The EU General Data Protection Regulation 2016/679 (GDPR) came into force on the 25 May 2018, and it is supplemented by the Data Protection Act 2018. We refer to these as “data protection law”.

Data protection law regulates the processing of “personal data” relating to individuals by organisations (known as “data controllers”).

On this page, and the pages which it links to, we have used some words and phrases, and these are explained below.

• "Personal data" means any information which relates to a living, identifiable person.  It can include names, addresses, telephone numbers, email addresses etc but it is wider than that and includes any other information relating to that person or a combination of information which, if put together, means that the person can be identified. 
• "Special category data" means personal data about a person’s race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life or sexual orientation.
• "Processing" covers all activities relating to the use of personal data by an organisation, from its collection through to its storage and disposal and everything in between.
• "Data subject" means the person whose personal data is being processed.
• "Data controller" means the organisation which is responsible for processing data and ensuring that personal data is processed in accordance with data protection law.

The University of Birmingham (the “University”) is the data controller for the personal data that we process in relation to you.

Occasionally, the University may be a joint data controller with other organisations, or we may be processing data about you on behalf of another organisation, but when this is the case, we will make you aware of this when the information is collected.

Personal data must be processed in accordance with specific principles set out in data protection law. These include the principle that personal data should be processed ‘lawfully, fairly and in a transparent manner’.  In order to comply with this principle, the University will tell you how it will deal with your information at the time we collect it.  This information is normally set out in a “privacy notice”.

We have separate privacy notices for the different categories of people the University processes information about, for example, for students, staff, alumni, visitors etc.  These are published on our website, and there are links to them on this page.

In addition to the privacy notices, more information is set out below, in particular “Your rights as a data subject” and “Exercising your rights, queries and complaints”.

We also process your data in accordance with our Data Protection Policy. This can be found here but it will be updated once the Data Protection Act 2018 is finalised and comes into force.

The University handles a substantial amount of information about people.   It is important that they have trust and confidence that the University will protect their privacy and the University takes great care to ensure that personal data is handled, stored and disposed of confidentially and securely. Our staff receive regular data protection training, and the University has put in place organisational and technical measures so that personal data is processed in accordance with the 6 data protection principles set out in data protection law. 

The University has an Information Security Management System based on ISO27001 with a range of controls covering the protection of personal information. Annual security awareness training is mandatory for staff and the University is accredited under the NHS Information Governance Toolkit, the Payment Card Industry Data Security Standard and is in the process of gaining Cyber Essentials Plus for defined services.

As a data subject, you have the following rights in relation to your personal data which is processed by the University:

• to access  the personal   information the University holds about you.  This is known as a Subject Access Request.  More information about making Subject Access Requests can be found on our website, and you will find it helpful to read this before making a Subject Access Request;
• to correct inaccuracies or, where appropriate and taking into account the purpose for which we process your data, the right to have incomplete data completed;
• to have your personal data erased. This is a limited right which applies, among other circumstances, when the data is no longer required or the processing has no legal justification. There are also exceptions to this right, such as when the processing is required by law or in the public interest (e.g. when the University needs to retain a historical archive);
• to object to the processing of your personal data for marketing purposes. If you ask us to delete your personal data, we will continue to maintain a core set of personal data comprising very brief information to ensure that we do not inadvertently contact you in future. We may also need to retain some financial records for statutory purposes;
• to object to the processing of your personal data when that processing is based on specific criteria such as the public interest or other legitimate interests, unless we have compelling lawful  grounds to continue;
• to restrict the processing of your personal data. This is a limited right which will apply in specific circumstances and for a limited period;
• to ask for the transfer of your data electronically to a third party;
• where the legal basis for us processing your personal data is your consent, to withdraw that consent at any time.

If:

• you would like more information on your rights;
• you would like to exercise any right; or
• you have any queries relating to the University’s processing of your personal data

please contact:

• The Information Compliance Manager
  Legal Services
  The University of Birmingham
  Edgbaston
  Birmingham
  B15 2TT
  Email: dataprotection@contacts.bham.ac.uk
  Telephone: +44 (0)121 414 3916

More information on making a Subject Access Request can be found on the University's website. Please do read this before making a request.

If you wish to complain

If you wish to make a complaint about how your data is being or has been processed, please contact our Data Protection Officer:

• Mrs Carolyn Pike, OBE
  The Data Protection Officer
  Legal Services
  The University of Birmingham
  Edgbaston
  Birmingham
  B15 2TT
  Email: dataprotection@contacts.bham.ac.uk
  Telephone: +44 (0)121 414 3916

You also have a right to complain to the Information Commissioner's Office (ICO) about the way in which we process your personal data. You can make a complaint using the ICO’s website.