GDPR compliance statement

Information on how the University uses personal data together with our privacy notices online at www.birmingham.ac.uk/dataprotection. Data subjects have been informed of our privacy notices using a variety of approaches. The privacy notices also include information about how individuals can exercise their data rights.

At the University, the majority of the personal data processing is based on a legal basis other than consent, such as ‘public task’ or ‘contractual obligations’. We have been mapping the basis for processing in all our activities. Where consent is the legal condition for processing, and if we do not have a recorded opt-in consent, we have communicated with data subjects, internally and externally, to obtain a renewed consent which will allow us to continue processing the information we have for the specific purpose(s) that it was collected for. When the consent is not renewed we will stop processing the personal data and delete the information as soon as reasonably practicable.

Information on how to exercise rights, including information on how to submit a Subject Access Request, is available on our website.

The University has an Information Security Management System based on ISO27001 with a range of controls covering the protection of confidential and personal information and ensuring business continuity. Annual security awareness training is mandatory for staff and the University is accredited under the NHS Information Governance Toolkit, the Payment Card Industry Data Security Standard and in the process of gaining Cyber Essentials Plus for defined services.

We have embedded DPIAs within our IT Project processes and Procurement requirements. DPIAs will also be embedded within the planning stage of all research and other significant projects.

At the University we have had a breach notification process for many years, which enables the University to be confident that any breaches will be reported, in a timely manner.  Procedures are in place to ensure that both the Data Protection Officer, and relevant colleagues in IT Services will liaise and act together to initiate any necessary measures. When the University is a "data processor", our procedures allow us to communicate personal data breaches to any responsible "data controller(s)" in due time.

At the University we have produced an introductory video on Data Protection. Our staff are also required to complete a mandatory online training module on Data Protection every two years, in addition to the mandatory training on information security. Some staff, e.g. those who deal with health data, are required to complete the training every year.

The GDPR Project has been closely monitored by the University’s Audit Committee and subject to specific internal audits periodically.