Staff data protection notice

Cardiff University is registered as a Data Controller under the Data Protection Act 1998.

This means that we are able to lawfully process personal data for specific purposes and this is a notice for those applying for a post at the University as well as current staff and other agents and contractors relating to what the University does with your information.

The University’s registration number is: Z6549747. View the University’s registration.


During the recruitment process and throughout your employment with us Cardiff University collects, uses and stores (i.e. processes) your personal data. Elements of your personal data will be retained securely by the University in accordance with the University’s Records Retention Schedule for a specified period of time after your employment with us ceases.

The purposes which Cardiff University may process your personal data are as follows:

  • staff administration (including recruitment, appointment, training, promotion, performance assessment, disciplinary matters, health, pensions and other employment related matters)
  • access to, and security of, University facilities (including library services, computing services, sports and conference facilities and welfare services)
  • accounting and financial purposes including pay, workforce planning and other strategic planning activities
  • internal and external auditing purposes
  • meeting health and safety obligations and equality of opportunity monitoring obligations
  • promotion of the University’s academic expertise profile and furtherance of the University’s development programme, as appropriate
  • carrying out statutory duties to provide information to external agencies (see ‘Disclosures’ for further details)
  • collection of CCTV images for the prevention of crime and prosecution of offenders
  • and other activities that fall within the pursuit of the University’s legitimate business and do not infringe your rights and freedoms.

This personal data includes, where necessary, Sensitive Personal Data such as that collected for equality of opportunity monitoring. It also includes your photograph which will be used, where necessary, for the purposes of identifying you in the course of the University’s legitimate business, and will appear on your University ID card. Appropriate provision will be made for those wishing to cover their face for religious reasons.


Where necessary the University will disclose, outside the University, relevant items of your personal data as set out below.

Disclosure toDetails
Government departments and other UK agencies with duties relating to the prevention and detection of crime, apprehension and prosecution of offenders, collection of a tax or duty, or safeguarding national security.In order to meet statutory requirements and otherwise as necessary in the public interest, and with consideration of your rights and freedoms. (Includes HMRC, Department for Work and Pensions, Home Office UK Borders Agency, Passports and Immigration and the Police)
The Higher Education Funding Council (HEFCW) and its agents.Such as the Higher Education Statistics Agency (HESA) and the Quality Assurance Agency. You are advised to refer to the collection notices on the HESA website for further details.
NHS organisations in England and Wales.Where this is necessary for management purposes in connection with the performance of your contractual or honorary contract duties.
Professional bodies (e.g. General Medical Council, Royal Society of British Architects, Law Society).Where this is necessary for course accreditation purposes and/or the performance of your contractual duties.
Potential employers or providers of education whom you have approached.For the purposes of confirming your employment with Cardiff University.
Members of the public.When required by the Freedom of Information Act 2000 and the disclosure does not breach any of the Data Protection Principles.

The University may from time to time make other disclosures without your consent. However, these will always be in accordance with the provisions of the Data Protection Act 1998 and your interests will be considered.

Your rights

Under the Data Protection Act 1998 you have a qualified right to a copy of your personal data held by the University. Any request for such a copy should be made to the Data Protection Officer in the Information Governance Team through a Subject Access Request. There is a standard £10 fee payable for such requests.

You also have the right to object to any aspect of the processing of your personal data by the University. Any such objection should be submitted in writing to the Data Protection Officer in the Information Governance Team.

Your responsibilities

You have a responsibility to keep your personal details accurate and up to date. This can be done by updating your details via the CORE Portal or through notification to the University’s Human Resources Division.

You also have responsibilities under the Data Protection Act 1998 for any personal data relating to other people which you may access whilst at the University. This responsibility is in addition to any obligations arising from professional ethics or codes of conduct.

It is a criminal offence for staff to knowingly and recklessly disclose personal data to anyone who is not entitled to receive it or to seek to obtain data to which they are not entitled. The University will take a serious view of any breach of the Data Protection Act 1998 by any of its members, including the consideration of disciplinary action.

Further information

Further advice is available within these web pages or from the Information Commissioner’s website.

If you have any specific queries about the use of your personal data by the University, or access to it, please contact the Information Governance Team in the

Governance Division
Cardiff University
2nd Floor Friary House
Greyfriars Road
CF10 3AE

Information requests