Data Protection
The University of Reading needs to process personal data about its employees, students, research participants, visitors, users of our facilities, and others, to allow it to effectively carry out its business.
What do we mean by 'Process'?
Processing is the term used to describe anything we do with personal data, including collecting, storing, sharing, analysing, sharing, and deleting.
What is Personal Data?
Personal Data means any information relating to an identified or identifiable person ( which we refer to as the ‘data subject’). This includes information that can directly identify an individual, such as names and contact details, as well as information that can indirectly identify an individual, such as an ID or reference number.
Data Protection law only applies to living individuals.
The University processes significant amounts of personal data across a broad range of activities including; the provision of teaching and learning, employment administration, research, marketing and fundraising, welfare and support services, catering and accommodation, events and leisure activities. The University also has numerous regulatory, statutory and legal requirements and obligations that involve the collection and sharing of personal data.
The Law
The primary Data Protection laws that govern how we must protect personal data are:
The General Data Protection Regulation (GDPR) (EU and UK)
This is where the general definitions, principles, requirements and rights of Data Protection law can be found. The UK adopted the EU GDPR into our own laws after the UK's exit from the European Union. However, the territorial reach of the EU GDPR still applies to some of our data processing, so we are required to meet our obligations under both regimes. At present, The EU and UK GDPR are aligned, however the UK Government are seeking to move away from the adopted EU text and make changes to the UK GDPR. IMPS and Legal Services will be monitoring the impact of any future divergence. In the meantime, references to the 'GPPR' can be taken to refer to both regimes.
The Data Protection Act (DPA) 2018
This is UK law and where more detailed requirements, exemptions and the role of the UK regulator (the Information Commissioner's Office) can be found
The Privacy of Electronic Communications Regulations 2003
This contains requirements that are more specific to our digital and marketing activities involving personal data
Common Law Duty of Confidence
This is more relevant to data processing in a healthcare context. The requirements of Data Protection legislation apply alongside the requirements of the common law duty of confidence and both must be satisfied.
This list is not exhaustive and many countries around the world also have their own Data Protection laws that may place obligations on UK organisations, dependant on territorial scope.
The good news is, we do not expect staff and students across the University to read and understand these laws in full! The polices, training, advice and guidance we provide you with are designed to navigate the key requirements.
The University must process personal data according to the Data Protection Principles set out in the GDPR. This requires the University to collect and use data fairly, to store it safely and not to disclose it to any other person unlawfully. The requirement for the University to comply with this Act, in protecting the rights and privacy of individuals, imposes certain responsibilities on its staff, students and others that they should fully understand; it also sets out certain rights for them of which they should be aware.
The University of Reading has developed its Data Protection Policy (PDF-179KB) to ensure that everyone associated with the University understands their rights and responsibilities. It has also drawn up a series of detailed guidance to help deal with the most common activities involving personal data..
The Data Protection policy and its guidelines are related to other University policies and publications including:
- Freedom of Information and Environmental Information Regulations Policy (PDF-214KB)
- University Records Management Policy (PDF-131KB)
- Records Management guidelines
How you can help us with meeting these obligations:
- Completing any training as instructed
- Keeping your University accounts and data secure
- Following advice and instructions relating to IT security
- Following University Information Compliance Polices
- Taking care when sending personal data to others - check carefully that you have the correct email recipient and using blind copy (bcc) where appropriate
- Contacting IMPS if there is anything you need help with, or are unsure about
- Involving IMPS when you are embarking on new or changing activities or projects that involve the processing of personal data
- Reporting any Information Security Incidents to IMPS promptly (see below)
Information Security Incidents
Suspected or actual compromises of University data must be reported to IMPS immediately using the Information Security Incident Reporting Form.
This is a requirement under the University's Information Security Incident Response Policy (PDF 210KB) and Information Security Incident Response Procedures (PDF 354KB)
Completed forms should be submitted to imps@reading,ac,uk
For advice, support and assistance in the event of an incident contact IMPS on 0118 378 8981.
Contact IMPS
- Email:
imps@reading.ac.uk - Telephone: +44 (0) 118 378 8981
Report an
Find out if you need to do a DPIA here: