Data protection

The General Data Protection Regulation (GDPR) is a new data protection law which comes into force on the 25th May 2018. The School will be updating this page and its data protection policy during the coming months to outline our compliance with this legislation.

This guide gives you an introduction to Data Protection and information on how to make a request for personal information relating to yourself or for someone that you are acting on behalf of.

Refer to our Data Protection policy (pdf).

What is Data Protection?

The Data Protection Act 1998 came into force on 1 March 2000 and superseded the Data Protection Act 1984. It aims to protect individual's fundamental rights and freedoms, notably privacy rights, in respect of personal data processing.

The Act applies to paper and electronic records held in structured filing systems containing personal data, meaning data which relates to living individuals who can be identified from the data. This includes any expression of opinion about an individual and intentions towards an individual. It also applies to personal data held visually in photographs or video clips (including CCTV) or as sound recordings. The School collects a large amount of personal data every year including: staff records, names and addresses of those requesting prospectuses, examination marks, references, fee collection as well as the many different types of research data used by the School.

Data protection operates by giving individuals the right to gain access to their personal data. This is done by making a subject access request in which they are entitled to:

  • a description of their personal data
  • the purposes for which they are being processed
  • details of whom they are or may be disclosed to

Individuals can also prevent processing of their data in certain circumstances, opt-out of having their data used for direct marketing and in automated decision making processes, apply to the courts for inaccurate data to be corrected and claim compensation for damage and distress caused as a result of any data protection breach.

All organisations have to notify the Information Commissioner of the processing of personal data; this is included in a public register. The public register of data controllers is available on the Information Commissioner's website, from here you can search for the School's or any other organisation's notification.

What data is involved?

Personal data means information which relates to a living individual who can be identified from that data or from data and other information which is in the possession of the data controller. It includes opinions about individuals.

Personal data is information on:

  • Name
  • Address
  • Telephone number

Sensitive personal data is information on:

  • Racial or ethnic origin
  • Political opinions
  • Religious beliefs
  • Trade Union membership
  • Physical or mental health
  • Sexual life
  • Criminal convictions

The processing requirements for sensitive personal data are more stringent than for personal data.


  • Personal data are data relating to a living individual who can be identified from that information or from that data and other information in the possession of the data controller or which are likely to come into his or her possession.
  • Data subject is a living individual who is subject of personal data.
  • Data subject access is the right of an individual to access personal data relating to im or her which is held by a data controller.
  • Data controller is a person who makes decisions with regard to particular personal data, including decisions about the purposes for which the personal data are processed and the way in which the personal data are processed.
  • Data processor is a person who processes the data on behalf of the data controller.
  • Processing of personal data means anything at all done to the data including collection, holding, organising, consulting, disclosure, and destruction.

Data Protection Principles

Data Protection principles state that personal data shall be:

  1. Obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met.
  2. Obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with those purposes.
  3. Adequate, relevant and not excessive in relation to the purposes for which they are held.
  4. Accurate and where necessary, kept up to date.
  5. Held no longer than is necessary for the purposes for which they were obtained.
  6. Processed in accordance with the rights of the data subjects, including the general rights to access information held about them and, where appropriate, to correct and erase it.
  7. Kept securely and safely with appropriate measures to prevent unauthorised or unlawful processing of the data and against accidental loss, destruction or damage.
  8. Only transferred to a country outside the European Economic Area if that country has an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. 

How do I access my personal data held by the School?

To make a subject access request you will need to complete a subject access request form. This form is available to download as a Subject access request form (PDF 0.01 MB)  document, or you can request a form from the Archivist & Records Manager at or by writing to the School address.