Skip to content
Skip to navigation menu


Data Protection

Cardiff  University is a 'Data Controller', which means that it is registered with the Information Commissioner to process personal data for specific purposes (Registration Z6549747). Personal data is any data from which a living individual can be identified.

The processing of personal data is covered by the Data Protection Act 1998. This governs what personal data the University can collect, how it may use the data and to whom it can disclose the data - the 8 data protection principles.  The Act also gives individuals the right to see their own personal data held by any Data Controller and other rights in respect of the processing of their personal data.

For further information about how the University uses your personal data, please see the University's Data Protection Notice for Students and Data Protection Notice for Staff  .

The University is regularly required to provide the Higher Education Statistics Agency (HESA) with information about its staff and students.  The types of information disclosed and the use that HESA makes of that information is described  on the HESA web site:  

If you would like to see the personal data that Cardiff University holds about you, you will need to apply under the Data Protection Act.  The procedure is known as a Subject Access Request and there is a £10 standard charge.

The University has produced guidance notes on several aspects of the Data Protection Act as it applies to personal data processed by staff and students.  Please follow the link to guidance on the left hand side.

The University's Data Protection Policy can be downloaded using the Resource link above right.

Freedom of Information

Please also see the University IT Regulations webpage which provides the most recent version of the IT Monitoring Notices.