Policy and handbook
All staff members, students and visitors must comply with the University Data Protection Policy.
The University of Edinburgh (“the University”) is committed to data protection by default and by design and supports the data protection rights of all those with whom it works, including, but not limited to, staff, students, visitors, alumni and research participants. This policy sets out the accountability and responsibilities of the University, its staff and its students to comply fully with the provisions of the General Data Protection Regulation (“the GDPR”) and the Data Protection Act 2018 (“the DPA”) and recognises that handling personal data appropriately and in compliance with data protection legislation enhances trust, is the right thing to do and protects the University’s relationship with all its stakeholders.
The University holds and processes personal data about individuals such as employees, students, graduates and others, defined as ‘data subjects’ by the law. Such data must only be processed in accordance with the GDPR and the DPA.
The University has appointed a Data Protection Officer (DPO) to monitor and advise on compliance with the GDPR and the DPA. However, responsibility for compliance and the consequences of any breaches cannot legally be transferred to the DPO but instead remains with the business area. Information and advice can be obtained from the DPO and from the local Data Protection Champion in every College, School, Department and Support Area.
This policy covers the following areas:
- Purpose of the policy
- Scope of the policy
- Status of the policy
- Responsibilities under the policy
- Data protection by design and default
- Responsibility of management and data users
- Handling of personal data by students
- Data subject rights
- Internal data sharing
- Transfers of personal data outside the EEA
- Direct marketing
- Data protection training
- Data protection breaches
A glossary of all definitions used can be found here:
Purpose of policy
This policy sets out the responsibilities of the University, its staff and its students to comply fully with the provisions of GDPR and the DPA. It is accompanied by a Data Protection Handbook (‘the Handbook’) which provides information and guidance on different aspects of data protection. This policy and the Handbook form the framework which everybody processing personal data should follow to ensure compliance with data protection legislation.
The data protection handbook
The University policy is accompanied by a Data Protection Handbook (‘the Handbook’) which provides information and guidance on different aspects of data protection. The Handbook and the Policy form the framework which everybody processing personal data should follow to ensure compliance with data protection legislation.
This policy applies to all staff and students in all cases where the University of Edinburgh or its students are the data controller or a data processor of personal data. The policy applies in these cases regardless of who created the data, where it is held, or the ownership of the equipment used.
Status of the policy
The policy was approved by the University Executive on 14 May 2018. In common with previous data protection policies, this policy does not form part of the formal contract between the University and staff or students, but compliance with it is a condition of employment and of the Student Contract to abide by the University’s rules and policies. Any failure to follow the policy can therefore result in disciplinary proceedings.
Individuals with honorary contracts or ‘visitor’ status are expected to comply with this policy insofar as they are processing data for and on behalf of the University. Information can be found in the Policy for the Award of Honorary Status.
Responsibilities under the policy
The University as data controller has a corporate responsibility to implement and comply with data protection legislation. This corporate responsibility is delegated to Data Stewards in each area. Thus, in determining the purposes for which, and the manner in which, personal data is processed, the University must adhere to the six Data Protection Principles (“the Principles”) as set out in the legislation. Details of these six principles are found in the accompanying Handbook.
This section will set out the main requirements for compliance.
All users of personal data within the University must ensure that personal data is always held securely and not disclosed to any unauthorised third party either accidentally, negligently or intentionally. The Information Security Policy, the Policy on Taking Sensitive Information and Personal Data outside the Secure Computing Environment and the Computing Regulations must be read in conjunction with this Data Protection Policy.
More information can be found in section 4 of the Handbook.
When the University collects personal data from individuals, the requirement for ‘fairness and transparency’ must be adhered to. This means that the University must provide data subjects with a ‘privacy notice’ to let them know how and for what purpose their personal data are processed. Any data processing must be consistent or compatible with that purpose. A template and guidance for privacy notices can be found here:
More information can be found in section 5 of the Handbook.
Conditions of processing/lawfulness
In order to meet the ‘lawfulness’ requirement, processing personal data must meet at least one of the following conditions:
- The data subject has given consent.
- The processing is required due to a contract.
- It is necessary due to a legal obligation.
- It is necessary to protect someone’s vital interests (i.e. life or death situation).
- It is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- It is necessary for the legitimate interests of the controller or a third party.
For special categories of personal data, at least one of the following conditions must be met:
- The data subject has given explicit consent.
- The processing is necessary for the purposes of employment, social security and social protection law.
- The processing is necessary to protect someone’s vital interests.
- The processing is carried out by a not-for-profit body.
- The processing is manifestly made public by the data subject.
- The processing is necessary for legal claims.
- The processing is necessary for reasons of substantial public interest.
- The processing is necessary for the purposes of medicine, the provision of health or social care or treatment or the management of health or social care systems and services.
- The processing is necessary for public health.
- The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to certain safeguards which are explained in the Handbook.
More information can be found in section 6 of the Handbook.
Personal data must not be kept longer than necessary for the purposes for which it was originally collected. This applies to all personal data, whether held on core systems, local PCs, laptops or mobile devices or held on paper. If the data is no longer required, it must be securely destroyed or deleted. The University’s Privacy Notices give an indication as to how long personal data must be kept and are based on both legal and business requirements:
University Privacy Notices
More information can be found in section 7 of the Handbook.
Data protection by design and default
Under the GDPR and the DPA, the University has an obligation to consider the impact on data privacy during all processing activities. This includes implementing appropriate technical and organisational measures to minimise the potential negative impact processing can have on the data subjects’ privacy.
Data protection impact assessment
When considering new processing activities or setting up new procedures or systems that involve personal data, privacy issues must always be considered at the earliest stage and a Data Protection Impact Assessment (DPIA) must be conducted. The DPIA is a mechanism for identifying and examining the impact of new initiatives and putting in place measures to minimise or reduce privacy risks during the design stages of a process and throughout the lifecycle of the initiative. This will ensure that privacy and data protection control requirements are not an after-thought.
How to request an assessment and guidance for DPIAs can be found here:
Anonymisation and pseudonymisation
Anonymisation and pseudonymisation are further mechanisms for reducing the risks associated with handling personal data. Wherever possible, personal data must be anonymised or, where that is not possible, pseudonymised.
Guidance on how and when to anonymise and pseudonymise can be found here:
More information on data protection by design and default can be found in section 15 of the Handbook.
Responsibilities of management and data users
Heads of Schools and Colleges and Managers of Administrative and Support Services have a responsibility to ensure compliance with the GDPR, the DPA and this policy, and to develop and encourage good information handling practices within their areas of responsibility. All users of personal data within the University have a responsibility to ensure that they process the data in accordance with the Principles and the other conditions set down in the legislation. The Handbook provides detailed guidance to assist with fulfilling these obligations.
Every College, School and Department must nominate one or more Data Protection Champions. These individuals are the first point of contact for data protection questions in their area, escalate difficult questions to the Data Protection Officer and act as a channel of communication between the Data Protection Officer and their area. Heads of Schools may choose to delegate the management of, but not the responsibility for, data protection matters to their School Data Protection Champion. The DPO will perform periodic audits to ensure compliance with this policy and the legislation.
Handling research data
Before commencing any research which will involve obtaining or using personal data and special categories of personal data, the researcher must give proper consideration to this policy and the guidance contained in the Handbook and how these will be properly complied with. The researcher must ensure that the fairness, transparency and lawfulness principle is complied with and that privacy by design and default is applied. This means that wherever feasible, research data must be anonymised or pseudonymised at the earliest possible time.
More information can be found in section 12 of the Handbook.
Handling of research data by students
The use of personal data by students is governed by the following:
- Where a student collects and processes personal data in order to pursue a course of study with the University, and this course of study is not part of a University-led project, the student rather than the University is the data controller for the personal data used in the research.
- However, the domestic use exemption applies – if the data is extracted from a database already held by the University, the University remains the data controller for the database, but the student will be the data controller for the extracted data.
- Once a thesis containing personal data is submitted for assessment, the University becomes data controller for that personal data.
- Where a research student processes personal data whilst working on a project led by a University research group, the University is the data controller.
Academic and academic-related staff must ensure that students they supervise are aware of the following:
- A student should only use personal data for a University-related purpose with the knowledge and express consent of an appropriate member of academic staff (normally, for a postgraduate, this would be the supervisor, and for an undergraduate the person responsible for teaching the relevant class/course).
- The use of University-related personal data by students should be limited to the minimum consistent with the achievement of academic objectives. Wherever possible data should be anonymised so that students are not able to identify the subject.
More information can be found in section 13 of the Handbook.
Data subject rights
The GDPR and the Act contain eight data subject rights the University must comply with – the rights to information (see Privacy Notices section), subject access, to rectification, to object, to erasure, to portability, to restrict processing and in relation to automated decision-making and profiling. These rights can be restricted for personal data used in research.
Subject access requests and the right to data portability
Individuals have the right to request to see or receive copies of any information the University holds about them, and in certain circumstances to have that data provided in a structured, commonly used and machine readable format so it can be forwarded to another data controller. The University must respond to these requests within four weeks.
It is a personal criminal offence to delete relevant personal data after a subject access request has been received.
Individuals receiving a subject access request must follow the subject access request procedures contained in section 11 of the Handbook.
Right to erasure, to restrict processing, to rectification and to object
In certain circumstances data subjects have the right to have their data erased. This only applies
- where the data is no longer required for the purpose for which it was originally collected, or
- where the data subject withdraws consent, or
- where the data is being processed unlawfully.
In some circumstances, data subjects may not wish to have their data erased but rather have any further processing restricted.
If personal data is inaccurate, data subjects have the right to require the University to rectify inaccuracies. In some circumstances, if personal data are incomplete, the data subject can also require the controller to complete the data, or to record a supplementary statement.
Data subjects have the right to object to specific types of processing such as processing for direct marketing, research or statistical purposes. The data subject needs to demonstrate grounds for objecting to the processing relating to their particular situation except in the case of direct marketing where it is an absolute right.
Individuals receiving any of these requests should not act to respond but instead should contact the Data Protection Officer immediately.
Rights in relation to automated decision making and profiling
In the case of automated decision making and profiling that may have significant effects on data subjects, they have the right to either have the decision reviewed by a human being or to not be subject to this type of decision making at all. These requests must be forwarded to the Data Protection Officer immediately.
More information can be found in section 11 of the Handbook.
When personal data is transferred internally, the recipient must only process the data in a manner consistent with the original purpose for which the data was collected. If personal data is shared internally for a new and different purpose, a new privacy notice will need to be provided to the data subjects.
When personal data is transferred externally, a legal basis must be determined and a data sharing agreement between the University and the third party must be signed, unless disclosure is required by law, such as certain requests from the Department for Work and Pensions or Inland Revenue, or the third party requires the data for law enforcement purposes.
More information can be found in section 8 of the Handbook.
Transfers of personal data outside the EEA
Personal data can only be transferred out of the UK when there are safeguards in place to ensure an adequate level of protection for the data.
For transfers of personal data to a receiving party in the United States of America, the Privacy Shield Agreement between the European Union and the United States of America provides sufficient protection. Before transferring data, the Privacy Shield website should be consulted to determine whether the receiving party is on the Privacy Shield List. Staff involved in transferring personal data to other countries must ensure that an appropriate safeguard is in place before agreeing to any such transfer.
More information can be found in section 10 of the Handbook.
Direct marketing covers not only the communication of material about the sale of products and services to individuals, but also the promotion of aims and ideals. For the University, this will include notifications about events, fundraising, selling goods or services. Marketing covers all forms of communications, such as contact by post, fax, telephone and electronic messages; the use of electronic means such as emails and text messaging is governed by the Privacy and Electronic Communications Regulations 2003 (PECR). The University must ensure that it always complies with relevant legislation every time it undertakes direct marketing and must cease all direct marketing activities if an individual requests it to stop.
More information can be found in section 16 of the Handbook.
Data protection training
The University Executive Committee agreed on 12 February 2018 that it should be mandatory for all staff members to complete the Data Protection Training module on Learn. In addition, all academic members of staff must complete the module on Research under the GDPR. The module can be found here:
Data protection breaches
The University is responsible for ensuring appropriate and proportionate security for the personal data that it holds. This includes protecting the data against unauthorised or unlawful processing and against accidental loss, destruction or damage of the data. The University makes every effort to avoid data protection incidents; however, it is possible that mistakes will occur on occasion. Personal data incidents might occur through, for example:
- Loss or theft of data or equipment
- Ineffective access controls allowing unauthorised use
- Equipment failure
- Unauthorised disclosure (e.g. email sent to the incorrect recipient)
- Human error
- Hacking attack
Any data protection incident must be brought to the attention of the University’s Data Protection Officer who will investigate and decide if the incident constitutes a data protection breach. If a reportable data protection breach occurs, the University is required to notify the Information Commissioner’s Office as soon as possible, and not later than 72 hours after becoming aware of it. Any member of the University community who encounters something they believe may be a data protection incident must email the Data Protection Officer immediately at email@example.com with ‘breach’ in the subject line.
Details of how to report a breach and the information that will be required are included in section 17 of the Handbook.
The Data Protection Officer
The Data Protection Officer is responsible for advising the University on compliance with data protection legislation and monitoring its performance against it.
The University’s named Data Protection Officer details are published at:
Enquiries regarding subject access requests must be addressed to: