The EU's new General Data Protection Regulation (GDPR) governs all data that companies hold on individuals. Find out what this means for NTU and how we manage your personal data.
Data protection legislation
NTU is a data controller for the purposes of:
- the UK General Data Protection Regulation (GDPR)
- the Data Protection Act (DPA) 2018, and
- associated data protection legislation.
Data protection legislation creates consistency and strengthens data protection principles and practices. It places a strong emphasis on the rights of individuals.
At NTU, we use and share personal information for our administrative purposes. We use it to:
- identify, deliver and monitor services that we provide
- carry out our functions as a university
- comply with our legal obligations.
NTU is registered with the Information Commissioner's Office (ICO). Our ICO registration number is Z7109967.
NTU processes personal data relating to:
- prospective students
- current students
- graduates or alumni
- employees and applicants
- other third parties.
Our privacy notices explain how we collect, use, retain and store your data. They also explain your rights in relation to that processing.
Record of processing activity (RoPA)
Nottingham Trent University (NTU) processes personal data. This enables us to:
- provide services, education and support to students, graduates, staff and third parties
- undertake research and provide commercial services.
We also process personal data through visual images. We gather these through CCTV systems and body-worn devices. We may use this data for:
- the prevention and detection of crime
- the investigation of disciplinary proceedings against colleagues and students.
Categories of data subjects
NTU processes personal data about:
- students, including prospective and exchange students
- unsuccessful applicants (students)
- former students (withdrawn)
- participants of apprenticeships
- workers and contractors
- former staff
- unsuccessful applicants (staff)
- donors and friends of the University
- external third parties
- landlords and tenants
- work experience students or children under 18
- individuals captured by CCTV images
- parents, guardians, or carers of students
- business or industry contacts
- suppliers (e.g. goods and services)
- enquirers or complainants
- external examiners and
- governors and former governors.
Categories of personal data and special category data
The types of personal data NTU may process are as follows:
- biographical and family details
- contact details
- country of residence
- next of kin and emergency contact information
- lifestyle and social circumstances
- financial information
- employment record information
- student record, attendance and academic information
- qualifications and professional membership information
- survey or feedback information
- health and disability information
- criminal conviction information (alleged offences and offences)
- misconduct, disciplinary and grievance information
- records of consent
- equality information
- vetting and barring checks
- contract information — including external third parties
- religious and philosophical beliefs
- political opinion
- trade union membership
- sex life and sexual orientation
- biometric data (where used for the purposes of identifying a person)
- genetic data
- information captured by CCTV.
Purpose for processing
NTU processes personal data for the purposes of:
- providing education and associated support to students
- administrative purposes (staff and students)
- data security and integrity purposes
- safeguarding the health and safety of staff, students and third parties
- university research management
- marketing and promoting our events to the NTU community
- financial and procurement purposes
- management and promotion of events
- fundraising and donor management
- engaging with our alumni
- prevention and detection of crime
- managing our contracts, our contractors, and our relationships with third parties
- Student Union administration
- for regulatory and legal purposes to comply with statutory returns and legal obligations.
Recipients of personal data (who we might share personal data with)
On occasion, we need to share personal data with third parties. We do this when it is:
- required by law, or
- otherwise necessary to achieve a specified purpose.
Whenever we share personal data with third parties, we'll comply with the UK GDPR and DPA.
The categories of recipients for personal data are:
- professional, regulatory and awarding bodies
- regulatory bodies, including the Office for Students (OfS)
- Student Loan Company (SLC)
- Universities and Colleges Admissions Services (UCAS)
- government bodies, including UKVI, ESFA, Ofsted, DSA, HMRC
- local government or councils
- third-party statistical agencies, including Higher Education Statistics Agency (HESA)
- accommodation providers
- student support providers
- research councils
- international agents
- third-party suppliers or service providers
- work experience and placement providers
- debt collection agencies and payment service providers
- legal representatives
- police and law enforcement agencies
- trade unions or staff associations
- the Students' Union
- current, past or prospective employers
- benefit suppliers (staff benefits)
- parents, guardians, and carers.
Transfers to a third country
NTU has relationships with other institutions and agencies. Some of these bodies are outside the UK. The purpose of these relationships is to support and facilitate learning and research.
That means we sometimes transfer personal data outside the UK. Whenever we do this, we ensure appropriate contracts or other safeguards are in place.
Retention of personal data
We hold personal data and special category data. We keep it in line with our records retention schedule. The schedule documents how long we retain records. This will be in line with regulatory and operational requirements. See a copy of our records retention schedule.
See our record of processing activity (RoPA) document.
Policies and procedures
Data protection policy
NTU commits to protecting the privacy and security of personal information. This includes the personal data of our staff, students and other third parties. This data protection policy sets out the minimum standards we must comply with.
Data breach policy and procedure
Subject access request (SAR)
Data subjects have a right of access under the UK GDPR. This means you can make requests to organisations that hold personal data about you. The legislation doesn't give a right of access to information that isn't personal to you. To access the personal information held on you by NTU, you can submit a subject access request (SAR). Use our subject access request form to do so.
If you wish to submit a SAR, remember the following.
- We can't process your SAR until we've received proof of your identity.
- You should describe the information you're requesting as clearly as possible. We may ask you for more information to help us identify personal data relating to you.
- You must include your name and an address or email address for correspondence.
- NTU will aim to respond to your request within one calendar month.
Our policy sets out how NTU identifies and manages its SAR responsibilities. This is in accordance with our legal and regulatory obligations.
If you have any queries, email our Data Protection Officer.
Information rights requests
The information rights requests policy sets out how you can engage your information rights under the UK GDPR and the process for doing so.
Information classification scheme
NTU's Data Protection Officer
The University has a Data Protection Officer (DPO) who oversees data protection matters.
Our DPO is Amanda Neylon, Director of Digital Technologies. You can contact Amanda by emailing DPO@ntu.ac.uk.