Please read our student and staff community guidance on COVID-19
Skip to main content Skip to navigation

Data protection

University of Warwick Data Protection Statement

The University of Warwick is committed to protecting the privacy rights of individuals who entrust the University with their personal data. This Data Protection Policy outlines the University’s commitment to transparency and accountability and promoting good information governance.

Principles

Under the GDPR there are six data protection principles. The University, as a data controller, must comply with all six general principles when processing personal data:

  • Lawfulness, fairness and transparency – personal data must be processed lawfully, fairly and in a transparent manner.
  • Purpose limitation – personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (with exceptions for public interest, scientific, historical or statistical purposes).
  • Data minimisation – personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  • Accuracy – personal data must be accurate and, where necessary, kept up to date. Inaccurate personal data should be corrected or deleted.
  • Retention – personal data should be kept in an identifiable format for no longer than is necessary (with exceptions for public interest, scientific, historical or statistical purposes).
  • Integrity and confidentiality – personal data must be kept confidential and loss and or damage prevented.

Data Subject Rights

The General Data Protection Regulation ('GDPR') provides the following rights for individuals:

  1. The right to be informed – individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement which is usually satisfied by the provision of a privacy notice at the point the personal data is collected by the University. A Notice should be given whether we receive personal data directly from an individual or indirectly from someone else.
  2. The right of access – individuals have a right to access their personal data, which is commonly referred to as a Subject Access Request.
  3. The right to rectification – individuals have a right to have inaccurate personal data rectified, or completed if it is incomplete. This right is closely linked to the accuracy principle.
  4. The right to erasure – individuals have a right to have personal data erased – also known as the right to be forgotten.
  5. The right to restrict processing – individuals have the right to request the restriction or suppression of their personal data.
  6. The right to data portability – individuals have the right to obtain and reuse their personal data for their own purposes across different services. This right allows individuals to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without it affecting the usability.
  7. The right to object – individuals have the right to object to the processing of their personal data in certain circumstances, including an absolute right to stop their data being used for direct marketing.
  8. Rights in relation to automated decision making and profiling – individuals have the right not to be subject to a decision based solely on automated decision-making using their personal data.
  9. The right to communication – individuals have the right to be told about personal data breaches that pose a high risk of harm to them. They will be told, at least, the consequences of the breach for them, what the University is doing/ has done to address the breach/ minimise harm and be provided with a contact point.

Our response

A response to all rights must be sent without undue delay and at the latest within one month. That period may be extended by two further months if a request is complicated or we receive a number of requests from the same individual. If the University proposes to extend the time beyond a month, we will tell the individual, within one month of receiving a request, why the extension is necessary and when it will be dealt with.

Where an individual makes a request by email we will generally respond by email unless the individual requests otherwise.

When providing information to an individual we will do so in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This is especially the case if we are dealing with a child/young person. We can provide information verbally to the individual if they request so and we are satisfied they are entitled to the information.

If for whatever reason, we choose not to deal with the request then we will tell the individual why, without delay and at the latest within one month of receipt of their request. They will be advised that they may lodge a complaint with the Information Commissioner’s Office or seek a judicial remedy.

Requests to exercise rights are normally free of charge however where a request(s) is “manifestly unfounded or excessive” (this might be where the requests are repetitive) we may:

    • charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
    • refuse to act on the request.

    It is for the University to prove that a request is manifestly unfounded or excessive.

    Where the University has reasonable doubts concerning the identity of the person making the request we may request the provision of additional information necessary to confirm their identity.

    The rights above are not absolute. The GDPR sets out the circumstances in which they apply. In addition, an exemption may be present in the Data Protection Act 2018 which means that we are able to depart from our usual obligations.

    How to Make a Request

    To help us facilitate any request regarding your Data Subject Rights, it would be helpful if you could complete a Data Subject Rights Form, providing as much information as possible, and submit this by email to infocompliance at warwick dot ac dot uk or sent it to:

    Legal and Compliance Services
    University House
    University of Warwick
    Coventry
    CV4 8UW

    In addition, you may need to provide a copy of one form of ID (passport, driving licence or another internationally recognised ID card) for yourself.

    Download a Data Subject Rights form here:

    Data Protection Officer
    dpo@warwick.ac.uk
    The University of Warwick
    University House
    Coventry CV4 8UW