Data Protection
CARDIFF UNIVERSITY - NOTICE TO ALL STUDENTS REGARDING THE DATA PROTECTION ACT 1998
This notice is for all students of Cardiff University and is to confirm that Cardiff University is registered as a Data Controller under the Data Protection Act 1998, and to explain the purposes for which we hold information about you (your personal data). If you wish to obtain further information about the University’s registration, it can be viewed at http://www.ico.gov.uk/search.html (University registration number: Z6549747). Further information can also be obtained from the Information Commisioner's Office.
If you have any queries about the use of your personal data by the University please contact the Data Protection Officer, Mrs Ruth Robertson, Governance and Compliance Division, Cardiff University, McKenzie House, 30-36 Newport Road, Cardiff, CF24 0DE, or email RobertsonR@Cardiff.ac.uk.
Purposes
You will be asked to confirm various personal and academic details at enrolment to both Registry and your own School(s). The University processes your personal data collected at both the application stage and at annual enrolment for the purposes of:
- administration of your studies;
- access to, and security of, University facilities (including University Residences);
- provision of student support services (such as library services, computing services, advice services and the operation of the Students’ Union)
- carrying out statutory duties to provide information to external agencies (see ‘Disclosures’ for further details);
- and other activities that fall within the pursuit of the University’s legitimate business (including the development and maintenance of an Alumni Programme).
This personal data includes your photograph which will be used, where necessary, for the purposes of identifying you in the course of the University’s legitimate business, and will appear on your University ID card. The University has a Code of Practice on the Use of Photographic Identity which sets out when and how you can expect your ID card to be used to check your identity.
Disclosures
Where necessary the University will disclose, outside the University, relevant items of your personal data as set out below.
| Disclosure to: Sponsors (including LEAs and the Student Loans Company) where a contract exists | Details: In accordance with the terms of the contract (which usually relate to attendance and progress reports). This does not include third parties (such as parents) who may be paying for your studies but with whom no formal contract exists. |
| Professional bodies (e.g. General Medical Council, Royal Society of British Architects, Law Society) | For the purposes of confirming your qualifications and the accreditation of your course |
| Cardiff & Vale University Health Board (and to other NHS organisations in England and Wales) | Where this is necessary for the purposes of your study. This is mostly applicable to students in the Wales College of Medicine, Biology, Life and Health Sciences. |
| Work placement sites or other educational partners involved in joint course provision | Where this is necessary for the purposes of your study. |
| The Higher Education Funding Council (HEFCW) and its agents | Such as the Higher Education Statistics Agency (HESA) and the Quality Assurance Agency. You are advised to refer to the collection notices on the HESA website for further details: HESA . |
| Potential employers or providers of education whom you have approached | For the purposes of confirming your qualifications. |
| Local government Council Tax assessment departments | For the purpose of assessing and collecting Council Tax. |
| UK agencies with duties relating to the prevention and detection of crime, apprehension and prosecution of offenders, collection of a tax or duty, or safeguarding national security | (such as Benefit or Tax Inspectors, the Police, the UK Borders Agency or the Foreign and Commonwealth Office), as necessary, and with consideration of your rights and freedoms. |
| Plagiarism detection service providers | Minimum details necessary and in accordance with the contract with the service provider, e.g. Turnitin UK, in order to uphold academic standards by detection of plagiarism. |
The University may from time to time make other disclosures without your consent. However, these will always be in accordance with the provisions of the Data Protection Act 1998 and your interests will be considered.
Your Rights
Under the Data Protection Act 1998 you have a right to a copy of your personal data held by the University. Any request for such a copy should be made to the Data Protection Officer (details above). There is a standard £10 fee payable for such requests. You also have the right to object to any aspect of the processing of your personal data by the University. Any such objection should be submitted in writing to the Data Protection Officer (Details above).
Your Responsibilities
You have a responsibility to keep your personal details accurate and up to date and should notify the University of any changes via SIMS Online.
Students at the University may, during the course of their studies, have access to personal information about other individuals. Students are, and have always been, expected to treat this in a responsible and professional manner. You have responsibilities under the Data Protection Act 1998 for any personal data relating to other people which you may access whilst at the University. This responsibility is in addition to any obligations arising from professional ethics or codes of conduct. Information relating to an individual’s mental or physical health or other information obtained in the expectation of a duty of confidence, should be treated as confidential and generally not disclosed without the subject’s consent. Further information on the Data Protection Act can be found here.
It is an offence for students to knowingly and recklessly disclose personal data to anyone who is not entitled to receive it or to seek to obtain data to which they are not entitled. The University will take a serious view of any breach of the Data Protection Act 1998 by any of its members, including the consideration of disciplinary action.