The Data Protection Legislation (“the DP legislation”) regulates the use of personal data and sets requirements for protecting it. It seeks to balance an individual’s right to privacy with the need of organisations to use information about individuals for legitimate purposes.
The DP Legislation refers to the General Data Protection Regulation (GDPR) which came into force on 25 May 2018 and additional UK data protection legislation which makes further provision about when and why personal data can be processed and the rights of individuals in relation to their personal data. Our approach to data protection compliance is set out in our Data Protection Policy for Staff and BU Representatives (docx, 127kb). That Policy contains references to other key BU policies and processes relevant to data protection, including information security policies.
BU’s Data Protection Officer has overall responsibility for managing data protection within BU and communicating with individuals about our data protection compliance. He can be contacted on firstname.lastname@example.org or 01202 962472.
How we use information collected via our website
For details on this see our website privacy & cookies policy.
How we use information about our staff
For details on this see our Staff and Applicants privacy notice. In addition, the HESA Staff Collection Notice gives information about processing of staff information which we share with HESA (the Higher Education Statistics Agency).
How we use information about our students
For details on this see our Student privacy notice. In addition, the HESA Student Collection Notice gives information about processing of student information which we share with HESA (the Higher Education Statistics Agency).
How we use information about other individuals
Please see our other privacy notices, which relate to:
- Research Participant privacy notice: this describes how and why we process personal data of individuals participating in research projects
- General Enquiries & Public Events privacy notice: this describes how and why we process personal data of individuals who contact us with general enquiries or who attend or express an interest in BU events which are open to the public. This includes information about the basis on which we may send you email information about events and other activities. This does not cover individuals who contact us or attend events in relation to possible applications to study at BU.
- Student Recruitment & Admissions privacy notice: this describes how and why we process personal data of individuals who engage with us in relation to possible applications to study at BU (e.g. through making enquiries or attending events such as our open days). It includes information about the basis on which we may send you email information about events and other activities. It also describes how personal data is processed within our Admissions policy, up to the point at which an individual accepts an offer to study at BU.
Processing of personal data for the purposes of staff recruitment is covered in the Staff Privacy Notice.
Staff responsibilities when handling personal data
As set out in the Data Protection Policy for Staff and BU Representatives (docx, 127kb), all staff have responsibilities in relation to data protection compliance. These include mandatory data protection training. This document provides a summary of the key staff responsibilities in relation to data protection.
Students’ responsibilities when handling personal data
Students will, during their studies with us, come into contact with personal information from many sources (including that of their fellow students or interview and questionnaire participants). We expect students to handle information about other people responsibly. BU will issue further guidance on these expectations in the next few months.
We encourage the use of social media as it can be a valuable tool for communication and learning and can assist in the work of students and staff. Students are reminded that the usual standards of behaviour and conduct that we expect on a day-to-day basis apply equally to the use of social media. For further information on this, please see our Social Media Policy and Procedures for Students (doc, 145kb). Misuse of social media can cause significant distress to others, and we may take action against those responsible.
Individuals’ rights under the DP Legislation
The DP Legislation gives individuals (“data subjects”) a number of rights in relation to organisations who process their data. These include the right to ask for information about how we process your data and to see the data being processed (subject access rights). Following changes to the DP Legislation the rights also include the right to ask for rectification/correction of any inaccurate personal data being processed, and in certain circumstances you will have the right to object to processing of your data and to ask for the processing to be restricted or stopped.
Further information about all of these data subject rights is set out in our Privacy Notices.
Information about how to make a subject access request is set out below. If you wish to exercise any of the other data subject rights, you should contact our Data Protection Officer on email@example.com.
Making a request for a copy of your personal data
Under the DP Legislation, you can ask us to provide you with the personal information we hold about you. This is called a subject access request. To make a request, you can use our Subject Access Request Form (pdf 160kb) and send it to our Information Office. Alternatively, requests can be made by letter or email to the Information Office using the contact details on this page.
There is no fee for making a subject access request.
To ensure compliance with the DP Legislation, and to maintain confidentiality, we will require proof of identity from those seeking to access their personal information. Failure to provide this will result in the information being withheld. Our Subject Access Request Form outlines the documentation we require to satisfy our identity check. Please don’t send any original documentation to us by post.
We will respond to your request within the applicable timeframe under the DPA. This is usually one month from the later of receipt of your request, proof of identity and any clarifications we require from you.
Some of your personal data may be exempt from the right of subject access and so we would not be able to provide it to you. For example, responding to a request may involve providing information that relates to both you and another individual. In these situations, we can only release this information to you if the other individual has consented to this, or it is reasonable in all the circumstances to do so without their consent. The DP Legislation also sets out other specific exemptions from the subject access rights.
For information about the subject access exemptions under the DP Legislation, see the Information Commissioner’s Office webpage.
Requests for exam scripts
The subject access rights in the DP Legislation allow students access to examiners’ comments written on examination scripts. We implement this right of access by allowing all students to obtain a copy of their exam scripts.
To obtain a copy of your own exam script, you should put your request in writing to your Programmes Administrator. Please note that, as with all other subject access requests, we will require proof of identity.
The normal timescales for responding to a subject access request may not apply in relation to requests for exam scripts. If you have any questions about this, please contact the Data Protection Officer on firstname.lastname@example.org
It may also be possible for students to meet with their tutor to discuss their exam script if they are required to retake a particular examination. Providing a copy of the script is not required.