ICP-02 Data protection policy

This is a sub-policy of the ICP-01 Information compliance policy.

Summary

This policy sets out how the University processes the personal data that it holds (relating to students, staff, research participants and third parties). It outlines the University’s responsibilities under data protection legislation and regulation, setting out how it will comply, and provides instruction for staff handling personal data.

Control information: Control detail
Owner: Information Governance Manager and Data Protection Officer, Information Compliance
Author: Information Governance Manager and Data Protection Officer, Information Compliance
Sponsor: Director of Governance and University Secretary, Governance
Consulted: Not applicable
Approved by: Information Governance and Security Advisory Board
Responsible area: University Secretary’s Office
Version: 2
Approval date: 02 March 2026
Effective date: 02 March 2026
Interim review effective date: Not applicable
Full review period: 1
Date of next full review: 02 March 2027
EIA completion date: Not applicable
DPIA completion date: Not applicable
SIA completion date: Not applicable
Reporting requirements:
Applicable statutory, legal or best practice requirements:
Keywords: anonymity, compliance, confidentiality, consent, data, direct marketing, disposal, document management, DPA, DPIA, EEA, information compliance, information security, lawful processing, personal data, protection, retention, rights, risk management, security, sharing, subject, transfer, transparency, UK GDPR

1. Updates to this policy

1.1. Updates to this policy have been made to clarify roles and responsibilities.

1.2. This policy has been updated to align with the new University of Bristol policy management framework.

2. Introduction

2.1. The protection of an individual's personal data is a fundamental human right. Individuals have varying degrees of understanding and concern for the protection of their personal data, but the University must ensure it acts in compliance with legislative and regulatory requirements at all times. If individuals feel that they can trust the University as a custodian of their personal data, this will help the University to fulfil its wider objectives.

2.2. The UK General Data Protection Regulation (UK GDPR), as supplemented by the Data Protection Act 2018 (DPA), is the main piece of legislation that governs how the University collects and processes personal data. Failure to comply with this legislation may have severe consequences for the University, including potential fines of up to £17.5 million or 4% of the University’s total annual turnover, whichever is higher. 

3. Scope

3.1. This policy sets out how the University of Bristol (“the University”, “we”) will process the personal data of its staff, students, research participants, suppliers, and other third parties.

3.2. This policy applies to all personal data that the University processes, regardless of the format or media on which the data is stored or to whom it relates.

3.3. This policy applies to all members of staff.

3.4. Staff have a crucial role to play in ensuring that the University maintains the trust and confidence of the individuals whose personal data it processes. This policy therefore sets out what the University expects from staff in this regard.

4. Definitions

4.1. Anonymous, anonymised: Information that does not relate to an identifiable person, either in isolation or when combined with information from other sources.

4.2. Automated processing: Any form of processing (including profiling) that is undertaken by automated means to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning, for example, their suitability for a position or programme applied for, performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.

4.3. Criminal convictions and offences: Personal data relating to criminal convictions, the commission or alleged commission of an offence, proceedings for the commission or alleged commission of an offence, and sentencing.

4.4. Data Controller: A legal or natural person, an agency, a public authority, or any other body that determines the purposes and means of processing personal data.

4.5. Data Protection Impact Assessment (DPIA): A tool used to identify and reduce the risks of a processing activity, and which must be undertaken in certain circumstances specified in the GDPR (See the University’s Data Protection Impact Assessment Procedure).

4.6. Data Protection Officer (DPO): A person required to be appointed by an organisation in specific circumstances under the GDPR and who must have expert knowledge of data protection law and practice, being the organisation’s main representative on data protection matters.

4.7. Data subject: An individual to whom personal data relates and who can be identified or is identifiable from personal data.

4.8. Data Protection Act 2018 (DPA 2018): UK law that establishes rules for how organizations must handle personal data.

4.9. Data Protection Impact Assessment (DPIA): An assessment to identify and minimise the data protection risks of a project, process or system.

4.10. European Economic Area (EEA): The 28 countries in the European Union and Iceland, Liechtenstein and Norway.

4.11. Fair processing notice: A notice setting out information that must be provided to data subjects before collecting personal data from them, including notices aimed at a specific group of individuals or notices that are presented to data subjects (also known as ‘privacy notice’ or ‘data protection notice’).

4.12. Information Asset Assistant (IAA): Responsible for supporting IAOs with operational management of information assets.

4.13. Information Asset Owner (IAO): Senior staff responsible for managing information assets, risks, and assurance.

4.14. Information Asset Register (IAR): An inventory that records all significant information assets held by the University.

4.15. Information Commissioner’s Office (ICO): The UK's independent data protection regulator.

4.16. Personal data: Any information identifying a data subject or information relating to a data subject who can be identified (directly or indirectly) from that data alone or in combination with other identifiers that are possessed or can be reasonably accessed. Personal data includes criminal convictions and offences data, special categories of personal data, and pseudonymised personal data, but excludes anonymous data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location, or date of birth) or an opinion about that person's actions or behaviour.

4.17. Personal data breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed and which compromises the confidentiality, integrity, availability and/or security of the personal data.

4.18. Process, processes, processing: Any activity or set of activities which involves personal data including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or making available, alignment or combination, restriction, erasure or destruction.

4.19. Pseudonymised, pseudonymisation: Replacing information that directly or indirectly identifies an individual with one or more artificial identifiers (for example, a numerical identifier or other code) or pseudonyms so that the data subject cannot be identified without combining the identifier or pseudonym with other information which has been kept separately and securely. Personal data that has been pseudonymised is still treated as personal data (unlike personal data which has been anonymised).

4.20. Records Management: The field of management and organisational function responsible for the systematic control of the creation, receipt, maintenance, use, and disposition of records.

4.21. Record of Processing Activity (RoPA): A record of all the personal data processing activities carried out by the University.

4.22. Staff: The University’s agents, consultants, contractors, employees, representatives, trustees, and other representatives, including hourly paid staff and students holding a position of employment.

4.23. United Kingdom General Data Protection Regulations (UK GDPR): UK law that replaced the EU's GDPR establishing rules for how organisations in the UK must collect, use, and store personal data. It is part of the UK's data protection framework, alongside the Data Protection Act 2018 (DPA 2018).

5. Summary responsibilities

5.1. Full responsibilities for all parties are detailed in Roles and responsibilities (section 8).

5.2. All staff: Ensure they follow data protection policies, complete required training, handle personal data securely, and report incidents or risks promptly. See All staff for detail.

5.3. Strategic governance and oversight roles: Provide leadership and accountability for data protection, ensuring risks are managed, compliance is maintained, and effective governance structures are in place. See Board of Trustees, Senior Information Risk Owner (SIRO) and Boards and Committees for detail.

5.4. Information compliance and data protection specialists: Offer expert advice, oversee lawful processing, approve DPIAs, manage data rights requests, and support staff in complying with data protection law. See Data Protection Officer (DPO) and Information Compliance Team for detail.

5.5. Information Security Team: Implement and maintain technical security controls, support safe system operation, and work with compliance teams to protect personal data from unauthorised access or loss. See Information Security team for detail.

5.6. Information Asset Network (IAOs, IAAs, IAN): Manage information assets, maintain registers and processing records, oversee retention and disposal, and identify or escalate risks relating to data handling. See Information Asset Owners (IAOs), Information Asset Administrators (IAAs) and The Information Asset Network (IAN) for detail.

5.7. Caldicott Guardians: Safeguard the confidentiality of health and care information and ensure its use is justified, appropriate, and compliant within specialist clinical or research settings. See Caldicott Guardians for detail.

5.8. Information Governance and Security Advisory Board (IGSAB): Provide senior oversight, strategic direction, and support for information governance, risk management, data protection, and security. See Information Governance and Security Advisory Board (IGSAB) for detail.

6. Further advice regarding this policy 

6.1. The Information Compliance team can provide general advice on data protection matters, including if staff:

  1. Wish to process personal data for any purpose and are unsure whether the University has a lawful basis for doing so.

  2. Need to rely on consent and/or require explicit consent.

  3. Need to prepare a fair processing notice.

  4. Are unsure whether to delete, destroy, or keep any personal data.

  5. Are unsure about what security or other measures need to be taken to protect personal data.

  6. Know or suspect that there has been a personal data breach.

  7. Are unsure on what basis to transfer personal data outside of the European Economic Area (EEA).

  8. Need assistance in dealing with the exercise of any rights by data subjects.

  9. Are creating a new process involving personal data for which an entry on the University's Record of Processing Activity is required.

  10. Plan to use personal data for any purposes other than those they were originally collected for.

  11. Are considering the processing of personal data in a new or different way, particularly where there is an intention to use artificial intelligence to process personal data.

  12. Plan to undertake any activities involving automated processing, including profiling or automated decision-making, particularly when using artificial intelligence.

  13. Are unsure of the legal requirements relating to any direct marketing activities.

  14. Need help with contracts or any other areas in relation to sharing personal data with a third party.

7. Core principles of Data Protection

7.1. The UK GDPR is based on a set of core principles that everyone who uses personal data must comply with. The University must ensure that all personal data is:

  1. Processed lawfully, fairly, and in a transparent manner. The University must have a lawful basis for collecting and processing personal data for any specific purpose. Without a lawful basis for processing, such processing will be unlawful and unfair and may also have an adverse impact on the affected data subjects. No data subject should be surprised to learn that their personal data has been collected, consulted, used, or otherwise processed by the University.

  2. Collected only for specified, explicit, and legitimate purposes. The University must only collect and process personal data for specified and legitimate purposes that have been communicated to data subjects before the personal data has been collected.

  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which it is to be processed. Staff must only process personal data when necessary for the performance of their duties and tasks and not for any other purposes. Fully anonymous data should be used as far as possible, including when processing data using artificial intelligence tools.

  4. Accurate and where necessary kept up to date. The personal data that the University collects and processes must be accurate and, where necessary, kept up-to-date and must be corrected or deleted without delay when the University discovers, or is notified, that the data are inaccurate.

  5. Not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is processed. Storing personal data for longer than necessary may increase the severity of a data breach and may also lead to increased costs associated with such storage. The University will maintain policies and procedures to ensure that personal data is deleted, destroyed, or anonymised after a reasonable period following expiry of the purposes for which they were collected.

  6. Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage. The University will develop, implement, and maintain appropriate technical and organisational measures for the processing of personal data, taking into account the:
  • nature, scope, context, and purposes for such processing
  • volume of personal data processed
  • likelihood and severity of the risks of such processing for the rights of data subjects.

7.2. Additionally, the University must ensure that:

  1. Personal data are not transferred outside of the EEA (which includes the use of any website or application that is hosted on servers located outside of the EEA) to another country without appropriate safeguards being in place (see Transfers of personal data outside of the EEA).

  2. The University allows data subjects to exercise their rights in relation to their personal data (see Data subject rights and requests).

  3. The University is responsible for, and must be able to demonstrate compliance with, all of the above principles.

7.3. Detailed guidance on the core principles of the UK GDPR can be found on the Information Compliance webpages and on staff intranet pages.

8. Roles and responsibilities

8.1. The University’s Data Protection Framework (see Schedule 1) outlines how the University manages compliance with legislative requirements and delivers governance and accountability over personal data processing.

8.2. To implement the Data Protection Framework, the University operates a comprehensive Operating Model for Information Compliance (see Schedule 2) that clearly defines roles and responsibilities across the organisation to ensure compliance. This model establishes key roles, including:

Board of Trustees

8.3. The Board of Trustees has ultimate responsibility for directing the affairs of the University and, as such, will ensure the University has appropriate information compliance procedures in place to mitigate risk and maximise the value of the information it holds.

Senior Information Risk Owner (SIRO)

8.4. The SIRO is accountable at a senior management level for assuming executive responsibility for information risk management, having a strategic and oversight function in the delivery of compliance. This role is held by the University's Director of Governance and University Secretary.

Data Protection Officer

8.5. Under the UK GDPR, the University is required to appoint a Data Protection Officer (DPO). This role is assigned to the Information Compliance Manager.

8.6. The Data Protection Officer is required to:

  1. Inform and advise the organisation and its employees about their obligations to comply with UK GDPR and other data protection laws.

  2. Monitor compliance with UK GDPR, and with the organisation’s data protection policies, including managing internal data protection activities, raising awareness of data protection issues, training staff, and conducting internal audits.

  3. Advise on and monitor data protection impact assessments.

  4. Cooperate with the Information Commissioner’s Office (‘ICO’).

  5. Be the first point of contact for the ICO and for individuals whose data is processed.

8.7. UK GDPR requires that the DPO can act independently, is adequately resourced to carry out their role, and reports to the highest level of management.

Information Compliance team

8.8. The Information Compliance team is the dedicated central function charged with ensuring the University’s compliance with information-related legislation and regulation, including UK GDPR. The team is responsible for providing procedures, guidance, and advice in support of this policy. They are responsible for approving Data Protection Impact Assessments (DPIAs), conducting due diligence in relation to data protection contract clauses, and managing data breaches and incidents that involve personal data. The team is also responsible for administering the servicing of data subject rights across the University and for overseeing the University's Record of Processing Activities.

Information Asset Owners (IAOs)

8.9. IAOs are appropriately senior members of staff who have responsibility for specific information assets within business functions. Their role is to ensure those assets are handled and managed properly, that appropriate access and security controls are in place, and that the accuracy and integrity of the information is assured. They provide assurance to the SIRO that the information risk is being managed effectively.

8.10. Key responsibilities of an IAO are to:

  1. Promote a culture that values and protects the University’s information.

  2. Maintain oversight of their assets in the University's Information Asset Register.

  3. Ensure appropriate use of information assets.

  4. Understand and address risks to the information assets and provide assurance to the SIRO.

  5. Maintain overall responsibility for timely disposition of records in line with the University’s Records Retention Schedule.

Information Asset Administrators (IAAs)

8.11. IAAs are members of staff who have been delegated responsibility by an IAO for the operational management of information assets within specific business functions. Their role is to identify and report any operational concerns or risks to IAOs to be escalated accordingly.

8.12. Key responsibilities of an IAA are to:

  1. Maintain the Information Asset Register.

  2. Recognise and keep up to date with information handling requirements.

  3. Recognise risks and security incidents and consult with the appropriate IAO and the Information Compliance Team.

  4. Assist with the completion of Data Protection Impact Assessments (DPIAs) relevant to information assets.

  5. Ensure information is securely destroyed on behalf of the IAO, and in keeping with the Records Retention Schedule.

The Information Asset Network (IAN)

8.13. The IAN has overall responsibility for the management of records generated and held within their area. Each Faculty and Professional Service has a designated Information Asset Owner (IAO) role(s) who has overall responsibility. It is specifically the role of the Information Asset Network to carry out retention and disposal actions. See Information Asset Network (staff access only) for procedural guidance. In addition to the formal network for ensuring the compliant management of records, Line Managers are responsible for ensuring that their staff are aware of this Policy and comply with its requirements.

Caldicott Guardians

8.14. A Caldicott Guardian is a legal requirement for organisations providing publicly funded health and social care services. The Dental School and the Avon Longitudinal Study for Parents and Children (ALSPAC) have Caldicott Guardians. They are senior staff responsible for protecting the confidentiality of individuals’ health and care information and making sure it is used properly.

Information Governance and Security Advisory Board (IGSAB)

8.15. IGSAB is tasked with considering the University’s legislative and regulatory compliance with information governance and information security requirements. It facilitates effective oversight, strategic direction, and senior stakeholder support for information compliance, information risk management, data protection, and information security policies, initiatives, and compliance across the University. It supports the open information sharing needs of the University environment, paying due regard to both academic context and the notion of subsidiarity. The terms of reference for IGSAB set out the membership and remit of the group.

Information Security Team

8.16. The Information Security Team is based in IT Services and is responsible for maintaining the University’s Information Security Policy. This provides a framework to help make sure that all data held and processed by the University is managed to appropriate standards to keep it secure. The team is led by the Information Security Manager. The Information Security and Information Compliance teams work together closely, marrying technical and legal compliance perspectives.

Boards and Committees

8.17. Several boards and committees can have an oversight or operational role in ensuring UK GDPR compliance. This includes key senior functions, including the Operations Board, which provides the primary senior oversight function for operational matters, and the Audit and Risk Committee, which monitors the management of relevant risks and is accountable for this policy. The University Executive Board (UEB) can also become actively involved if serious compliance or reputational issues are experienced.

8.18. Other bodies performing specific roles, such as the research governance function and ethics committees, the Data Access Committee, and temporary working groups, project groups or local initiatives can also have an oversight or operational role in ensuring UK GDPR compliance.

All staff

8.19. All members of staff are responsible for ensuring that they are aware of the requirements of the University’s policies in relation to data protection and adhere to them on a day-to-day basis.

8.20. For detailed guidance, staff should refer to the University’s Guidance on Data Protection and any relevant local policies and procedures.

8.21. In summary, all staff must ensure that they:

  1. Complete mandatory data protection training every year and seek advice and guidance from the Information Compliance team where necessary.

  2. Keep personal data secure, ensuring compliance with the University’s Information Security Policy.

  3. Do not share personal data with unauthorised persons.

  4. Do not share personal data with freely available online and cloud services.

  5. Immediately report to the Information Compliance team any actual or suspected misuse or unauthorised disclosure of personal data.

  6. Ensure that the confidentiality, integrity, and availability of personal data are maintained at all times.

  7. Only access personal information for legitimate University purposes.

  8. Only use personal data in ways people would expect and for the purposes for which it was collected.

  9. Ensure their work is documented appropriately, that the records which they create or receive are accurate and managed correctly, and are maintained and disposed of in accordance with the University's guidelines and any legislative, statutory and contractual requirements.

  10. Use a minimum amount of personal data and only hold it for as long as is strictly necessary.

  11. Keep the personal data that they process up to date and ensure its accuracy.

  12. Provide assistance to the Information Compliance Team in complying with data subject rights requests and forward any such requests that are received directly to the Information Compliance Team promptly.

  13. Ensure the students whose work they are supervising are aware of the Data Protection Principles as set out above.

  14. Do not transfer any personal data outside of the EEA except in the circumstances set out below in Transfers of data outside of the European Economic Area (EEA) (section 12). [CHECK THIS, IS IT SECTION 12?]

  15. Use artificial intelligence responsibly and always in accordance with this policy and any related guidance.

  16. In addition to adhering to data protection principles, are aware of the need to comply with the Privacy and Electronic Communications Regulations (PECR), ensuring all marketing and cookies practices are lawful and in conformance with University policy and guidance.

9. Data subject rights

9.1. The UK GDPR provides data subjects with a number of rights in relation to their personal data. These include:

  1. Right to withdraw consent: Where the lawful basis relied upon by the University is the data subject’s consent, the right to withdraw such consent at any time without having to explain why.

  2. Right to be informed: The right to be provided with certain information about how we collect and process the data subject’s personal data.

  3. Right of subject access: The right to receive a copy of the personal data that we hold, including certain information about how the University has processed the data subject’s personal data.

  4. Right to rectification: The right to have inaccurate personal data corrected or incomplete data completed.

  5. Right to erasure (right to be forgotten): The right to ask the University to delete or destroy the data subject’s personal data if: the personal data are no longer necessary in relation to the purposes for which they were collected; the data subject has withdrawn their consent (where relevant); the data subject has objected to the processing with their objection upheld; the processing was unlawful; the personal data have to be deleted to comply with a legal obligation; the personal data were collected from a data subject under the age of 13, and they have reached the age of 13.

  6. Right to restrict processing: The right to ask the University to restrict processing if the data subject believes the personal data are inaccurate; the processing was unlawful and the data subject prefers restriction of processing over erasure; the personal data are no longer necessary in relation to the purposes for which they were collected but they are required to establish, exercise or defend a legal claim; the data subject has objected to the processing pending confirmation of whether the University’s legitimate interests grounds for processing override those of the data subject.

  7. Right to data portability: In limited circumstances, the right to receive or ask the University to transfer to a third party, a copy of the data subject’s personal data in a structured, commonly used machine-readable format.

  8. Right to object: The right to object to processing where the lawful basis for processing communicated to the data subject was the University’s legitimate interests and the data subject contests those interests.

  9. Right to object to direct marketing: The right to request that we do not process the data subject’s personal data for direct marketing purposes.

  10. Right to object to decisions based solely on automated processing (including profiling): The right to object to decisions creating legal effects or significantly affecting the data subject, which were made solely by automated means, including profiling, and the right to request human intervention. Artificial intelligence alone should not be used to decide who to shortlist for a job, determine academic outcomes, or assess disciplinary matters. These are decisions that require human oversight and accountability.

  11. Right to be notified of a personal data breach: The right to be notified of a personal data breach which is likely to result in a high risk to the data subject’s rights or freedoms.

  12. Right to complain: The right to make a complaint to the ICO or another appropriate supervisory authority.

9.2. Detailed guidance on the rights of data subjects can be found on the Information Compliance webpages and on staff intranet pages.

9.3. Staff must be able to identify when a request has been made and know when to escalate it to the Information Compliance Team.

9.4. Staff should be wary of third parties deceiving them into providing personal data relating to a data subject without the data subject’s authorisation.

9.5. Staff must immediately forward any request made by a data subject to the Information Compliance team.

9.6. Staff must observe and comply with the University’s Information Rights Procedure.

10. Risk management

10.1. The University recognises that effective data protection requires a proactive and systematic approach to identifying, assessing, and mitigating data protection risks.

10.2. To ensure comprehensive risk management across all its activities, the University has established procedural frameworks designed to anticipate and address potential data protection challenges. Central to this is the process for conducting Data Protection Impact Assessments (DPIAs), which enable the University to evaluate and mitigate risks.

10.3. The University also maintains a personal data breach procedure for incidents and breaches to be reported and managed accordingly.

Data Protection Impact Assessments (DPIAs)

10.4. A Data Protection Impact Assessment (DPIA) is a process to help identify and minimise the data protection risks involved in projects, processes, and activities involving the processing of personal data. DPIAs are legally required for processing likely to result in a high risk to the individuals and their personal data, and where new technologies are involved. In practice, the University requires a DPIA for any projects involving the use of personal data, including new systems, solutions, and some research studies.

10.5. A DPIA must:

  1. Describe the nature, scope, context, and purposes of the processing.

  2. Assess necessity, proportionality, and compliance measures.

  3. Identify and assess risks to individuals.

  4. Identify any additional measures to mitigate those risks.

10.6. DPIAs need to be assessed and signed off by the Information Compliance team and, where relevant, IT Services.

10.7. The University’s Data Protection Impact Assessment Procedure provides full details on how and when to complete an assessment. 

10.8. All staff must be aware of when a DPIA is necessary and engage with the Information Compliance team in conducting assessments.

Data breaches and incidents

10.9. In certain circumstances, the UK GDPR will require the University to notify the ICO, and potentially data subjects, of any personal data breach.

10.10. The University must notify the ICO of a personal data breach where there is a high risk to the rights and freedoms of a data subject. This notification should occur no later than 72 hours after becoming aware of the breach.

10.11. The University has put in place appropriate procedures to deal with any personal data breach and will notify the ICO and/or data subjects where the University is legally required to do so.

10.12. If staff know or suspect that a personal data breach has occurred, they must immediately contact the Information Compliance team (and IT Services, if relevant) to report it and obtain advice, and must take all appropriate steps to preserve evidence relating to the breach.

10.13. Staff must ensure that they do not share or disclose personal data with third parties unless they have lawful grounds to do so.

10.14. Staff must ensure that they observe and comply with the University’s personal data breach procedure.

11. Security

11.1. Keeping personal data properly secure is fundamental to complying with data protection laws.

11.2. The personal data that the University collects and processes must be secured by appropriate technical and organisational measures against accidental loss, destruction, or damage, and against unauthorised or unlawful processing.

11.3. The University will develop, implement, and maintain appropriate technical and organisational measures for the processing of personal data, taking into account the:

  1. Nature, scope, context, and purposes of such processing.

  2. Classification of the information as outlined in the University’s Information Classification Scheme.

  3. Volume of personal data processed.

  4. Likelihood and severity of the risks of such processing for the rights of data subjects.

11.4. The University will regularly evaluate and test the effectiveness of such measures to ensure that they are adequate and effective. Staff are responsible for ensuring the security of the personal data processed by them in the performance of their duties and tasks. Staff must ensure that they follow all procedures that the University has put in place to maintain the security of personal data from collection to destruction.

11.5. Staff must not attempt to circumvent any administrative, physical, or technical measures the University has implemented, as doing so may result in disciplinary action and, in certain circumstances, may constitute a criminal offence.

11.6. Staff must ensure that they observe and comply with the University Information Security Policy. Please see the IT Security Policy for further information.

12. Transfers of data outside of the European Economic Area (EEA)

12.1. The UK GDPR prohibits the transfer of personal data outside of the EEA in most circumstances in order to ensure that personal data is not transferred to a country that does not provide the same level of protection for the rights of data subjects. In this context, a “transfer” of personal data includes transmitting, sending, viewing, or accessing personal data in or to a different country.

12.2. The University may only transfer personal data outside of the EEA if one of the following conditions applies:

  1. The country to which the personal data is to be transferred is the subject of an “adequacy decision” confirming that it ensures an adequate level of protection for the rights and freedoms of data subjects (this applies to only a small number of countries).

  2. Appropriate safeguards are in place, such as binding corporate rules, approved contractual clauses issued by the ICO, an approved code of conduct or certification mechanism, which, in each case, can be obtained from the Information Compliance team. In most cases these safeguards will take the form of an International Data Transfer Agreement (IDTA) and associated Transfer Risk Assessment (TRA).

  3. The data subject has given their explicit consent to the proposed transfer, having been fully informed of any potential risks.

  4. The transfer is necessary in order to perform a contract between the University and a data subject, for reasons of public interest, to establish, exercise, or defend legal claims, or to protect the vital interests of the data subject in circumstances where the data subject is incapable of giving consent.

  5. The transfer is necessary, in limited circumstances, for the University’s legitimate interests.

12.3. Staff must ensure that they do not transfer any personal data outside of the EEA except in the circumstances set out above and provided that the University has agreed to this in advance.

12.4. Staff must notify and seek advice from the Information Compliance team if they believe they need to transfer data outside of the EEA.

13. Retention and disposal

13.1. Personal data must only be kept for as long as is necessary, and only for the specified purposes for which it was originally collected. The University’s Record Retention Schedule provides a standard for how long personal data should be kept with respect to regulation and business needs.

13.2. Storing personal data for longer than necessary increases the likelihood of data breaches.

13.3. The University will maintain policies and guidance to ensure that personal data is managed securely throughout the data lifecycle. This includes the storage, destruction, and anonymisation of personal data. Please see Records Management for more information.

13.4. Research data can be retained for a minimum of ten years. A shorter or longer retention period may be appropriate, depending on the discipline and characteristics of the project, or may be required by research sponsors and data custodians.

13.5. All privacy and fair processing notices and statements must outline the period for which personal data will be stored.

13.6. Staff must observe and comply with the University’s ICP-03 Records management policy.

14. Complaints

14.1. The University’s Data Protection Officer will coordinate any complaints received in respect of this policy.

14.2. For full details on how complaints should be made and how they are handled, please see the University Data Protection Complaints Procedure.

14.3. If complainants are dissatisfied with the outcome of their complaint, they may seek an independent review from the Information Commissioner. Requests for review by the Information Commissioner should be made by contacting them using the information on their website.

15. Changes to this policy

15.1. The University may make amendments to this policy at any time without notice, so please ensure you view the latest version. Substantive changes made to this policy will be communicated to staff.

Request this policy in an alternative format

If you need this policy in a different format, email uob-policymanager@bristol.ac.uk. In your message, include the format you need, for example: plain text, braille, BSL, large print or audio.