Skip to main content

Data protection notice for students and applicants

This notice sets out how we deal with the personal information of people who are applying to, or studying at, the university.

This notice may be updated from time to time to ensure continued compliance with current legislation and to reflect best practice.

Identity of the Data Controller

As a Data Controller, Cardiff University is legally responsible for processing your personal data in accordance with Data Protection legislation. In order to carry out its functions and obligations in respect to your study at the university, it is necessary for the university to collect, store, analyse and sometimes disclose your personal data.

Cardiff University collates information about you at application and enrolment stage in order to assess your application, organise your studies and give access to services whilst at the university. The university will also use some of the information for analysis and monitoring.

The university is registered as a Data Controller with the Information Commissioner's Office (ICO) to process personal data. Reg no Z6549747.

What personal information do we collect about you?

The following gives an indication of the types of information which are currently collected and processed at different stages from application, through to enrolment and throughout your time at the university:

  • your name and your student number
  • details of your qualifications achieved and currently being undertaken
  • details of relevant criminal convictions
  • identity document/s such as your passport information
  • any student photograph*
  • your permanent and term time addresses and your contact details including email and other electronic identifiers
  • your gender and date of birth
  • your nationality
  • disability or other medical information
  • trusted (emergency) contact details**
  • your attendance at the university (including any suspension or exclusion information)
  • how your studies are funded, including fee information and any sponsorship details
  • equality of opportunity monitoring data which will include sensitive categories of data for (eg ethnicity, religion, sexual orientation)
  • details of your academic record including qualifications, skills, experience and educational and employment history
  • details of your examination and assessment results during your time at the University
  • details of any pastoral, financial, care or academic support given prior to, or during, your time at University
  • details of any disciplinary or conduct issues
  • details of any professional body registration
  • feedback on university experience you provide to external organisations (e.g. NSS) ***

This personal data includes categories of data classed as ‘special categories’ such as that collected for equality of opportunity monitoring such as ethnicity, religious beliefs or sexual orientation.

The university collects this information in a variety of ways. For example, data might be collected through the application process, or obtained from your passport or other identity documents such as your driving licence; from forms completed by you at the enrolment; or through interviews, meetings or other assessments.

We will also hold information supplied by third parties such as references and information from criminal records checks (if necessary for your course).

*Your photograph will be used, where necessary, for the purposes of identifying you in the course of the university’s legitimate business, and will appear on your university Student ID card. Appropriate provision will be made for those wishing to cover their face for religious reasons.

**Where you provide us with trusted contact details you should let that person know that you are sharing that information with the university.

*** NSS information is shared with us by the Office for Students (OfS) via the responses you provide to the Ipsos MORI survey.

What is our legal basis for processing your personal data?

There are a number of legal ways in which we can process your data, the most relevant of which are set out below:

Legal basisExplanation
(1)By applying or enrolling as a Cardiff University student, we will be required to collect, store, use and otherwise process information about you for any purposes connected with teaching, support, research, administration, your health and safety and for other reasons deemed necessary for the purpose of entering into or for the performance of your contractual agreement with the university. We will also use your information for certain purposes after you cease to be student. See GDPR Article 6(1)(b)


Processing is carried out with your explicit consent. When we rely on your consent to process we will do so to provide a positive opt-in in a clear and concise manner with an explanation as to how you can withdraw your consent. See GDPR Article 6(1)(a).


Processing of your personal data may also be necessary for the pursuit of our legitimate interests or by a third party’s legitimate interests - but only where the processing does not fall within our core public function, is not unwarranted and will not cause a prejudicial effect on your rights and freedoms, or legitimate interests. See GDPR Article 6(1)(f).


Processing of your personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the university (see GDPR Article 6(1)(e)) and for statistical and research purposes.


Processing is necessary for compliance with a legal obligation to which the Data Controller is subject


Processing of Special Categories data is necessary for statistical and research purposes in accordance with Article 89(1) based on the duties in the Equality Act 2010 (see GDPR Article 9(2)(j))

(7)Processing of your personal data is deemed necessary in order to protect the vital interests – of the data subject or of another natural person. For example, in the case of a medical emergency where you are unable to provide consent.

Personal information may be collected separately by other parts of the university such as by the Sports Centre, and Student Support Services and relevant privacy notices will be provided at the point of collection as required.

For what purposes will your information be used?

The purposes and related legal basis (number in brackets) under which Cardiff University may process your personal data, (although given the complexity of the relationships that the university has with its students, this is not exhaustive):

  • administration (including application, enrolment, assessment, disciplinary matters, health matters) (1)
  • to organise your studies (1)
  • the production and, as appropriate, distribution of research and educational materials (4)
  • access to, and security of, university facilities (including library services, computing services, sports and conference facilities (1)
  • to consider and provide support for disability or health related adjustments (5)
  • to assist in pastoral and welfare needs (e.g. the counselling service) (3,4)
  • internal and external auditing purposes (5)
  • meeting health and safety obligations and equality of opportunity monitoring obligations (5,6)
  • promotion of the university’s academic expertise profile and furtherance of the university’s development programme, as appropriate (4)
  • to enable the Students' Union to provide you with access to its facilities and support services (3)
  • to provide support and opportunities to enhance your prospects in terms of your future education and career and to  populate your Higher Education Achievement Report (4)
  • collection of CCTV images for the prevention of crime and prosecution of offenders and other purposes as per our CCTV Code of Practice (3)
  • provide other activities within the university business including developing and maintaining our alumni programme (3) and research profile (4)
  • for consideration of ‘fitness to practise’ or ‘fitness to study’ issues (4)
  • to produce management statistics and to conduct research into the effectiveness of our programmes of study (4,6)
  • carrying out statutory duties to provide information to external agencies or in life or death situations (see ‘Sharing information with others’ for further details) (4, 5, 7)
  • from time-to-time, other activities that fall within the pursuit of the university’s legitimate business and do not infringe your rights and freedoms (3)
  • Orientation (including virtual orientation) (3)
  • to provide you with any advice and information which you have requested (2)
  • to contact you with further information we think you might be interested based on, where possible, the course(s) you have applied for (3)
  • to monitor the effectiveness of marketing material by analysing opened mail returns and click-throughs (3)
  • to create lookalike audiences for the purposes of advertising to users with similar characteristics on platforms such as Facebook, Instagram, Twitter, Snapchat or TikTok. You can update your preferences by accessing your privacy settings on these sites. (3)

Sharing information with others

The university may share your relevant personal data with external organisations.

Disclosure to


Sponsors (including Local Education Authorities and the Student Loans Company) where a contract exists with you.

In accordance with the terms of the contract (which usually relates to attendance and progress reports). Note this does not include anyone who may be paying money toward your studies and where there is no formal contract (eg with parents or employers). In such circumstances disclosure will only be made with your consent.

Professional bodies (e.g. General Medical Council, Royal Society of British Architects, Solicitors Regulation Authority, Nursing Midwifery Council).

In order to confirm your qualifications, accredit your course and, where required, in order to maintain the standards of the profession.

Cardiff and Vale University Health Board (and other NHS organisations in England and Wales).

When necessary for your programme, including for students studying Medicine, Biology and Life and Health Sciences.

Where in the public interest and necessary for public health reasons, including the monitoring and control of infectious diseases. Data Sharing Agreement - TB Screening.

Under your direction when you are in receipt of mental health services from Cardiff University to access further support from NHS services.

Work placement sites or educational partners involved in collaborative course or training programme provision.

Where this is necessary to consider your application and for delivery of your programme of study.

The Higher Education Funding Council Wales (HEFCW) and its agents

Agents include JISC, acting as data controller for the Higher Education Statistics Agency (HESA), and the Quality Assurance Agency (QAA). Further information about the relationship between JISC and HESA, what HESA collect and how it will be used can be found via the Student Collection Notice on the HESA website.

To allow students to provide feedback on their university experience through the National Student Survey (NSS), which is run independently by Ipsos MORI. We also engage and share NSS responses with a third party, who will provide analysis of these responses, in order to improve our education services.

Potential employers or providers of education whom you have approached.

To confirm your qualifications.

UK agencies with duties relating to the prevention and detection of crime, collection of a tax or duty or safeguarding national security.

In order to allow the assessment, and payment and collection of relevant taxes eg Council Tax, and benefits.

To aid the police, UK Visas and Immigration Agency or the Foreign and Commonwealth Office.

This happens only as necessary and in consideration of your rights and freedoms.

Plagiarism detection service providers.

In accordance with the contract with the service provider (eg Turnitin) to ensure academic standards.

Cardiff Students' Union.

In accordance with the university and Students' Union Data Sharing Agreement. (note: not for those students enrolled on continuing and professional education or development courses.)

Cardiff City Council.

With your consent at enrolment, for electoral roll and voter registration purposes.

Any other disclosures that the university makes will be in accordance with Data Protection law and your interests will always be considered.

How long your information will be held

Cardiff University will retain your personal information in line with the university Records Management Policy and Records Retention Schedules.

The university will maintain a core student record of your studies permanently. Details of what will be held as part of that record can be found at Section 3.6 of the Student Administration and Support Records Retention Schedule.

All graduates automatically become members of the Cardiff University Alumni Community (except for those enrolled on continuing and professional education or development courses. As such, some personal data is processed by the Alumni Relations Development Team beyond graduation in order to keep you informed of developments and to offer engagement opportunities. Further information on what data is kept and how it will be used is available via the Alumni Privacy Statement.

Security of your information

Data protection legislation requires us to keep your information secure. This means that your confidentiality will be respected, and all appropriate measures will be taken to prevent unauthorised access and disclosure. Only members of staff who need access to relevant personal data will be authorised to do so. Information about you in electronic form will be subject to password and other security restrictions, while paper files will be stored in secure areas with controlled access. You can find out more by referring to the university Information Security Policies.

Some processing may be undertaken on the university’s behalf by an organisation contracted for that purpose. Organisations processing personal data on the university’s behalf will be bound by an obligation to process personal data in accordance with data protection legislation.

Your data protection rights

Under Data Protection legislation you have a number of rights such as a right to request a copy of your personal data held by the university. To find out more about your rights and how you can exercise them, please see our web page your data protection rights.

Your responsibilities

You have a responsibility to keep your personal details up-to-date via SIMS .

During the course of your studies you may have access to personal information about others. You are expected to treat this in a responsible and professional manner and are legally required to do this under the data protection legislation, as well as any professional ethics or codes of conduct. Where, in the support of your studies, you submit to the university the personal information of others (eg as part of an extenuating circumstances application) you should ensure that you have the permission of those individuals to do so.

If you are made aware of personal information in confidence including regarding someone’s mental or physical health then you are expected to not tell anyone without the individual’s consent, unless there are exceptional circumstances.

You should also not seek to gain others’ personal data if you are not entitled. Disciplinary action will be considered for any university member who breaches the Data Protection Act or a duty of confidence. Find out more about the Data Protection Act

Do we transfer information outside the UK?

Generally, information you provide to us is stored on our secure servers, or on our cloud-based systems. These are located within the UK or in countries/areas which are considered to have adequate privacy and information security provisions, such as the EEA. However, there are times when we will need to store information outside these locations and where we do we will carry out transfer risk assessments where required to ensure that appropriate security measures are taken to protect your privacy rights. This may mean imposing contractual obligations on the recipient of your personal information where no other relevant safeguards exist. Technical measures such as encryption will also be considered.

How to raise a query, concern or complaint

If you still have queries, concerns or wish to raise a complaint details of how you can contact the university data protection officer and Information Commissioner’s Office are available on our Data protection page.

Updated: February 2023