Data Protection

The University of Worcester is committed to a policy of protecting the rights and freedoms of individuals with respect to the processing of their personal data.

Data protection legislation (UK GDPR and the Data Protection Act 2018) places obligations on the University and the way it handles personal data. In turn, members of the University have responsibilities to ensure personal data is processed fairly, lawfully and securely.

The following and associated pages provide the following information:


Data Protection Officer

The University's Data Protection Officer is the University Secretary - Helen Johnstone, tel: 01905 855014, (m) 07785417281; email:

University Registration with the ICO

The University's registration number is Z5445506 and a copy of the University's certificate of registration can be viewed here

Dos and Don'ts for Data Protection

This provides basic guidance on how you should handle personal data under the data protection legislation. It applies to all personal data processing, both electronic (including emails) and manual (i.e. paper records).
  • When you process personal data you must ensure that it is accurate, relevant and not excessive in relation to your needs
  • When processing personal data you need to ensure that you have identified the appropriate lawful basis for processing that data - see the Records of Processing associated with each of the Privacy Notices. Consent is only required where indicated on the Record of Processing
  • Once you have identified your lawful basis for processing you will need to provide the individual with a Privacy Notice (see Guidance on Writing Privacy Notices)
  • Ensure that you keep personal data in accordance with the University's Records and Document Retention Schedule
  • Do not disclose any information about an individual to a third party (e.g. external organisation, parent, partner) without first checking that the individual consents to such disclosure. In the case of a parent, partner or family member the University will not release any information without the consent in writing of the individual. In the case of a request from the police, please contact the Data Protection Officer. (See Requests for Personal Data)
  • Do not write any comment about any individual that is unfair or untrue and that you would not be able to defend if challenged. You must assume that anything that you write about a person is subject to release under a Subject Access Request and will be seen by that person.
  • Be vigilant if you are undertaking work off campus using personal data such as individualised research data, reference requests, or examination scripts or results. Strict security measures must be applied to the transportation and storage of all such data. Advice on encryption and mobile working should be sought from the IT Helpdesk. (See Information Security)
  • Ensure that all personal data is kept secure, not only from unauthorised access, but from fire and other hazards (See Information Security)
  • Use the confidential waste collection boxes or the contract shredding service to dispose of any document containing personal data, whether or not you consider it to be confidential. (See Information Security)
  • Apply password protection to computers, screensavers and documents. Where possible ensure that you lock personal data away when not in use or you are absent from your desk.

For any queries regarding Data Protection please contact the Information Governance Officer