The University for Creative Arts must manage your personal information in line with the UK Data Protection Act 18 and the UK General Data Protection Regulation (GDPR).

The Information Commissioner’s Office regulates our compliance with these laws. It is important that we have a clear legal basis for processing personal information, and we have documented reasons for doing so. This ensures transparency and accountability in handling your data. All staff are trained to ensure that privacy rights are respected and that personal data is treated with care and consideration.

We regularly review our data protection procedures which helps us monitor compliance and maintain a high standard.

Privacy Notices


Data Protection law regulates the use of personal data, which applies to both public and private sectors. It helps to protect individual rights to privacy and covers information held by means of electronic and paper records. It doesn’t apply to anonymised data or to information about the deceased.

Under this legislation, the University for the Creatives Arts is the ‘data controller’ and we aim to be open with individuals about how their personal data will be processed:

Marketing Privacy Notices Accommodation Privacy Notices Alumni Privacy Notice Applicant Privacy Notice Student Privacy Notice Staff Privacy Notice

Personal Data
Principles

The University for Creative Arts must manage your personal information in line with the UK Data Protection Act 18 and the UK General Data Protection Regulation (GDPR).

There are six principles we must uphold when handling your personal data:

  1. It is processed fairly, lawfully and transparently
  2. The data is only processed for legitimate purposes
  3. Our information is relevant and limited to what we need
  4. We must ensure we hold accurate information
  5. Data is not held for longer than necessary
  6. Information must be processed securely

Accessing your
Personal Data

You have the right to apply for a copy of your own records; this applies to both staff and students.

To enhance your experience and help us understand the specific information being sought, please complete the Subject Access Request (SAR) Form provided, which include prompts and guidance to ensure that all relevant details are captured consistently. This reduces the likelihood of misunderstandings or misinterpretations, which can lead to delays or incomplete responses. Once the standardised form is completed, this can be returned either: 

  • By email to: DPO@uca.ac.uk
  • Or by post to:
    Data Protection Officer
    Information Governance Team
    University For The Creative Arts
    Falkner Road
    Farnham
    Surrey
    GU9 7DS

The University for Creative Arts aims to provide the requested information within one calendar month from the date of receipt of the completed form.

Reducing your
Digital Footprint

Similar to accessing your data, you equally have a right to remove your personal information from our databases, where it does not need to be kept for legal or compliance reasons.  This known as ‘Erasure’ or ‘the right to be forgotten’.

If you would like to delete your data, in line with legislation, please complete the Erasure Request Form provided. It is necessary to receive the fields specified for us to locate any relevant records and to assure ourselves that a complete search has been achieved. Once the standardised form is completed, this can be returned either:

  • By email to: DPO@uca.ac.uk
  • Or by post to:
    Data Protection Officer
    Information Governance Team
    University For The Creative Arts
    Falkner Road
    Farnham
    Surrey
    GU9 7DS

The University for Creative Arts aims to provide the requested information within one calendar month from the date of receipt of the completed form.

Personal Data
Breaches

A personal data breach is an incident leading to the accidental or unlawful loss, alteration, unauthorised disclosure of, or access to, personal data. A breach of personal data must be reported immediately.

Reporting breaches is essential for protecting the affected individuals, but it is also a chance for the organisation to improve their compliance; this instils accountability and helps to build trust. Some typical examples of a personal data breach include:

  • Sending an email to the wrong recipient or attaching an incorrect document.
  • Losing an unsecured laptop or other mobile device containing personal data.
  • Being a victim of Malware, which has corrupted personal data

If the breach is likely to result in a substantial risk to privacy and/or safety, this must be reported to the Information Commissioner’s Office within 72 hours. This is why it is important that the Data Protection Officer is notified of any potential personal data breaches straight away so that they can perform a risk assessment. Staff are trained to identify and report such instances should they arise.

If you think a mistake has been made that might have compromised personal data, please contact the Data Protection Officer via email: DPO@uca.ac.uk and they will support you.

Data Protection Policies


Data Protection Policy Consent Policy Data Retention Policy Data Subject Access Request Guidance Data Processing Agreement CCTV Policy

Records of Processing Activity


Records of Processing Activity Statement

Related links


Information Commissioner’s Office UK Data Protection Act 18 UK General Data Protection Regulation (GDPR)