Skip to main content

Data Protection

Information Assurance

Data Protection

The University of Worcester is committed to protecting the rights and freedoms of individuals with respect to the processing of their personal data.

Data protection legislation (UK GDPR and the Data Protection Act 2018) places obligations on the University and the way it handles personal data.  In turn members of the University have responsibilities to ensure personal data is processed fairly, lawfully and securely. 

The following and associated pages provide the following information:

  • Information relating to how the University processes the information of individuals (see Privacy Notices)
  • Expectations of members of the University in terms of processing personal data (see Policy Documents)
  • How to make, recognise and respond to, a request for access for personal data (see Requests for Personal Data)
  • What to do in the event of a suspected personal data breach (see Personal Data Breach)
  • If you are considering undertaking a new form of data processing you should complete a Data Protection Impact Assessment
  • Information about the University’s CCTV provision (see CCTV)

Data Protection Officer

The University’s Data Protection Officer is the University Secretary & Clerk to the Board of Governors – Helen Johnstone, email:

University Registration with the ICO

The University’s registration number is Z5445506 and a copy of the University’s certificate of registration can be viewed here

Data Protection Basics

This provides basic guidance on how you should handle personal data under the data protection legislation. It applies to all personal data processing, both electronic (including emails) and manual (i.e. paper records).

  • When you process personal data you must ensure that it is accurate, relevant and not excessive in relation to your needs.
  • When processing personal data you need to ensure that you have identified the appropriate lawful basis for processing that data – see the Records of Processing associated with each of the Privacy Notices.  Consent is only required where indicated on the Record of Processing.
  • Once you have identified your lawful basis for processing you will need to provide the individual with a Privacy Notice (see Guidance on Writing Privacy Notices)
  • Ensure that you keep personal data in accordance with the University’s Records and Document Retention Schedule.
  • Do not disclose any information about an individual to a third party (e.g. external organisation, parent, partner) without first checking that the individual consents to such disclosure. In the case of a parent, partner or family member the University will not release any information without the consent in writing of the individual. In the case of a request from the police, please contact the Data Protection Officer. (See Requests for Personal Data).
  • Do not write any comment about any individual that is unfair or untrue and that you would not be able to defend if challenged. You must assume that anything that you write about a person is subject to release under a Subject Access Request and will be seen by that person.
  • Be vigilant if you are undertaking work off campus using personal data such as individualised research data, reference requests, or examination scripts or results. Strict security measures must be applied to the transportation and storage of all such data. Advice on encryption and mobile working should be sought from the IT Helpdesk. (See Information Security).
  • Ensure that all personal data is kept secure, not only from unauthorised access, but from fire and other hazards (See Information Security).
  • Use the confidential waste collection boxes or the contract shredding service to dispose of any document containing personal data, whether or not you consider it to be confidential.(see Information Security).
  • Apply password protection to computers, screensavers and documents. Where possible ensure that you lock personal data away when not in use or you are absent from your desk.
  • Immediately report any data breaches involving the disclosure or potential disclosure of personal data, further information and guidance can be found here.

For any queries regarding Data Protection please contact the Information Governance Officer

Back to top