Skip to main content Skip to navigation

Data Protection

The University of Warwick is committed to protecting the privacy rights of individuals who entrust the University with their personal data. The Data Protection PolicyLink opens in a new window outlines the University’s commitment to transparency, accountability, promoting good information governance, and compliance with both the GDPR and the Data Protection Act 2018.

The University is regulated by the Information Commissioner's Office (ICO) and has the registration number Z5856740 on the ICO's public register.

Data Protection Principles

The University strives to comply with the data protection principles. The principles are that personal data shall be:

  • processed lawfully, fairly and in a transparent manner (the lawfulness, fairness and transparency principle);
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the purpose limitation principle);
  • adequate, relevant and limited to what is necessary in relation to purposes for which they are processed (the data minimisation principle);
  • accurate and, where necessary, kept up to date (the accuracy principle);
  • kept in an identifiable format for no longer than is necessary (the storage limitation principle); and
  • processed in a manner that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage, using appropriate technical and organisational measures (the integrity and confidentiality principle).

The University is responsible for, and must be able to demonstrate, compliance with these principles. The University is proactive in its approach to data protection and has in place a number of appropriate technical and organisational measures. The University recognises that data protection is an ongoing obligation which must be regularly reviewed.

The measures put in place by the University include:

  • appointing a Data Protection Officer;
  • implementing policies, procedures, processes and training to promote and embed data protection by design and default;
  • conducting Legitimate Interests Assessments;
  • conducting Data Protection Impact Assessments on processing activities;
  • implementing appropriate privacy provisions in written agreements when sharing personal data or engaging a data processor to conduct work on the University’s behalf;
  • maintaining a record of processing activities; and
  • applying pseudonymisation techniques.