Student data protection notice

As a student at Cardiff, some of your personal data will be stored and processed by the University. 

This page explains how your information is used. You can view the University’s registration on the Data Protection Register for more information. The Information Commissioner's Office also provides useful guidance on data protection.


The University collects your data, including your photograph, during your application and enrolment in order to:

  • organise your studies
  • give access to and ensure the security of University buildings
  • provide student support services (libraries, careers, advice, IT facilities and Students’ Union)
  • carry out legal duties, providing information to others (see disclosures section)
  • provide other activities within the University business including developing and maintaining our alumni programme and research profile
  • conduct equal opportunities monitoring and equality impact assessments to ensure our policies and practices do not discriminate against individuals because of 'Protected Characteristics'.

The University has a code of practice on the use of photographs for identity.  This code sets out when and how you can expect your student card to be used to check your identity.


The University will share your relevant personal data with the following bodies:

Disclosure toDetails
Sponsors (including LEAs and the Student Loans Company) where a contract exists

In accordance with the terms of the contract (which usually relates to attendance and progress reports). This does not include anyone who is paying money toward your studies but where there is no formal contract i.e. parents.

Professional bodies (e.g. General Medical Council, Royal Society of British Architects, Law Society)

In order to confirm your qualifications and accredit your course

Cardiff & Vale University Health Board (and other NHS organisations in England and Wales)

When necessary for your programme, including for students studying Medicine, Biology and Life and Health Sciences. 

Where in the public interest and necessary for public health reasons, including the monitoring and control of infectious diseases. Data Sharing Agreement - TB Screening.

Work placement sites or educational partners involved in joint course provision

Where this is necessary for your programme.

The Higher Education Funding Council Wales (HEFCW) and its agents

Agents include the Higher Education Statistics Agency (HESA) and the Quality Assurance Agency (QAA).  You can find further details on the HESA website, there is also a Welsh language version.

Potential employers or providers of education whom you have approached

To confirm your qualifications.

UK agencies with duties relating to the prevention and detection of crime, collection of a tax or duty or safeguarding national security

In order to allow the assessing and collecting/paying Council Tax, Benefits or Tax.

To aid the police, UK Visas and Immigration Agency or the Foreign and Commonwealth Office.

This happens as necessary in consideration with your rights and freedoms.

Plagiarism detection service providers

In accordance with the contract with the service provider e.g. Turnitin to ensure academic standards.

Any other disclosures that the University makes will be in accordance with the Data Protection Act and your interests will always be considered.

Your rights

You have a right to a copy, or to object to the processing of, your personal data held by the University.  Any requests or objections should be made in writing to the Data Protection Officer through a Subject Access Request and there will be a £10 standard fee.  

Your responsibilities

You have a responsibility to keep your personal details up-to-date via SIMS.  

During the course of your studies you may have access to personal information about others. You are expected to treat this in a responsible and professional manner and are legally required to do this under the Data Protection Act, as well as any professional ethics or codes of conduct.

If you are made aware of personal information in confidence including regarding someone’s mental or physical health then you are expected to not tell anyone without the individual’s consent, unless there are exceptional circumstances.

You should also not seek to gain others’ personal data if you are not entitled. Disciplinary action will be considered for any University member who breaches the Data Protection Act or a duty of confidence. Find out more about the Data Protection Act.

Enrolling students: go back to the step by step enrolment process.

Contact us

If after reading this page you still have queries then please contact:

The Data Protection Officer
Governance and Compliance Division
Cardiff University
McKenzie House
30-36 Newport Road
CF24 0DE

Information requests