Information governance
The EU's new General Data Protection Regulation (GDPR) governs all data that companies hold on individuals. Find out what this means for NTU and how we manage your personal data.
Data protection legislation
NTU is a data controller for the purposes of:
- the UK General Data Protection Regulation (GDPR)
- the Data Protection Act (DPA) 2018, and
- associated data protection legislation.
Data protection legislation creates consistency and strengthens data protection principles and practices. It places a strong emphasis on the rights of individuals.
At NTU, we use and share personal information for our administrative purposes. We use it to:
- identify, deliver and monitor services that we provide
- carry out our functions as a university
- comply with our legal obligations.
NTU is registered with the Information Commissioner's Office (ICO). Our ICO registration number is Z7109967.
Privacy notices
NTU processes personal data relating to:
- prospective students
- current students
- graduates or alumni
- employees and applicants
- suppliers
- other third parties.
Our privacy notices explain how we collect, use, retain and store your data. They also explain your rights in relation to that processing.
- Website cookies and privacy
- Admissions privacy notice
- Employee privacy notice
- Student privacy notice
- Apprenticeship privacy notice
- Alumni, supporters, and friends privacy notice
- NTU Sport privacy notice
- Student accommodation privacy notice
- Job applicant tracking and right to work privacy policy
- Research privacy notice
Record of processing activity (RoPA)
Nottingham Trent University (NTU) processes personal data. This enables us to:
- provide services, education and support to students, graduates, staff and third parties
- undertake research and provide commercial services.
We also process personal data through visual images. We gather these through CCTV systems and body-worn devices. We may use this data for:
- the prevention and detection of crime
- the investigation of disciplinary proceedings against colleagues and students.
NTU processes personal data about:
- students, including prospective and exchange students
- unsuccessful applications (students)
- former students (withdrawn)
- alumni
- participants of apprenticeships
- staff
- workers and contractors
- former staff
- unsuccessful applicants (staff)
- donors and friends of the University
- external third parties
- visitors
- volunteers
- landlords and tenants
- work experience students or children under 18
- individuals captured by CCTV images
- parents, guardians, or carers of students
- business or industry contacts
- suppliers (e.g. goods and services)
- enquirers or complainants
- external examiners and
- governors and former governors.
The types of personal data NTU may process are as follows:
- biographical and family details
- contact details
- country of residence
- next of kin and emergency contact information
- lifestyle and social circumstances
- photographs
- financial information
- employment record information
- RoPA Nottingham Trent University
- student record, attendance and academic information
- qualifications and professional membership information
- survey or feedback information
- health and disability information
- criminal conviction information (alleged offences and offences)
- misconduct, disciplinary and grievance information
- records of consent
- equality information
- vetting and barring checks
- contract information — including external third parties
- religious and philosophical beliefs
- political opinion
- trade union membership
- sex life and sexual orientation
- biometric data (where used to for the purposes of identifying a person)
- genetic data
- information captured by CCTV.
NTU processes personal data for the purposes of:
- providing education and associated support to students
- administrative purposes (staff and students)
- data security and integrity purposes
- safeguarding the health and safety of staff, students and third parties
- university research management
- marketing and promoting our events to the NTU community
- financial and procurement purposes
- marketing
- management and promotion of events
- fundraising and donor management
- engaging with our alumni
- prevent and detection of crime
- managing our contracts, our contractors, and our relationships with third parties
- Student Union administration
- for regulatory and legal purposes to comply with statutory returns and legal obligations.
On occasion, we need to share personal data with third parties. We do this when it is:
- required by law, or
- otherwise necessary to achieve a specified purpose.
Whenever we share personal data with third parties, we'll comply with the UK GDPR and DPA.
The categories of recipients for personal data are:
- professional, regulatory and awarding bodies
- auditors
- regulatory bodies, including the Office for Students (OfS)
- Student Loan Company (SLC)
- Universities and Colleges Admissions Services (UCAS)
- government bodies, including UKVI, ESFA, Ofsted, DSA, HMRC
- local government or councils
- third-party statistical agencies, including Higher Education Statistics Agency (HESA)
- accommodation providers
- student support providers
- RoPA Nottingham Trent University
- research councils
- international agents
- third-party suppliers or service providers
- work experience and placement providers
- debt collection agencies and payment service providers
- legal representatives
- police and law enforcement agencies
- trade unions or staff associations
- the Students' Union
- current, past or prospective employers
- benefit suppliers (staff benefits)
- parents, guardians, and carers.
NTU has relationships with other institutions and agencies. Some of these bodies are outside the UK. The purpose of these relationships is to support and facilitate learning and research.
That means we sometimes transfer personal data outside the UK. Whenever we do this, we ensure appropriate contracts or other safeguards are in place.
We hold personal data and special category data. We keep it in line with our records retention schedule. The schedule documents how long we retain records. This will be in line with regulatory and operational requirements. See a copy of our records retention schedule.
See our record of processing activity (RoPA) document.
Policies and procedures
The University is a large and complex organisation. We're highly dependent on the processing of personal data for our activities. We take into consideration data privacy of individuals throughout our processes.
Data protection policy
NTU commits to protecting the privacy and security of personal information. This includes the personal data of our staff, students and other third parties. This data protection policy sets out the minimum standards we must comply with.
Data breach policy and procedure
This policy sets out how we identify and manage our data breach responsibilities. We do this in accordance with our legal and regulatory obligations. This data breach policy sets out the minimum standards we must comply with.
Data breach policy and procedure
Subject access request (SAR)
Data subjects have a right of access under the UK GDPR. This means you can make requests to organisations that hold personal data about you. The legislation doesn't give a right of access to information that isn't personal to you. To access the personal information held on you by NTU, you can submit a subject access request (SAR). Use our subject access request form to do so.
If you wish to submit a SAR, remember the following.
- We can't process your SAR until we've received proof of your identity.
- You should describe the information you're requesting as clearly as possible. We may ask you for more information to help us identify personal data relating to you.
- You must include your name and an address or email address for correspondence.
- NTU will aim to respond to your request within one calendar month.
Our policy sets out how NTU identifies and manages its SAR responsibilities. This is in accordance with our legal and regulatory obligations.
If you have any queries, email our Data Protection Officer.
Subject access request policy and procedure
Information rights requests
If you wish to exercise another of your information rights under the UK GDPR, please use our information rights request form.
The information rights requests policy sets out how you can engage your information rights under the UK GDPR and the process for doing so.
Records retention
NTU's records are important sources of administrative, evidential and historical information. These are pivotal to our activities. To help us with accountability, we have developed a records retention schedule.
Information classification scheme
All University data has an inherent value and is an important asset to the University. However, data varies in its sensitivity and value and different types of data will require different levels of security. All University information and data should be handled appropriately to ensure that any risks are effectively managed (which includes adequate storage and processing with appropriate security and access controls in place).
NTU's Data Protection Officer
The University has a Data Protection Officer (DPO) who oversees data protection matters.
Our DPO is Amanda Neylon, Director of Digital Technologies. You can contact Amanda by emailing DPO@ntu.ac.uk.
Freedom of Information at NTU
The Freedom of Information Act 2000 covers information relating to the way Nottingham Trent University is governed and how decisions are made. Access the webpage for further information.