Student data protection notice

As a student at Cardiff, some of your personal data will be stored and processed by the University.

Cardiff University is committed to protecting the rights of students in line with data protection law and this page explains how your information is used, who it may be passed to and what your rights and responsibilities are. The University is registered with the Information Commissioner's Office (ICO) to process personal data and you can view the registration on the ICO's website under the Data Protection Register.

This notice may be updated from time to time to ensure continued compliance with current legislation and to reflect best practice.


The University collects and processes your personal data, including your photograph, during your application and enrolment so that it can manage its contractual obligations to you during your studies and in order to meet its statutory responsibilities. Your personal data will be used to:

  • organise your studies;
  • give access to and ensure the security of University buildings;
  • provide student support services (libraries, careers, advice, IT facilities and Students’ Union);
  • carry out legal duties, providing information to others (see disclosures section);
  • provide other activities within the University business including developing and maintaining our alumni programme and research profile;
  • conduct equal opportunities monitoring and equality impact assessments to ensure our policies and practices do not discriminate against individuals because of 'Protected Characteristics'.

The University has a code of practice on the use of photographs for identity. This code sets out when and how you can expect your student card to be used to check your identity.

Personal information may be collected separately by other parts of the University such as by the Sports Centre, Accommodation, and Student Support Services and relevant privacy notices will be provided at the point of collection as required.


The University may share your relevant personal data with the following bodies:

Disclosure toDetails
Sponsors (including Local Education Authorities and the Student Loans Company) where a contract exists with you

In accordance with the terms of the contract (which usually relates to attendance and progress reports). Note this does not include anyone who may be paying money toward your studies and where there is no formal contract i.e. parents, employers. In such circumstances disclosure will only be made with your consent.

Professional bodies (e.g. General Medical Council, Royal Society of British Architects, Law Society)

In order to confirm your qualifications, accredit your course and, where required, in order to maintain the standards of the profession.

Cardiff & Vale University Health Board (and other NHS organisations in England and Wales)

When necessary for your programme, including for students studying Medicine, Biology and Life and Health Sciences.

Where in the public interest and necessary for public health reasons, including the monitoring and control of infectious diseases. Data Sharing Agreement - TB Screening.

Work placement sites or educational partners involved in joint course provision

Where this is necessary for delivery of your programme of study.

The Higher Education Funding Council Wales (HEFCW) and its agents

Agents include the Higher Education Statistics Agency (HESA) and the Quality Assurance Agency (QAA). Further information about what HESA collect and how it will be used can be found via the HESA Student Data Collection Notice on the HESA website.

Potential employers or providers of education whom you have approached

To confirm your qualifications.

UK agencies with duties relating to the prevention and detection of crime, collection of a tax or duty or safeguarding national security

In order to allow the assessment, and payment and collection of relevant taxes i.e Council Tax, and benefits.

To aid the police, UK Visas and Immigration Agency or the Foreign and Commonwealth Office.

This happens only as necessary and in consideration of your rights and freedoms.

Plagiarism detection service providers

In accordance with the contract with the service provider e.g. Turnitin, to ensure academic standards.

Cardiff Students' UnionIn accordance with the University and Students' Union Data Sharing Agreement
Cardiff City CouncilWith your consent at enrolment, for electoral roll and voter registration purposes.

Any other disclosures that the University makes will be in accordance with Data Protection law and your interests will always be considered.

How long your information will be held

Cardiff University will retain you personal information in line with the University Records Management Policy and Records Retention Schedules.

The University will maintain a core student record of your studies that it keeps permanently. Details of what will be held as part of that record can be found at Section 3.6 of the Student Administration and Support Records Retention Schedule.

All graduates automatically become members of the Cardiff University Alumni Community. As such, some personal data is processed by the Alumni Relations Development Team beyond graduation in order to keep you informed of developments and to offer engagement opportunities. Further information on what data is kept and how it will be used is available via the Alumni Privacy Statement.

Security of your information

Data Protection legislation requires us to keep your information secure. This means that your confidentiality will be respected, and all appropriate measures will be taken to prevent unauthorised access and disclosure. Only members of staff who need access to relevant personal data will be authorised to do so. Information about you in electronic form will be subject to password and other security restrictions, while paper files will be stored in secure areas with controlled access. You can find out more by referring to the University Information Security Policies.

Some processing may be undertaken on the University’s behalf by an organisation contracted for that purpose. Organisations processing personal data on the University’s behalf will be bound by an obligation to process personal data in accordance with Data Protection legislation.

Your rights

You have a right to access your personal information through the Subject Access Request process.

You also have a right to object to the processing of your personal information, to rectify, to erase, to restrict and to port your personal information.  Any requests or objections should be made in writing to the Data Protection Officer using the contact details provided below.

Your responsibilities

You have a responsibility to keep your personal details up-to-date via SIMS.

During the course of your studies you may have access to personal information about others. You are expected to treat this in a responsible and professional manner and are legally required to do this under the Data Protection Act, as well as any professional ethics or codes of conduct.

If you are made aware of personal information in confidence including regarding someone’s mental or physical health then you are expected to not tell anyone without the individual’s consent, unless there are exceptional circumstances.

You should also not seek to gain others’ personal data if you are not entitled. Disciplinary action will be considered for any University member who breaches the Data Protection Act or a duty of confidence. Find out more about the Data Protection Act.

Enrolling students: go back to the step by step enrolment process.

How to raise a query, concern or complaint

If after reading this page you still have queries, concerns or wish to raise a complaint you should contact the Data Protection Officer in the first instance at the following:

Matt Cooper
Data Protection Officer
Assurance Services
Department of Strategic Planning and Governance
Cardiff University
Friary House
Greyfriars Road
CF10 3AE
Tel: 02920 875466

If you remain dissatisfied then you have the right to apply directly to the Information Commissioner for investigation. The Information Commissioner can be contacted at: -

Information Commissioner’s Office,
Wycliffe House,
Water Lane,

The Information Commissioner's Office also provides useful advice and guidance on data protection.

Updated: August 2017

Information requests