ÀÏ°ÄÃÅÁùºÏ²Ê¿ª½±

Please view our data privacy glossary below.

Applicable data protection legislation

The UK Data Protection Act 1998, the EU General Data Protection Regulation ((EU) 2016/679) and any applicable equivalent or replacement legislation.

Consent

Agreement which is freely given, specific, informed and unambiguous.

Data Breach

A personal data breach means the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.

Data Controller

The person or organisation that determines when, why and how to Process Personal Data.

Data Privacy Impact Assessment

Also: DPIA. A standard assessment used to identify and reduce risks of a data processing activity.

Data Processor

Any person, company or organisation (other than an employee of the data controller) who processes Personal Data on behalf of a Data Controller.

Data Protection Officer (DPO)

An internal, statutory role, required to monitor and promote compliance with data protection legislation.

Data Subject

Any living, identified or identifiable individual about whom we hold Personal Data.

Data Subject Rights

The rights granted to Data Subjects by the applicable data protection legislation, including the right of access to their Personal Data, the right to correct it, and the right to deletion (see below, section 12).

Personal Data

Any information identifying a Data Subject or from which we could identify a Data Subject. Personal Data includes “Special Categories” of sensitive personal data and Pseudonymised Data but not anonymised data (data where any identifying elements have been removed).

Special Categories of Personal Data

A special subset of Personal Data, being any information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life or sexual orientation, biometric or genetic data, and Personal Data relating to criminal offences and convictions.

Processing or Process

Any activity that involves the use of Personal Data, whether manual or electronic, including obtaining, recording or holding the data, organising, amending, transferring, retrieving, using, disclosing, erasing or destroying it.

Privacy Notices

Separate notices setting out information that may be provided to Data Subjects when the University collects information about them. These notices may apply to a specific group of individuals (for example, employees) or they may cover a specific purpose (such as filming on campus).

Pseudonymised Data

Data which has been modified to replace information that directly or indirectly identifies an individual with artificial identifiers or pseudonyms so that the person, to whom the data relates, cannot be identified without the use of additional information which is kept separately and secure.

Third Party

Anyone other than the Data Subject and the Data Controller.

Under the Freedom of Information Act 2000, the ÀÏ°ÄÃÅÁùºÏ²Ê¿ª½± has to ensure that it makes certain information publicly available through a Publication Scheme.  This scheme is a clear and structured way of presenting all of the information that it is obligated to provide.

The University's Publication Scheme covers:

• Who we are and what we are about
• What we spend and how we spend it
• What our priorities are and how we are doing
• How we make our decisions 
• Our Policies and Procedures
• Lists and registers
• The services we offer
• Student charter

Our Publication Scheme is in line with the guidelines issued by the Information Commissioners Website (ICO).

In most cases, copies of these documents will be available in hard copy upon request.  However, the University does reserve the right to restrict some documents from being obtainable in this format. The Published Information Group chaired by the Director of External Relations meets regularly to review the information available through the scheme and ensures updates take place where and when necessary.

Subject Access Requests

You have the right to ask whether we are using or storing your personal information. You can also ask for copies of your personal information.

This is called the right of access and is commonly known as making a Subject Access Request (SAR). Before you submit a request it may help to read the guidance on requesting personal data from the .

You can submit a SAR using the  

Under the UK General Data Protection Regulations (UK GDPR) a response will be issued within one calendar month upon receipt of the request. Please ensure you provide two scanned copies of identification which can be sent to datagovernance@uos.ac.uk. The time limit of one calendar month is paused until ID is received and verified. We may need to contact you to seek further clarity and information on the request.

Freedom of Information

Under the rights established by the Freedom of Information Act 2000, any individual from anywhere in the world has the right to request access to any recorded information being held by the ÀÏ°ÄÃÅÁùºÏ²Ê¿ª½±. It should be noted, however, that some categories of information are exempt and will not be passed on - personal information, for example.

Please note that all information on the ÀÏ°ÄÃÅÁùºÏ²Ê¿ª½± website is provided free of charge. Other information may be provided free of charge, but we reserve the right to make an administrative charge if necessary.

We have made a lot of information available in the Publication Scheme webpages. Please check if the information you require is here before you make an information request.

How to make an information request

The University has a code of practice to outline what it does to meet its freedom of information obligations under the FoIA. You can submit a Freedom of Information request using the and we will endeavour to provide a response within 20-working days.

What to do if you are dissatisfied with a response

If you are dissatisfied with any aspect of the response, you receive you may ask the ÀÏ°ÄÃÅÁùºÏ²Ê¿ª½± to conduct an internal review. Requests for internal review should be submitted using the or by emailing Data Governance.

This process is available for anyone wishing to appeal our decision or the process used in answering a request made under one of the following pieces of legislation:

• Data Protection Act 2018 and GDPR (General Data Protection Regulations)
• The Freedom of Information Act 2000
• The Environmental Information Regulations 2004

This process should only be used in conjunction with information requests and should not be used for any other appeal or complaint.

Your request should be made within 40 working days after receipt of our response. Unless there are extenuating circumstances, requests made more than 40 days after the response will not be considered.

If your request for a review of our response, or handling of this, is not resolved to your satisfaction, you have the right of appeal to the Information Commissioner for a decision. Before doing so, you must exhaust this Internal Review Process.

The Information Commissioner’s Office can be contacted as follows:

The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
/ casework@ico.org.uk

Data Sharing Agreement - SU and ÀÏ°ÄÃÅÁùºÏ²Ê¿ª½±

All staff are expected to complete the University’s online Data Protection training module. The module is mandatory for anyone who has direct responsibility for handling data.