GDPR compliance statement

During the course of our activities, the University collects and uses data about a wide range of individuals, for example staff, students, applicants and people taking part in our research.  Data Protection Law regulates how Personal Data must be processed and provides individuals with rights in relation to their Personal Data.

The University has policies in place, including its Data Protection Policy, which are designed to protect the accuracy, integrity and confidentiality of Personal Data and to ensure that individuals are able to exercise their rights.

Data protection compliance is overseen by the Information Security Management Group, reporting to The University’s Executive Board. The University has put in place organisational and technical measures to support compliance, and where, in rare occasions due to reasons outside the University’s control, full compliance may be delayed ( eg because external software is not capable of compliance) we have an action plan to resolve the issue within a reasonable period of time.

Communicating Privacy Information

Information on how the University uses personal data together with our privacy notices online at Data subjects have been informed of our privacy notices using a variety of approaches. The privacy notices also include information about how individuals can exercise their data rights.

Reviewing and Refreshing Existing Consents

At the University, the majority of the personal data processing is based on a legal basis other than consent, such as ‘public task’ or ‘contractual obligations’. We have been mapping the basis for processing in all our activities. Where consent is the legal condition for processing, and if we do not have a recorded opt-in consent, we have communicated with data subjects, internally and externally, to obtain a renewed consent which will allow us to continue processing the information we have for the specific purpose(s) that it was collected for. When the consent is not renewed we will stop processing the personal data and delete the information as soon as reasonably practicable.

Procedures for Data Subject Requests

Information on how to exercise rights, including information on how to submit a Subject Access Request, is available on our website.

Information Security

The University has an Information Security Management System based on ISO27001 with a range of controls covering the protection of confidential and personal information and ensuring business continuity. Annual security awareness training is mandatory for staff and the University is accredited under the NHS Information Governance Toolkit, the Payment Card Industry Data Security Standard and in the process of gaining Cyber Essentials Plus for defined services.

Data Protection Impact Assessment (DPIA)

We have embedded DPIAs within our IT Project processes and Procurement requirements. DPIAs will also be embedded within the planning stage of all research and other significant projects.

Data Breaches Procedures

At the University we have had a breach notification process for many years, which enables the University to be confident that any breaches will be reported, in a timely manner.  Procedures are in place to ensure that both the Data Protection Officer, and relevant colleagues in IT Services will liaise and act together to initiate any necessary measures. When the University is a "data processor", our procedures allow us to communicate personal data breaches to any responsible "data controller(s)" in due time.


At the University we have produced an introductory video on Data Protection. Our staff are also required to complete a mandatory online training module on Data Protection every two years, in addition to the mandatory training on information security. Some staff, e.g. those who deal with health data, are required to complete the training every year.


The GDPR Project has been closely monitored by the University’s Audit Committee and subject to specific internal audits periodically.

If you wish to have more information, please contact our Data Protection Officer:

  • Nicola Cardenas Blanco
    The Data Protection Officer
    Legal Services
    The University of Birmingham
    B15 2TT
    Telephone: +44 (0)121 414 3916


Professional Services