Information Governance

The EU’s new General Data Protection Regulation (GDPR) governs all data that companies hold on individuals. Find out what this means for NTU and how we manage your personal data.

    Guide to information

    The EU’s new General Data Protection Regulation (GDPR) governs all data that companies hold on individuals. The GDPR has been designed to create consistency and strengthen data protection principles and practices across EU. The GDPR administers a more up to date law on data protection, with stronger emphasis placed on the rights of individuals and how their personal data is used within organisations.

    The GDPR comes into force 25 May 2018 and replaces the existing UK Data Protection Act 1998.

    GDPR will apply to the entire UK despite the prospective outcomes of the UK leaving the European Union.

    There are still many concepts which are the same with the redundant Data Protection Act but with new elements, particularly regarding data subject rights, accountability and organisational compliance with the GDPR Regulation’s principles.

    Find out what this means for NTU and how we manage personal data. We use and share personal information in order to identify, deliver and monitor services that we provide.

    Who is our Data Protection Officer (DPO)?

    Our data protection officer is:

    • Tracy Landon, Legal Services Manager and Data Protection Officer
      Email: dpo@ntu.ac.uk

    GDPR introduces a statutory position of data protection officer who will have a key role in ensuring compliance with GDPR at NTU. Where processing is carried out by a public authority/body a DPO must be appointed. Public authorities/bodies are not defined within the GDPR but the UK’s Data Protection Bill has defined universities as a public authority/body and so we must have a DPO.

    Privacy notices

    A privacy notice is a public statement of how an organisation applies data protection principles to processing data and provides information about how information is collected.

    Whether you are an applicant, a student, a member of staff or a visitor to our website, your privacy is important to us. Our privacy notices will provide you with information on how we collect, use, retain and store your data.

    Policies and procedures

    The University is a large and complex organisation and we are highly dependent on the processing of personal data for our activities. The University takes into consideration data privacy of individuals at all stages of our processes.

    Data protection policy
    The University is committed to protecting the privacy and security of personal information which includes the personal data of our staff, students and other third parties. This data protection policy sets out the minimum standards which must be complied with by the University.
    Data protection policy

    Data breach policy and procedure
    This policy sets out how the University identifies and manages its data breach responsibilities in accordance with its legal and regulatory obligations. This data breach policy sets out the minimum standards which must be complied with by the University.
    Data breach policy 
    Data breach procedure

    Subject access request (SAR) 
    This policy sets out how the University identifies and manages its SAR responsibilities in accordance with its legal and regulatory obligations. Data subjects have a right of access under the GDPR that allows them to make requests to organisations that hold personal data about them. The SAR Procedure provides the process for accessing your information and provides an easy to use form for requesting your data. Alternatively, you can email us.
    Subject access request policy
    Subject access request procedure 

    Records retention
    The University’s records are an important sources of administrative/evidential and historical information. These are pivotal to our activities and to assist us with accountability. The University has developed a Records retention schedule.

    Information classification scheme
    All University data has an inherent value and is an important asset to the University. However, data varies in its sensitivity and value and different types of data will require different levels of security. All University information and data should be handled appropriately to ensure that any risks are effectively managed (which includes adequate storage and processing with appropriate security and access controls in place).
    Information classification scheme

    GDPR facts and FAQs

    Freedom of Information

    The Freedom of Information Act 2000 covers information relating to the way Nottingham Trent University is governed and how decisions are made.

    It includes information on the legal status of the University, which individual members of staff or groups within the organisation are responsible for specific functions and where they fit in the overall structure of the organisation.

    NTU: Freedom of Information

    Still need help?

    +44 (0)115 941 8418