
What can I do with personal data?

If you can't find what you are looking for in the FAQs below, please contact us.

What do I need to tell people about using their personal data?
Can I share personal data with people outside the University?
Can I share personal data with people within the University?
Can I use images of people?
How long can I keep personal data?
Do I need consent to process personal data?
How do I keep personal data safe?
Who is responsible for personal data?
Who do I ask for help?

What do I need to tell people about using their personal data?

The law requires that we tell individuals where we get their personal data from, what we do with it, what our justification is for processing it (lawful basis), who we share it with, how we keep it safe, and when we will delete it.

All of this information is typically relayed in a document called a ‘privacy notice’.

The University processes the personal data of many individuals and this is set out in a number of privacy notices, including a Student Privacy Notice, a Staff Privacy Notice, an Alumni Privacy Notice and a separate notice for students in the Lifelong Learning Centre. The University also has a Code of Practice for Learning Analytics that details how we process student data to support the progression and success of our students and improve our services.

If you want to do something with personal data that is additional to our normal processing (for example if you are organising an event, or conducting research) you will need to create your own privacy notice.  Privacy notices must be specific to the processing that you are undertaking and should be accessible to the audience, so please consider the wording if writing a notice for children, for example.  See Writing a privacy notice for further guidance.

Can I share personal data with people within the University?

In order to function as an organisation we need to be able to share personal data with other staff within the University.   We all have an individual responsibility to ensure that we are sharing personal data with only the people who need to see it; that we are only sharing the minimal amount of personal data required to achieve the task; and that we are clear in our expectations about how that data will be used, stored and deleted.

Some particularly sensitive data may need to be sent in an encrypted or password protected format.

We can also take simple precautions such as double-checking the recipient when sending emails, making sure that we have removed extra worksheets from Excel spreadsheets and checked for hidden areas, and redacting any personal data that does not need to be shared.  You might want to create local processes which govern how particular types of data should be sent to colleagues.

There is more information in the University's Information Protection Policy, and some straightforward guidance in the Top Tips sheet. If you are doing research with NHS patient data you will need to comply with the NHS Data Security and Protection Toolkit (DSPT) and you will need to store personal data on LASER. Contact Mark Conmy (M.P.Conmy@leeds.ac.uk) or LIDA (dat@leeds.ac.uk) for details.

Can I share personal data with people outside the University?

As long as we have a clear requirement to do this, and the data subjects know we are sharing their data, the law allows it.

We must ensure that the recipient of the data understands our expectations about how it can be used, and this understanding needs to be documented.   The University has created some templates to help you achieve this:

  • Data Processing Agreement

If the recipient of the data is acting on our instruction they become a Data Processor and need to sign one of our Data Processor Agreements (DPA):

The Data Processing Agreement is a basic DPA which does not specify any technical controls. This is intended for Data Processors which are not hosting our data on websites, or providing access to our data through websites.

There is also a Data Processing Agreement International for data processing that takes place outside the UK, EU/EEA or countries that have not received an adequacy decision.

The 'Technical Controls' template specifies the technical controls that we need to be satisfied are in place for Data Processors which are hosting our data on websites, or providing access to our data through websites.

  • Data Sharing Agreement

If the recipient of our data has the authority to use it as they like then they become a Data Controller and need to sign a Data Sharing Agreement. There is also an international agreement, the Data Sharing Agreement International, if you are going to share data outside the UK, EU, EEA or countries that have not received an adequacy decision.

Can I use images of people?

Images and footage of individuals are classified as personal data, but the University recognises a difference in the capturing of a picture of a group of people at an event, and the capturing of an individual as part of a case study.  Please refer to the Use of Images Policy which provides more advice on how and when you can capture general footage.

If you want to retain an image of an identifiable individual on the University's database please also see the guidance on the Communications website.

If you are planning to photograph children then you need to think about additional risks that arise from doing so, including any publishing of images.  You will need to seek permission from young people and their parent or carer, depending on age.  Please contact the Information Governance team for guidance.

How long can I keep personal data?

The University has published a records retention schedule which governs how long certain data types can be kept.  If you are creating your own privacy notice then you will need to specify the retention period for the data, but always refer to the University schedule first.

I’m doing a new activity that will involve collecting personal data; what do I need to do?

Where you are undertaking a new, or unusual, type of processing of personal data you should conduct a Data Privacy Impact Assessment (DPIA). This document supports you to identify the risks associated with your processing and how you can reduce them, to make sure you are safeguarding data appropriately.

The University has created a template form for this and there is more information available on the ICO's website.

Do I need consent to process personal data?

The majority of the processing undertaken by the University does not require the consent of the individual. The University has a Staff Privacy Notice and a Student Privacy Notice which cover most of the processing that we can do without securing additional consent from the individual.

There are some rare instances where consent is required, for example when requesting consent for direct marketing, or processing special categories of data. We have produced a Consent Reference Guide which helps you determine when consent is required.

How do I keep personal data safe?

Personal data which is kept on the University’s servers is, to an extent, kept safe by the infrastructure that surrounds it.  There is more information available on the Managing Electronic Data page of this website, and some general guidance available in the University’s Top Tips sheet.

If you intend to use new software that will process personal data then you must ensure that this meets legal and regulatory requirements and complete a Data Protection Impact Assessment (DPIA) to identify and mitigate any risks.  You will need to submit details via the Contract Information for Software Compliance process.

Who is responsible for personal data?

The University is the registered Data Controller and, as such, is accountable to the ICO.

Every individual who processes personal data has a responsibility to keep it safe.

Heads of School/Service have responsibility for ensuring that UK GDPR principles are applied and upheld in their area.

Who do I ask for help?

There are a number of Data Champions embedded across the University who may be able to provide you with guidance; otherwise please contact the Information Governance team in Secretariat.