Data Protection and Use of Student Data


1 The Data Protection Act 1998 (DPA) regulates the processing of personal data in any format by the University of Leicester, including both digital and hard copy personal data and all other formats.  ‘Personal data’ is any information relating to a living individual, and 'processing' is any activity carried out involving personal data, including holding and storing it.  On 25th May 2018 the DPA will be superseded in the UK by the General Data Protection Regulation (GDPR), which provides individuals with enhanced rights, and imposes increased responsibilities on organisations processing personal data.  This statement applies under both the DPA and GDPR.

This statement establishes the University’s procedures governing the collection and release of student data and is provided to students at the application and registration stages.  It includes information about how student data is used, and where it is supplied by the University to the Higher Education Statistics Agency (HESA) and other external parties.

3 The University of Leicester is the data controller for all personal data that it holds and processes, except where it is done in the capacity of a data processor on behalf of another data controller.  The University’s contact details are:

University of Leicester

University Road



The University’s Data Protection Officer is:

Mr Henry Stuart

Legal and Information Assurance Services

University of Leicester

University Road



(0116) 2527945


The University of Leicester may obtain, hold and process the personal data of students including personal details, family and social circumstances, education and training records, employment information, financial details, and services provided.  It may obtain, hold and process the sensitive personal data (the term used by the DPA) and special category data (the term used by GDPR) of students including racial or ethnic origin, religious or philosophical beliefs, biometric data, and physical or mental health. 

6 Personal data and sensitive personal data/special category data held by the University relating to students is obtained directly from the student or applicant, or in some cases from a third party organisation involved in the services provided by the University that has obtained the information in the first instance, for example UCAS and agents involved in student recruitment.

7 The University of Leicester holds the personal data and sensitive personal data/special category data of its students in order to implement and manage all services and processes relating to students, including student recruitment, admission, registration, teaching and learning, examination, graduation and other services such as accommodation, student support and careers.  Only information required for these purposes is obtained and processed, and without it the University may not be able to provide its services.  Information is passed between various sections of the University for operational reasons as is necessary and proportionate for intended purposes.

8 Student personal data is collected and processed by the University as it is necessary for the performance of the contract under which the University provides services to students.  Some processing activities may also be carried out under a legal obligation (for example, disclosing personal data to external parties under statutory powers), where it is necessary to protect the vital interests of the student or another party (for example, disclosures to external parties to ensure the safety and wellbeing of individuals), where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority (for example, collecting or disclosing information in order to meet regulatory or statutory requirements), or where it is necessary for legitimate interests pursued by the University or a third party (the legitimate interests will relate to the efficient, lawful and proportionate delivery of services and will not be to the detriment of the interests or rights of individuals).  Where any of these legal bases do not apply, the consent of an individual to process their personal data will be sought. 

9 Where students’ sensitive personal data/special category data is collected and processed by the University this will be on the legal basis of explicit consent of the student, employment or social security/protection requirements, protecting the vital interests of the student or another party, the exercise or defence of a legal claim, reasons of substantial public interest, purposes of medical or health care, or where the information has been made public by the student.  Any processing will be proportionate and relate to the provision of services by the University.  When this data is used for monitoring and reporting purposes it will be anonymised if possible.

10 The University may disclose student’s personal data and sensitive personal data/special category data to external agencies to which it has obligations; for example for council tax, electoral registration, and visa and immigration purposes, and to other arms of central or local government, to the Higher Education Funding Council for England, Higher Education Statistics Agency, Student Loans Company, Office of the Independent Adjudicator for Higher Education, Research Councils, and potentially other such organisations for defined purposes.  It may also disclose information to examining bodies, legal representatives, Police or security agencies, suppliers or service providers, survey and research organisations engaged by the University, and regulatory authorities.

If students have unpaid debts to the University at the end of their course the University may, at its discretion, pass this information to debt collecting agencies in order to pursue the debt.

11 The University also uses student’s personal data as follows:

a Provide contact details to the University of Leicester Students’ Union to enable it to offer appropriate services to students.  Please contact Information Assurance Services ( if you do not want your contact details shared with the Students’ Union.

b The University’s AccessAbility Centre may contact students declaring  a disability to confidentially discuss available support.

c  Provide progress reports to sponsors of students (except relatives).

d Provide references to education institutions and employers, usually with the consent of the student or graduate.

e Publication of the names of graduating students in the degree ceremony graduation programme.

f Disclose information about students and graduates for the purpose of promoting the University, and to their former schools for the purposes of schools liaison, but only with the consent of the student or graduate if they are personally identified.

g For the purposes of plagiarism detection, utilising the on-line Turnitin plagiarism detection service.

h Supply personal and financial details to providers of financial services engaged by the University, for example for the payment of fees, refunds, loans and similar services.

i Disclosing information to external parties for safeguarding and duty of care purposes, for example to medical practitioners and law enforcement agencies.

j  Produce degree certificates, transcripts and Higher Education Achievement Reports (HEAR) for students.

k Graduates of the University are still able to access Career Development Service support and resources, and may be contacted after graduation by the Service to offer ongoing support with career plans, including coaching and job opportunities.

l Subject to review on a case-by-case basis, providing contact details to third party companies and organisations formally engaged by the University to provide enhanced levels of service to support core activities.

12 The University requires all campus-based students to participate in its attendance monitoring system.  For some student groups it is a statutory requirement that the University monitors attendance (for example some international students and medical students) and there may be a requirement to report non-attendance to official bodies (e.g. UK Visas and Immigration).  It also aids the University in its duty of care and support provisions, as well as enabling the analysis of specific elements of service provision such as space management. 

13 On graduating, all students automatically become members of Alumni Association (the formal title for the University’s Graduates’ Association).   They receive the opportunity to remain in touch with fellow graduates and to be kept up to date on University news, events, products, services and opportunities to support the University.  If you do not wish to receive these communications you must notify the Alumni Relations Office – this can be done at any time after you graduate.

14  In some instances the University may transfer students’ personal data to third parties located in other countries, including some outside of the European Economic Area.  Any such transfers will be strictly in relation to the delivery of the University’s core services, including to partner institutions abroad.  IT services used by the University may involve the transfer or hosting of student personal data overseas.  Personal data may be shared with international agents that the University uses for the delivery of services to overseas students.  All instances of overseas transfers of personal data are subject to appropriate technical safeguards and contractual provisions incorporating appropriate assurances to ensure the security of the data and full compliance with legislative and regulatory requirements. 

15 Some sections of the University undertake processes involving applicant or student personal data that include elements of profiling or automated decision-making.  Examples are some parts of the Division of External Relations, including the Marketing Communications Office, Student Recruitment Office and Admissions Office, where these processes are employed to determine the nature of communications sent to individuals and to facilitate student recruitment and admissions procedures. 

16 A basic academic record for individual students will be kept permanently by the University, with more detailed records kept for defined retention periods.  Details of the retention periods attributed to different elements of student records can be found in section 2 of the University’s Records Retention Schedule:

17 If you have any queries about the use of student personal data outlined above then please contact Information Assurance Services ( , (0116) 2527945).


18 Individuals whose personal data and sensitive personal data/special category data is held by the University have the following rights regarding their data:

a The right to request access to their personal data held by the University.

b  The right to have inaccurate or incomplete personal data rectified.

c  The right to erasure of personal data – this will only apply where there is no legitimate reason for the University to continue to process the personal data.  There will usually be a requirement for the University to keep a basic student record indefinitely. 

d The right to restrict the processing of personal data – individuals have the right to block the processing of their personal data by the University in specific situations.

e The right to data portability – students have the right to request provision of some elements of their information (for example academic progress details) in digital form in order to provide it to other organisations.

f The right to object – students can object to the processing of their personal data by the University in certain circumstances, including the sending and receipt of direct marketing material.

g The right to object to automated decision making and profiling – individuals have the right to object to decisions taken by automatic means without human intervention in some circumstances.  

All requests to exercise any of these rights should be made to the University’s Data Protection Officer.

19 Where the processing of personal data or sensitive personal data/special category data is based on the consent of the student, they have the right to withdraw their consent at any time by contacting the department or service who obtained that consent or the University’s Data Protection Officer. 

20 If a student is unhappy with the University’s handling of their personal data, or believes that the requirements of the DPA or GDPR may not be fully complied with, they should contact the University’s Data Protection Officer in the first instance.  The University’s formal complaint procedure can be invoked if appropriate, and they also have the right to submit a complaint to the Information Commissioner’s Office; further details can be found at .


21 Your contact details may be passed to survey contractors to carry out the National Student Survey (NSS) and surveys of student finances on behalf of some of the organisations listed in the Higher Education Statistics Agency (HESA) statement at the link below.  These organisations and their contractors will use your details only for that purpose, and will then delete them.

22 Approximately six months after you graduate, the University may contact you to ask you to fill in the HESA ‘Destinations of Leavers from Higher Education’ survey.  You may also be contacted as part of an audit to check that we have undertaken this survey properly.  We will not give your contact details to HESA. 

23 You may also be included in longitudinal surveys of leavers in the years after you graduate. If so, we will pass your contact details to the organisation that has been contracted to carry out that survey. That organisation will use your details only for that purpose, and will then delete them. 

24 There is not requirement for you to take part in any of these surveys but participation assists the University, as well as government and regulatory bodies, in performing their statutory, official and public duties.  If you do not want to take part in any of these surveys please contact the University’s Data Protection Officer. 


25 It is a statutory requirement for the University to send some of the information we hold about you to HESA every year (“your HESA information”).  HESA is the official source of data about UK universities and higher education colleges  HESA collects, and is responsible for, the database in which your HESA information is stored.  HESA is a registered charity and operates on a not-for-profit basis.  HESA uses your HESA information itself for its own purposes.  HESA also shares your HESA information with third parties for specified and lawful purposes.  It may charge other organisations to whom it provides services and data.  HESA's use of your HESA information may include linking information from it to other data, as described in the HESA statement linked to below.  All uses of HESA information must comply with the Data Protection Act 1998 and the General Data Protection Regulation.

26 If you give us information about your disability status, ethnicity, sexual orientation, gender reassignment or religion these may be included in your HESA information and used to assist with monitoring equality of opportunity and eliminating unlawful discrimination in accordance with the Equality Act 2010.  Some other sensitive information is used to enable research into the provision of fair access to higher education, for example information as to whether you are a care leaver.  If you are enrolled at a higher education provider in England regulated by the Higher Education Funding Council for England (HEFCE) your HESA information will include details of any financial support you may receive.  Your sensitive personal data/special category data will not be used to make decisions about you.

27 To read the full HESA student data collection notice please visit:


28 Students should also be aware that, in certain circumstances, the University may monitor usage of its IT   systems and access user information on its systems and networks that is normally private. Any institutional monitoring or access will comply with UK legislation including the Regulation of Investigatory Powers Act 2000, Human Rights Act 1998, and the Data Protection Act 1998 and General Data Protection Regulation.  Where necessary any access or monitoring will be justifiable, fair and proportionate, and will be in line with the University’s Institutional IT Usage Monitoring and Access policy (ISP-I6), which can be found online at the following address: 


29 Student members of the University are permitted to process personal data only for use in connection with their academic studies or research.  They may do this only with the express prior permission of their supervising member of staff, and only in accordance with any guidance or Code of Practice issued by the University and in force at that time.  This applies whether or not those activities are carried out on equipment owned by the University and whether or not they are carried out on University premises.  This means that the personal data must be:  fairly and lawfully obtained and processed;  used only for specified and legitimate purposes;  accurate and up-to-date;  held securely;  kept to the minimum possible and anonymised or pseudonymised where possible;  not published, put online or taken outside of the European Economic Area without the consent of the individual concerned;  and be deleted or destroyed when it is no longer relevant to retain it.  The individuals about whom data are held are entitled to inspect the data unless it is held only for research purposes and will not be released in such a way as to identify the individuals concerned.

 30 Students needing to process personal data for academic or research purposes must make themselves aware of the general requirements of the Data Protection Act 1998 and the General Data Protection Regulation, and in particular must abide by the data protection principles set out in Schedules I, II and III of the DPA, and Articles 5, 6 and 9 of GDPR.  Students can do this by obtaining a copy of the University’s current guidance on data protection, and further relevant information from their supervising member of staff or Information Assurance Services.

 31 Students who fail to comply with any guidance or Code of Practice in force may be held personally liable for any resulting breaches of the Data Protection Act 1998 or General Data Protection Regulation.


Share this page: