We use cookies to ensure that we give you the best experience on our website. You can change your cookie settings at any time. Otherwise, we'll assume you're OK to continue.

Information Governance

Data Protection

Durham University processes information about individuals with whom we have dealings, for our own administrative purposes and to comply with our legal obligations. This includes personal data concerning current, prospective and former employees, students, suppliers, research partners and others in order to carry out our function as a university. We detail our processing within our Data Protection Policy. Durham University is committed to protecting the rights and privacy of individuals in accordance with appropriate UK and European legislation. This includes:

General Data Protection Regulation (GDPR)

On 25 May 2018 the EU General Data Protection Regulation (GDPR) came into force. For further information please see the ICO's Data Protection Reform webpages.

Data Protection Act 2018

The GDPR provides some opportunity for national governments within the EU Member States to make certain provisions for how they apply the GDPR. The Data Protection Act 2018 formally repealed the Data Protection Act 1998 and addresses these Member State options of the GDPR. The Data Protection Act 2018 will need to be applied alongside the GDPR. For more information refer to the ICO page on the Data Protection Act 2018.

Privacy and Electronic Communications Regulations (PECR)

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) sit alongside data protection legislation. All processing of personal data is governed by data protection legislation but when this processing involves electronic communications, some additional rules apply in the form of the PECR. Additional Guidance for Employees regarding PECR is available.

Individual Rights Regarding Personal Data

Individuals have a number of rights granted under data protection legislation, as follows:


Individuals have the right to be made aware of how their personal data is being used. This should be documented and communicated in a Privacy Notice available at the point of data collection.
Access Individuals have the right to access their personal data so that they are aware of and can verify the lawfulness of the data processing, as well as correcting any inaccuracies in that data. There are some circumstances under which the University will consider a request for access to personal data on behalf of another individual, or a request for access to personal data of another individual without their consent. For more information please refer to the Subject Access Request page.
Rectification Individuals have the right to have personal data rectified where it is inaccurate or incomplete.
Erasure Individuals have the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing. This is often called the 'right to be forgotten'. This right is not absolute and only applies in specific circumstances.
Restriction Individuals have the right to ask us to temporarily stop processing their personal data in certain circumstances whilst such processing is reviewed.
Data Portability

Individuals have the right to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. Note that this only applies:

  • To personal data an individual has provided to a controller,
  • Where the processing is based on the individual’s consent or for the performance of a contract, and
  • When processing is carried out by automated means.

Individuals have the right to object to:

  • Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling)
  • Direct marketing (including profiling)
  • Processing for purposes of scientific/historical research and statistics.
Automated decisions / Profiling Individuals have the right not to be subject to a decision made solely by automated means and to profiling (automated processing of personal data to evaluate certain things about an individual).

In order to exercise those rights, the individual should refer to their relevant Privacy Notice that will provide more detail on how to enact those rights. Direct communications may provide additional details and opportunities, e.g. unsubscribe features within emails support the right to object.

Data Protection Officer

The Data Protection Officer is responsible for advising the University on compliance with Data Protection legislation and monitoring its performance against it. If you have any concerns regarding the way in which the University is processing your personal data, please contact the Data Protection Officer:

Jennifer Sewel
University Secretary
Telephone: (0191 33) 46144