Data Protection

  1. Handling Subject Access Requests
  2. Student Records Management in Academic Departments
  3. Student Records Management in Support Service Sections
  4. Staff Privacy Notice
  5. Disclosure of Student Information
  6. Telephone Protocol for the Disclosure of Personal Information
  7. Records Retention Schedule
  8. Examinations and Assessment
  9. References
  10. Photographs to be used in Publicity/Promotional Material

Training Handouts (PowerPoint presentations)


General Information

Loughborough University is committed to protecting the rights and privacy of individuals in accordance with the Data Protection Act 1998. The University processes information about its staff, students and other individuals it has dealings with for a range of administrative purposes (e.g. to recruit and pay staff, administer programmes of study and comply with legal obligations to funding bodies and government). In order to comply with the law, information about individuals must be collected and used fairly, stored safely and securely and not disclosed to any third party unlawfully.

All "processing" of personal data (includes collection, holding, retention, destruction and use of personal data) are governed by the Data Protection Act 1998. The Act applies to all personal data - whether they are held on a computer or similar automatic system or whether they are held as part of a manual file. Personal data is defined as information relating to an identifiable living individual and can be held in any format, electronic (including websites and emails), paper-based, photographic etc. from which the individual's information can be readily extracted.

Under the 1998 Act, all organisations that process personal information are required to notify the Information Commissioner's Office. The University's Notification describes the various types of processing of personal information and defines the persons or bodies to which the information may be disclosed. Full details of the University's notification can be found at - the registration number is Z6556747.

It is an offence to process personal data except in strict accordance with the eight principles of data protection and the rights of data subjects. Further information on the Data Protection Act can be found at

Failure to comply with the Data Protection Act could result in the prosecution not only of the University but also of the individual concerned.

Data subjects (that is persons about whom such data is held) may also sue for compensation for damage and any associated distress suffered as a result of:

  • loss or unauthorised destruction of data
  • unauthorised disclosure of, or access obtained to, data
  • inaccurate data - i.e. data which is incorrect or misleading

It follows, therefore, that all staff who are concerned with, or have access to, such data have an obligation to ensure that they are processed according to the eight principles of data protection and the rights of data subjects. This means, among other things, that staff must treat all data carefully and must not disclose personal data to unauthorised persons (this will often include parents of students).

You are specifically cautioned that Loughborough University does not authorise any employee or agent of the University to hold or process any personal data on its behalf except as stated in the University's Notification. Users of personal data on or off campus (e.g. pc at home or laptop) should consider the legal position before attempting to process personal data.

In cases of doubt or difficulty staff should in the first instance contact the University's Data Protection Officer, Academic Registry tel: 01509 22 2468.


Eight Data Protection Principles

  • Data should be processed fairly and lawfully.
  • Data should be obtained for one or more specified lawful purposes.
  • Data shall be adequate, relevant and not excessive.
  • Data shall be accurate and where necessary kept up to date.
  • Data is not kept longer than is necessary for its purpose.
  • Data shall be processed in accordance with subject rights under the Act.
  • Appropriate technical and organisational measures shall be taken against unauthorised/unlawful processing, loss, destruction, damage to personal data.
  • Data shall not be transferred outside EEA unless that country/territory ensures adequate level of protection for rights and freedoms of data subjects in relation to the processing of personal data.

Data Subject Rights

  • To make subject access requests regarding the nature of information held and to whom it has been disclosed.
  • To prevent processing likely to cause damage or distress
  • To prevent processing for purposes of direct marketing
  • To be informed about mechanics of automated decision taking process that will significantly affect them
  • Not to have significant decisions that will affect them taken solely by automated process
  • To take action for compensation if they suffer damage by any contravention of the Act
  • To take action to rectify, block, erase or destroy inaccurate data
  • To request the Commissioner to assess whether any provision of the Act has been contravened