The General Data Protection Regulation (GDPR) is a new legal framework for data protection applying to all member states since 25 May 2018. GDPR replaces the Data Protection Act 1998 and brings some new requirements on organisations that obtain, hold, use or store personal data.
Prospective students, employees and other stakeholders have to trust that their personal details will be safe at the university. We, at Robert Gordon University, are expected to safeguard personal information of both staff and students properly and not to abuse it. For this reason we have developed a robust Information Governance Policy (PDF 218KB) that would meet these needs.
- All About GDPR (PDF 120KB)
- Key Points of GDPR (PDF 83KB)
- GDPR Briefing (PPT 332KB)
- Target Operating Model (PDF 36KB)
- Risk and Control Matrix (PDF 113KB)
- Subject Access Requests - Staff Guidance (PDF 85KB)
The university's registration number with the Information Commissioner's Office is Z5607918.
The University has a series of privacy notices to ensure transparency and explain to individuals how their personal data will be used.
- Student Privacy Notice (PDF 275KB)
- Employee Privacy Notice (PDF 81KB)
- RGU SPORT Privacy Statement (PDF 181KB)
- Accomodation Privacy Statement (PDF 230KB)
- Staff Recruitment Privacy Notice (PDF 115KB)
- Student Recruitment Privacy Notice (PDF 125KB)
Accessing your personal data
Under the GDPR, individuals (i.e. data subjects) have a right to know what data is held about them at RGU and a right to access their personal data. Data subjects must submit a request to access this information. Please note the university may request evidence of your identity (a copy of passport and/or driver’s license). The university provides a Subject Access Request Form (PDF 280KB) in order to assist in making a request, however you may also submit a request in a letter, email or verbally. Please see our Accessing Your Personal Data - Guidance Note (PDF 310KB) for further information on how to make a request.
Once the request has been validated and verified the university will respond within one month. Please note that you can only request your own personal data under a subject access request, unless you are proven to be authorised to act on behalf of the data subject.
Data Protection by design
Under GDPR the university in required to demonstrate that data protection has been considered in our activities. The university has a data protection impact assessment (DPIA) in order to ensure that new projects or systems are designed with data protection compliance built in from the start and that any privacy risks are managed.
A personal data breach may be defined as a breach of security that has affected the confidentiality, integrity or availability of personal data.
CCTV and Data Protection
Organisations, whose premises have CCTV (close circuit television) systems in operation, must inform the UK Information Commissioner that they are gathering personal information about the people they are recording. They must also put up signs to warn the public that this recording is taking place. The Robert Gordon University is registered with the Information Commissioner for the use of CCTV.
Contact Details and Further Information
If you are dissatisfied with the way in which your personal data has been handled please contact the University Data Protection Officer in the first instance. If you are dissatisfied with the response from the University you have the right to lodge a complaint with the Information Commissioner’s Office
Data Protection Officer
Robert Gordon University
Tel. +44 (0)1224 262076