of the Data Controller, in other words, they process personal data for the purposes and means decided by the Data Controller.

Data Protection Principles

Data protection legislation sets out six principles in relation to processing personal data. These state that personal data shall be:

  • processed lawfully, fairly and in a transparent manner (‘lawfulness, fairness and transparency’);
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’);
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’); and
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

Data subject

A data subject is ‘an identified or identifiable natural person.’

Genetic data

Genetic data is “Personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question, in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis, or from the analysis of another element enabling equivalent information to be obtained”.

Lawful bases for processing

Under data protection legislation, the University must have a valid lawful basis in order to process personal data and, in most cases, will also need to be satisfied that it is ‘necessary’ to process personal data to achieve the purpose.

There are six lawful bases for processing:

  1. Public task – this means that the processing is necessary for the University to perform a task in the public interest or as part of its official functions. Under our Royal Charter, the purpose of the University is to advance learning and knowledge by teaching and research to the benefit of the wider community.
  2. Legitimate interests - the processing is necessary for the legitimate interests of the University or a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
  3. Contract – the processing is necessary for a contract the University has with the individual, or because they have asked the University to take specific steps before entering into a contract. When relying on a contract as the legal basis, any processing of personal data must be targeted and proportionate.
  4. Legal obligation – the processing is necessary for the University to comply with the law (not including contractual obligations). This can relate to legal, regulatory and other compliance obligations, as well as matters such as the prevention or detection of crime.
  5. Vital interests – the processing is necessary to protect the vital interest of someone, in other words, to protect someone’s life.
  6. Consent – the individual has given clear consent for the University to process their personal data for a specific purpose.

Personal data

Personal data is defined as “Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

Personal data breach

A personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.


Processing means “Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.


Profiling is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Purpose limitation

Data protection legislation stipulates that personal data should be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Right to access

See ‘Subject access request’.

Right to data portability

The right to data portability gives data subjects the right to receive their personal data that they have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.

Right to erasure

In some cases, the data subject can request that their personal data is erased by the Data Controller. This is sometimes known as the right to be forgotten.

Right to object to processing

Data protection legislation gives data subjects to right to object to the processing of their personal data in certain circumstances.

Right to rectification

Data protection legislation gives data subjects the right to obtain from the University, without undue delay, the rectification of inaccurate personal data concerning him or her.

Right to restrict processing

In some circumstances, data subjects can restrict or limit how their personal data is processing.

Scientific or historical research

Data protection legislation states that the processing of personal data for scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research. It states that scientific research purposes should also include studies conducted in the public interest in the area of public health. Personal data can be processed for historical research purposes, which includes historical research and research for genealogical purposes, bearing in mind that the data protection legislation does not apply to deceased persons.

Special category data

Special category data is personal data that is more sensitive and needs more protection. In order to lawfully process special category data, the University must have a lawful basis as well as an additional condition for processing. Special category data relates to:

  • Racial or ethnic origin,
  • Political opinions,
  • Religious or philosophical beliefs,
  • Trade Union membership,
  • Genetic data
  • Biometric data (where used for ID purposes)
  • Physical and mental health, and
  • Sex life or sexual orientation.

Storage limitation

Personal data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Subject access request

The data subject can request confirmation as to whether or not personal data concerning him or her are being processed by the University, and, where that is the case, can have access to their personal data.

Technical and organisational measures

Data protection legislation requires that appropriate ‘technical and organisational measures’ are put in place – i.e. measures designed to implement the data protection principles and ensure a level of security of personal data proportionate to the risk. In particular, we should be able to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.’

Such measures can include: developing IT security systems and new processes to safeguard data, embedding policies and procedures that are mindful of privacy concerns, ensuring data sharing agreements are in place where required, use of pseudonymisation and encryption, ensuring transparency with data subjects, and implementing processes which regularly monitor / assess data processing and compliance.