Our data protection policy
The University takes its responsibilities seriously when processing the personal data it collects with regards to staff, students and all others with whom it interacts.
Cardiff University is a Data Controller for the purposes of data protection legislation and is registered with the Information Commissioner's Office.
Personal data is any data from which a living individual can be identified. The processing of personal data is covered by data protection legislation which includes the General Data Protection Regulation and Data Protection Act 2018.
The legislation provides a framework to ensure that organisations process personal data in an open and transparent manner and with due regard to the rights and freedoms of individuals.
Our data protection policy
Data Protection policy
The purpose of the Data Protection Policy is to clarify the requirements of the Data Protection legislation in the context of Cardiff University.
Our privacy notices
To help you understand how your personal data is being processed the University has set out in its data protection notices what information it holds, why it is required, the legal basis for processing and who that data may be passed to. You can also find out how your information is secured and how long it will be retained. Our notices:
- Data protection notice for students and applicants
- Data protection notice for staff
- Data protection notice for alumni and friends
- Data protection notice for enquirers and other contacts
- Data protection notice for research participants
- Step Up to University and Access to Professions privacy notice
- The Discovery Project privacy notice
- REF 2021 data privacy notice for external collaborators
- Privacy Notice Covid-19 testing service
The legislation also gives you the right to see what information an organisation stores about you and request copies of it as well as other rights in respect of the processing of your personal data.
You can find out more about these rights, when they might apply and how to exercise them in your data protection rights.
Data protection officer
The University is required to have a data protection officer who can be contacted if you have any queries, concerns or complaints about the way your personal data is processed. Cardiff University's Data Protection Officer is James Merrifield.
You can contact the data protection officer by writing to:
Data Protection Officer
Compliance and Risk, University Secretary's Office
or at the below email
Information Commissioner's Office
The Information Commissioner’s office is responsible for regulating data protection in the UK. We hope to resolve any of your questions, queries or concerns but if you remain dissatisfied you can contact the Information Commissioner's Office.