About>University Structure & Governance>Data Protection - Records Management

Data Protection - Records Management



Data Protection

The Data Protection Act 2018 is intended to protect individuals from unwanted or harmful use of their personal data (information about them), by ensuring that organisations process (including collect, use, store, disclose and destroy) this information in a responsible and accountable fashion.

Cardiff Metropolitan University embraces the principles of the General Data Protection Regulation (GDPR).​

The University has a Data Protection Policy which is a statement of the University's commitment to comply with the Data Protection Act, and a Records Management Policy.

In the event of a potential data protection breach, all staff and students must notify the Information and Data Compliance Officer immediately. A Data Breach Incident Report Form can be completed in order to provide as much information about the situation as possible.

For further information on what to do in the event of a data breach, please see the University's Data Breach Procedure.

The Act also sets out a number of rights that all individuals have in relation to their personal data. If Cardiff Metropolitan University holds data about you, then you have the right to correct or erase any inaccurate information and to prevent the University processing your data in certain circumstances. You also have the right of access to your personal data. Please click here for more information about your rights (or see 'Rights of Individuals' below).

If you would like to see or have a copy of any data about yourself then please contact dataprotection@cardiffmet.ac.uk

As part of its commitment to quality and the maintenance of academic standards, Cardiff Metropolitan University operates the plagiarism detection service 'TurnitinUK'. More information about the service can be found at http://www.cardiffmet.ac.uk/registry/Pages/Plagiarism.aspx​ and information and advice about the data protection aspects (see 'Plagiarism' tab below) of using the service is also available.

More information about the Data Protection Act is available in the How to Request Information from Cardiff Metropolitan University. Cardiff Metropolitan University has also developed more specific guidance on the Act (see the 'Guidance' tab below).

Documents Available in Welsh

Data Breach Incident Report Form

Data Breach Procedure

Data Protection Policy

Staff Privacy Notice

Student and Applicant Data Protection Notice

Rights of Individuals

If Cardiff Metropolitan University is processing information about you, then you have a number of rights in relation to that information. The:

  • Right of access
  • Right to prevent/restrict processing
  • Rights concerning automated decision making and profiling
  • Right to rectify inaccurate data 
  • Right to erasure/be forgotten

The University will normally ask you for proof of your identity if you contact the University about any of these rights.

If you would like more information about your rights or want to contact Cardiff Metropolitan University to assert a right, the University would encourage you to get in touch with:

Sean Weaver
Information & Data Compliance Officer
Secretariat Unit
Cardiff Metropolitan University
Llandaff Campus
Western Avenue

Right of Access

You have the right:

  • To be informed if the University is processing personal data about you.
  • (If so) To be given a description of the data, the purposes for which the data are being processed and to whom it may be disclosed.
  • To have a copy of your personal data and any information that we have as to the source of the data.
  • To be informed of the logic behind some automated decisions.
  • If you would like to see or have a copy of any data about yourself then please have a look at the guide to requesting information from Cardiff Metropolitan University.

You can also download and print the guide as a Word document How to Request Information from Cardiff Metropolitan University​.

If you are a student or a Cardiff Met alumni, our Student Fair Processing Notice  gives full details of the information we are processing about you. This includes a link to the Higher Education Statistics Agency's (HESA) collection notice an agency with whom we share, mainly for statistical purposes, student data. We also share staff data with HESA, details of which can be found within this collection notice​.

If you are a member of staff, our Staff Privacy Notice gives full details of the information we are processing about you.

Right to Prevent/Restrict Processing

You have the right to prevent the University processing your personal data if it is causing, or is likely to cause, substantial damage or distress to you or to someone else. If anything Cardiff Metropolitan University is doing with your personal data is causing loss, harm, real upset or real anguish, then you should write to us to tell us:

  • What processing you want stopped, or not begun.
  • Why the processing is causing unwarranted damage or distress.
  • When you want to stop the processing.
  • You also have the right to prevent the processing of your personal data for direct marketing.

Again, you should write to the University to tell the University to stop (including when to stop).

Rights Concerning Automated Decisions

You have the right to ensure that most decisions which significantly affect you are not made solely by automatic means and to ask the University to reconsider a decision that has already been taken. If you want to assert this right, you should put it in writing.

Right to Rectify Inaccurate Data

If you believe the University is holding incorrect information about you, ​the University ​​would be happy to make any necessary corrections or even erase the information. Please put this request in writing detailing the inaccuracies and how you wish for them to be amended. 

The Right to Erasure 

An individual may decide that, for whatever reason, they no longer want the University to process, store or use particular data that is held on them. Data Protection legislation provides the right to ask the University to delete personal data in certain circumstances.

This 'right to be forgotten' as it's known, is not an absolute right, which means that it might not be possible or required in all situations.

A request to erase particular data should be made in writing to dataprotection@cardiffmet.ac.uk and the Information and Data Compliance Officer will be able to advise further.  

The Data Protection Act is intended to protect people from unwanted or harmful uses of their personal data so that their personal privacy is protected. It regulates the way in which organisations collect, use, disclose and destroy information about people to ensure that they do so ​in a responsible and accountable fashion.

Cardiff Metropolitan University needs​ to:

  • Notify the Information Commissioner that it intends to process personal data.
  • Comply with the data protection principles.
  • Identify a lawful basis when processing personal data.
  • Identify a further lawful basis when processing sensitive personal data.

The University's Data Protection Policy ensures that all processing of personal data carried out by, or on behalf of, Cardiff Met complies with the requirements of the legislation. 

Please get in touch if:

  • There is any other information that you would like to see included on these pages.
  • You need specific advice or assistance.

You can contact Sean Weaver, Informat​​ion and Data Compliance Officer, Llandaff Campus – Room M1.05, dataprotection@cardiffmet.ac.uk.

What is a Notification?

The University's Notification tells everyone, including the people the data is about, what personal data it has and what it intends to do with it. If you start to collect different personal data, or decide that you want to use the data you have for something different, you will need to make sure that what you intend to do is compatible with Cardiff Metropolitan University's Notification. If it isn't, you need to contact the Information and Data Compliance Officer as soon as possible, so that the Notification can be updated. 

Our current Notification specifies the following purposes:

  • Personnel administration
  • Work planning and management
  • Marketing and selling
  • Fundraising
  • Purchaser/supplier administration
  • Membership administration
  • Ancillary and support functions (specifically: car parking administration, debt collection, safety office, maintenance of the on-line telephone directory and telephone exchange service)
  • Customer and client administration
  • Research and statistical analysis (specifically: educational research, health research, social research, technical research)
  • Information and data bank administration
  • Credit facilities administration
  • Legal services
  • Consultancy and advisory services (specifically: careers, chaplaincy, counselling)
  • Alumni relations
  • Colleges' commercial activities
  • Web-based user directory services
  • Web-site maintenance
  • Lending and hire services administration
  • Share and stock-holding registration

What is 'Processing'?

'Processing' is a term that is used to refer to anything that could be done to, or with personal data – from the point at which it enters an organisation to the point at which it leaves. It includes collecting, recording, organising, holding, storing, retrieving, looking at, consulting, using, disclosing and destroying the data.