About>University Structure & Governance>Data Protection - Records Management

Data Protection - Records Management




Data Protection

The Data Protection Act 1998 is intended to protect individuals from unwanted or harmful uses of their personal data (information about them), by ensuring that organisations process (including collect, use, store, disclose and destroy) this information in a responsible and accountable fashion.

Cardiff Metropolitan University embraces the general principle of openness, as outlined in its Ope​nness Policy.​

The Data Protection Policy is a statement of the University's commitment to comply with the Data Protection Act.

The Act also sets out a number of rights that all individuals have in relation to their personal data. If Cardiff Metropolitan University holds data about you, then you have the right to correct or erase any inaccurate information and to prevent it processing your data in certain circumstances. You also have the right of access to your personal data. Please click here for more information about your rights (See 'Rights of Individuals below).

If you would like to see or have a copy of any data about yourself then please have a look at Cardiff Metropolitan University's guide to requesting information. You can also download and print the guide as a Word document: Ho​w ​to Request Information from Cardiff Metropolitan University.

As part of its commitment to quality and the maintenance of academic standards, Cardiff Metropolitan University operates the plagiarism detection service 'TurnitinUK'. More information about the service can be found at http://www.cardiffmet.ac.uk/registry/Pages/Plagiarism.aspx​  and information and advice about the data protection aspects (See Plagiarism tab below) of using the service is also available.

More information about the Data Protection Act is available in the How to Request Information from Cardiff Metropolitan University and news about the legislation is available as well. Cardiff Metropolitan University has also developed more specific guidance on the Act (See the guidance tab below).

Rights of Individuals

If Cardiff Metropolitan University is processing information about you, then you have a number of rights in relation to that information. The:

  • Right of access
  • Right to prevent processing
  • Rights concerning automated decisions
  • Right to compensation
  • Right to correct or erase inaccurate data

The University will normally ask you for proof of your identity if you contact the University about any of these rights.

If you would like more information about your rights or want to contact Cardiff Metropolitan University to assert a right, the University would encourage you to get in touch with:

Andrew Lane
Information Compliance- Senior Officer
Secretariat Unit
Cardiff Metropolitan University
Llandaff Campus
Western Avenue
029 20 205758

Right of Access

You have the right:

  • To be informed if the University is processing personal data about you.
  • (If so) To be given a description of the data, the purposes for which the data are being processed and to whom it may be disclosed.
  • To have a copy of your personal data and any information that we have as to the source of the data.
  • To be informed of the logic behind some automated decisions.
  • If you would like to see or have a copy of any data about yourself then please have a look at the guide to requesting information from Cardiff Metropolitan University.

You can also download and print the guide as a Word document How to Request Information from Cardiff Metropolitan University​.

If you are a student or a Cardiff Met alumni, our the Student Fair Processing Notice gives full details of the information we are processing about you. This includes a link to the Higher Education Statistics Agency's (HESA) collection notice an agency with whom we share, mainly for statistical purposes, student data. We also share staff data with HESA, details of which can be found within this collection notice​.

Right to Prevent Processing

You have the right to prevent the University processing your personal data if it is causing, or is likely to cause, substantial damage or distress to you or to someone else. If anything Cardiff Metropolitan University is doing with your personal data is causing loss, harm, real upset or real anguish, then you should write to us to tell us:

  • What processing you want stopped, or not begun.
  • Why the processing is causing unwarranted damage or distress.
  • When you want to stop the processing.
  • You also have the right to prevent the processing of your personal data for direct marketing.

Again, you should write to the University to tell the University to stop (including when to stop).

Rights Concerning Automated Decisions

You have the right to ensure that most decisions which significantly affect you are not made solely by automatic means and to ask the University to reconsider a decision that has already been taken. If you want to assert this right, you should put it in writing.

Right to Compensation

You have the right to claim compensation if the University has failed to comply with any of the requirements of the Act and you have suffered damage, or damage and distress, as a result. You can also claim for distress alone in certain cases. If you feel that you have a claim for compensation and want to attempt to resolve the situation informally you should first explain the circumstances of your claim in writing. You also have the right to apply to the Court for compensation.

Right to Correct or Erase Inaccurate Data

If you believe the University is holding incorrect information about you, ​the University ​​would be happy to make any necessary corrections or even erase the information, although you have the right to apply to a Court to have inaccurate data about you rectified, blocked, erased or destroyed. This right also extends to any opinions based on the inaccurate data.

The Data Protection Act is intended to protect people from unwanted or harmful uses of their personal data so that their personal privacy is protected. It regulates the way in which organisations collect, use, disclose and destroy information about people to ensure that they do so ​in a responsible and accountable fashion.

Cardiff Metropolitan University needs​ to:

  • Notify the Information Commissioner that it intends to process personal data.
  • Comply with the data protection principles, including:
    Comply with one of six conditions to process personal data.
    Comply with one further condition to process sensitive personal data.

The Data Protection Policy and the Data Protection Act Procedures and Guidance​ are intended to ensure that all processing of personal data carried out by, or on behalf of, Cardiff Met complies with the requirements of the Act.

Please get in touch if:

  • There is any other information that you would like to see included on these pages.
  • You need some specific advice or assistance.

You can contact Andrew Lane, Informat​​ion Compliance - Senior Officer, Llandaff Campus – Room M1.05, Ext 6076, anlane@cardiffmet.ac.uk.

What is a Notification?

The University's Notification tells everyone, including the people the data is about, what personal data it has and what it intends to do with it. If you start to collect different personal data, or decide that you want to use the data you have for something different, you will need to make sure that what you intend to do is compatible with Cardiff Metropolitan University's Notification. If it isn't, you need to contact the Information Compliance Officer as soon as possible, so that the Notification can be updated. Cardiff Metropolitan University would be guilty of an offence if​​ it didn't have a current, up to date Notification.

Our current Notification specifies the following purposes:

  • Personnel administration
  • Work planning and management
  • Marketing and selling
  • Fundraising
  • Purchaser/supplier administration
  • Membership administration
  • Ancillary and support functions (specifically: car parking administration, debt collection, safety office, maintenance of the on-line telephone directory and telephone exchange service)
  • Customer and client administration
  • Research and statistical analysis (specifically: educational research, health research, social research, technical research)
  • Information and data bank administration
  • Credit facilities administration
  • Legal services
  • Consultancy and advisory services (specifically: careers, chaplaincy, counselling)
  • Alumni relations
  • Colleges' commercial activities
  • Web-based user directory services
  • Web-site maintenance
  • Lending and hire services administration
  • Share and stock-holding registration

What is 'Processing'?

'Processing' is a term that is used to refer to anything that could be done to, or with personal data – from the point at which it enters an organisation to the point at which it leaves. It includes collecting, recording, organising, holding, storing, retrieving, looking at, consulting, using, disclosing and destroying the data.​​