In May 2018, the data protection law changed. The Data Protection Act 1998 was be replaced by the General Data Protection Regulation (GDPR). This has significant implications for the way in which personal data is collected and processed by the University.
Some of the key changes include: enhanced data subject rights; new rules relating to consent; a requirement for more detailed and transparent notices; mandatory data breach notification. A new principle relating to ‘accountability’ is also being introduced which will impact on record keeping and decision making, with an emphasis on the idea of ‘privacy by design’ – i.e. building privacy principles into projects from the outset and documenting your approach.
Over the coming months we will be providing additional information and resources relating to GDPR. Below is a description of the University’s key data protection documentation which has been revised to take into account these changes.
Aberystwyth University's Data Protection Policy broadly explains how the institution manages key aspects of data protection and outlines staff and student responsibilities. The Data Protection Statement for Students and Privacy Notice for Staff provide more detail about the processing of personal data.
Data protection is similarly addressed within the University's Information Security Policy, Information Security Policy - Responsibilities of Staff, E-Mail Policy and its CCTV Code of Practice.
It is important to be aware that the institution passes on personal data to the Higher Education Statistics Agency (HESA) who provide further information concerning this process here:
Other supporting documentation provides detailed guidance for staff handling personal data in everyday circumstances:
Security of Personal Data when working out of the office
We also process data to support Learning Analytics. Details of this can be found here: Learning Analytics at Aberystwyth University
Further information relating to access to personal data along with other University Data Protection procedures can be found here:
Data Controller Registration
Data Subject Access Requests
Breaches of Data Protection
Research Data and Data relating to non-members of the University
Contractors, Short-Term and Voluntary Staff
Wiping Computer Hard Disks
Further information can be found externally at: