Section navigation


The Data Protection Act 1998 (DPA) (the General Data Protection Regulation GDPR from May 2018) protects the rights of individuals by setting out certain rules as to what organisations can and cannot do with information about people. A key element to this is the principle to process individuals’ data lawfully and fairly. In order to meet the fairness part of this we need to provide information on how we process personal data.

The University takes its obligations under the Data Protection Act very seriously and will always ensure personal data is collected, handled, stored and shared in a secure manner. The University’s Data Protection Policy can be accessed here.

The following statement will outline what personal data we collect, how we use it and who we share it with. It will also provide guidance on your individual rights and how to make a complaint to the Information Commissioner’s Office, the regulator for data protection in the UK.

The University’s official contact details are:

Data Protection Officer
Middlesex University
The Burroughs

Tel: +44 (0)20 8411 5555

How and why does the University use personal data?

The largest volume of personal data the University processes is in relation to students, at both undergraduate and postgraduate level. The primary purposes we process information about these individuals include:

  • to enable us to administer student-related functions from original applications through to graduation and to provide alumni services;
  • to plan and account for the use of the services provided;
  • to produce information including statistics for relevant external agencies such as the Higher Education Statistical Agency (HESA) and the Higher Education Funding Council for England (HEFCE) which allocates funds to the University on the basis of student numbers;
  • to enable University staff to communicate with students;
  • to monitor academic progress over the period of enrolment towards completion of a qualification;
  • to carry out assessment, authorise award of qualifications and verification of awarded qualifications post-study;
  • to monitor, complaints, disciplinary cases and academic appeals;
  • to provide student support services, including financial, pastoral and IT/learning resources;
  • to comply with immigration compliance checks in relation to sponsored migrants;
  • to ensure all eligible students have access to University accommodation;
  • to monitor, develop and update University systems to ensure they continue to operate effectively and securely; and
  • to monitor equality and diversity objectives within the University.

The University also processes personal data in relation to staff, both academic and non-teaching. This is undertaken to facilitate recruitment activity and to administer the requirements the University must meet as an employer in line with UK law. In addition, it is used to facilitate operational activity within the relevant faculty / professional service.

Finally, the University processes personal data as part of research activity. This is done in line with the University's Code of Practice for Research, which includes meeting the requirements of current data protection legislation.

What personal data does the University collect?

The University collects personal data from students at various stages. The volume and nature of the personal data collected is outlined below:

  • Initial email/telephone enquiry:
    • name and address
    • contact details (telephone number, email address)
    • subject / area of interest
  • Details from application forms:
    • name and address
    • contact details (telephone number, email address)
    • age / date of birth
    • gender
    • nationality and country of residence
    • educational records to date
    • academic references (including personal statement and predictive grades)
    • disability declaration
    • criminal conviction declaration
  • Further data collected at enrolment or updated during a student’s time at the University:
    • Home address and next of kin
    • Term-time address
    • Entry and other qualifications
    • Demographic information
    • Funding, bursary and fee related information
    • Information needed to provide services in relation to disability, wellbeing or any other type of pastoral support
    • Course and stage details
    • Attendance, progress and current status
    • Assessment results
    • Photograph for identification badge
    • For students undertaking courses in nursing, social work and midwifery a DBS Clearance and a full occupational health check will be completed to allow a student to commence a placement
  • Data collected for statutory monitoring and reporting purposes:
    • Religious belief
    • Parental occupation and education
    • Sexual orientation
    • Ethnic origin
  • Data collected from international students on a Tier 4 (or similar) visa to meet UK Visa and Immigration requirements:
    • passport details
    • visa lifecycle details
    • data to evidence attendance on course of study

Additional personal data may be collected by the University where relevant in relation to placements, professional body requirements, extenuating circumstances applications, appeals/complaints/disciplinary cases and any further optional student services.

The University collects the following information from academic and non-teaching staff which is outlined below:

  • initial application:
    • name and address
    • national insurance number
    • contact details (telephone number, email address)
    • self-declaration of permission to work in the UK and upload of passport/visa copy if necessary
    • relevant qualifications or indication of highest qualification held
    • professional development / training and membership of any professional body
    • employment history
    • supporting statement
    • Referee details
    • Criminal record disclosure
    • Data captured for equal opportunities monitoring (gender, date of birth, nationality, marital status, sexual orientation, religious belief, ethnicity)
    • Declaration about any disability as defined under the Equality Act 2010
  • Once a candidate has been made an offer of employment:
    • Bank details
    • Emergency contact details
    • Qualification information required to be shared with HESA
    • Data captured for equal opportunities monitoring (as above)
    • Health information
    • Certain positions also require a DBS compliance check to be completed

Further personal data captured about an employee is likely to relate to any performance or appraisal process and any information needed to maintain a sickness/absence record.

Sharing of personal data

The University is required to share personal data with certain other organisations in order to meet statutory requirements or to provide services to students. Sharing will always be undertaken in line with the requirements of data protection law, either through the consent of the individual, or another relevant legal gateway. The personal data that is actually shared will always be limited precisely to what the other organisation needs to meet its requirements or deliver its services.

The information below outlines the key partners with whom the University shares personal data with on a periodic basis:

  • Middlesex University Students’ Union in order for the administration of the Union and its clubs/societies, administration of elections and student representation and communication to students to promote Union services and events. For further information please see the MDXSU privacy notice;
  • The University has two overseas campuses in Dubai and Mauritius which are both outside of the European Economic Area (EEA) and personal data will need to be shared with these campuses for student/staff administration and research activity;
  • Professional and Funding Bodies:
    • Validation of registrations and awards; and
    • Approval of funding applications.
  • National/Local Government Departments and other public bodies:
    • Higher Education Statistics Agency (HESA) to produce a variety of statistical reports about higher education that are required to be published in the public interest;
    • Skills Funding Agency in order to make them aware who are enrolled apprenticeships students are and subsequently the academic progress those students are making;
    • UK Immigration agencies to ensure compliance with the conditions attached to student/staff visas;
    • the Student Loans Company in connection with grants, fees, loans and bursaries;
    • the courts, the police and other organisations with a crime prevention or law enforcement function (subject to meeting the conditions of Section 29 of the DPA);
    • The NHS for the purpose of coordinating student placement activity for nursing and midwifery students; and
    • Local authorities for the purposes of assessing and collecting council tax.
  • Other individuals / organisations:
    • External examiners for examination, assessment and moderation purposes;
    • International recruitment consultants and agents (for relevant international students);
    • Housing providers for students;
    • The University’s insurers and legal advisers for the purpose of providing insurance cover or in the event of a claim;
    • The Office Of The Independent Adjudicator to review student complaints;
    • The University’s recognised Trade Unions, the University and College Union and Unison (for staff with an active membership only); and
    • Employers who request a reference from the University (for relevant staff and students).

How long does the University keep personal data?

The University takes its obligations under the DPA very seriously in terms of not holding onto personal data for any longer than is necessary. The University has a retention schedule in place for the different categories of data it holds.

In some cases, there are good reasons as to why the University needs to retain data about students and other individuals for a significant period of time. The most important reasons are outlined below:

  • in order that student awards can be verified in the long-term;
  • to produce transcripts and references;
  • for alumni services and ongoing relations with the University;
  • for careers and employability services;
  • to deal with complaints, appeals and disciplinary cases;
  • for statutory reporting purposes and in order to complete statutory surveys such as the Destination of Leavers from higher Education Surveys;
  • to produce references on request from previous employees; and
  • in order to meet pension obligations.

Your rights

An individual has the right to ask the University what personal data we hold about them, and to ask for a copy of that information. This is called making a Data Protection Subject Access Request.

A Subject Access Request should be submitted in writing via email to the Data Protection Officer or in hard copy to the postal address provided above. The University reserves the right to ask you to provide proof of identification and for you to clarify your request if it is unclear in the first instance. You will receive a reply no longer than 40 calendar days from the date you make the request in writing.

If you are unhappy with the initial response you can ask the University to undertake a further search if there is specific information you have good reason to believe exists but that hasn’t been provided.

You also have the right to complain to the UK Regulator the Information Commissioner’s Office (ICO’s) if you believe you request has not been dealt with properly or you have a complaint to raise against the University for any other data protection related issue. A complaint can be raised via the ICO’s website or write to the following address:

The Office of the Information Commissioner
Wycliffe House
Water Lane

You also have the right to withdraw consent from the processing of your personal data by the University at any time, if your consent was sought initially to use your personal data.

Right to rectify

If you believe the University holds information about you that is factually incorrect please email Academic Registry if you are a student or Human Resources if you are a member of staff providing the correct information, and the University should update it within one month.

From May 2018 you will also have a number of new individual rights under the GDPR. The means to exercise these new rights with the University will be published early 2018 in the run-up to the rights coming into effect.

Your responsibilities

All students, staff and any other relevant individual who handles personal information of which the University is responsible for must following the requirements of the Data Protection Policy.

In this section

Back to top

We use Cookies

View our Privacy and Cookie policy