The University for Creative Arts must manage your personal information in line with the UK Data Protection Act 18 and the UK General Data Protection Regulation (GDPR).
The Information Commissioner’s Office regulates our compliance with these laws. It is important that we have a clear legal basis for processing personal information, and we have documented reasons for doing so. This ensures transparency and accountability in handling your data. All staff are trained to ensure that privacy rights are respected and that personal data is treated with care and consideration.
We regularly review our data protection procedures which helps us monitor compliance and maintain a high standard.
Privacy Notices
Data Protection law regulates the use of personal data, which applies to both public and private sectors. It helps to protect individual rights to privacy and covers information held by means of electronic and paper records. It doesn’t apply to anonymised data or to information about the deceased.
Under this legislation, the University for the Creatives Arts is the ‘data controller’ and we aim to be open with individuals about how their personal data will be processed:
Personal Data
Principles
The University for Creative Arts must manage your personal information in line with the UK Data Protection Act 18 and the UK General Data Protection Regulation (GDPR).
There are six principles we must uphold when handling your personal data:
- It is processed fairly, lawfully and transparently
- The data is only processed for legitimate purposes
- Our information is relevant and limited to what we need
- We must ensure we hold accurate information
- Data is not held for longer than necessary
- Information must be processed securely
Accessing your
Personal Data
You have the right to apply for a copy of your own records; this applies to both staff and students.
To enhance your experience and help us understand the specific information being sought, please complete the Subject Access Request (SAR) Form provided, which include prompts and guidance to ensure that all relevant details are captured consistently. This reduces the likelihood of misunderstandings or misinterpretations, which can lead to delays or incomplete responses. Once the standardised form is completed, this can be returned either:
- By email to: [email protected]
- Or by post to:
Data Protection Officer
Information Governance Team
University For The Creative Arts
Falkner Road
Farnham
Surrey
GU9 7DS
The University for Creative Arts aims to provide the requested information within one calendar month from the date of receipt of the completed form.
Reducing your
Digital Footprint
Similar to accessing your data, you equally have a right to remove your personal information from our databases, where it does not need to be kept for legal or compliance reasons. This known as ‘Erasure’ or ‘the right to be forgotten’.
If you would like to delete your data, in line with legislation, please complete the Erasure Request Form provided. It is necessary to receive the fields specified for us to locate any relevant records and to assure ourselves that a complete search has been achieved. Once the standardised form is completed, this can be returned either:
- By email to: [email protected]
- Or by post to:
Data Protection Officer
Information Governance Team
University For The Creative Arts
Falkner Road
Farnham
Surrey
GU9 7DS
The University for Creative Arts aims to provide the requested information within one calendar month from the date of receipt of the completed form.
Personal Data
Breaches
A personal data breach is an incident leading to the accidental or unlawful loss, alteration, unauthorised disclosure of, or access to, personal data. A breach of personal data must be reported immediately.
Reporting breaches is essential for protecting the affected individuals, but it is also a chance for the organisation to improve their compliance; this instils accountability and helps to build trust. Some typical examples of a personal data breach include:
- Sending an email to the wrong recipient or attaching an incorrect document.
- Losing an unsecured laptop or other mobile device containing personal data.
- Being a victim of Malware, which has corrupted personal data
If the breach is likely to result in a substantial risk to privacy and/or safety, this must be reported to the Information Commissioner’s Office within 72 hours. This is why it is important that the Data Protection Officer is notified of any potential personal data breaches straight away so that they can perform a risk assessment. Staff are trained to identify and report such instances should they arise.
If you think a mistake has been made that might have compromised personal data, please contact the Data Protection Officer via email: [email protected] and they will support you.