Student and Registry Services


About the GDPR

Find out more about the General Data Protection Regulation (GDPR), including the principles of data protection, individual rights and legal basis. This information is intended for use by SRS staff.

What is the GDPR?

Principles of GDPR

There are seven principles that lie at the heart of the General Data Protection Regulation.

1. Lawfulness, fairness and transparency

UCL must be open and honest about how personal data will be processed, and must not use data in a way that would have a negative impact on the data subject. Before processing personal data, a lawful basis must be identified. For data protection purposes, UCL is classed as a public authority and any processing relating to our core purpose is lawful under ‘public task’. When processing special category data, a further condition for processing must be identified.

2. Purpose limitation

At the point that personal data is collected, it must be clear how the data will be processed. Data that has been collected for one purpose cannot be used for an unrelated purpose.

3. Data minimisation

The personal data that is collected must be relevant to, and adequate for, the purpose for which it was collected. Collecting extra data ‘just in case’ is not permitted.

4. Accuracy

Effort should be made to ensure that personal data is accurate. It must be possible for data subjects to correct data that is inaccurate.

5. Storage limitation

Personal data should not be kept for longer than it is needed. The UCL retention schedule outlines how long data should be kept.

6. Integrity and confidentiality (security)

Reasonable effort must be made to ensure the security of personal data. In particular, processing should not compromise the confidentiality, integrity or availability of the data. Put simply, data should not be inappropriately shared, changed or lost.

7. Accountability

The accountability principle requires everyone to take responsibility for handling personal data correctly and complying with the principles of the GDPR.

Individual Rights

The GDPR outlines eight rights for individuals.

1. The right to be informed

This is related to the first GDPR principle: lawfulness, fairness and transparency. Individuals have the right to know how their data will be processed. Remember that processing covers everything done with the data, from collecting it through to deleting it. UCL has a number of privacy notices that outline how data is used.

2. The right of access

Data subjects have the right to access their personal information. This is more commonly known as a subject access request (SAR).

3. The right to rectification

Individuals have the right to correct any inaccurate information. Most applicants and students can do this via the student portal.

4. The right to erasure

This is also known as ‘the right to be forgotten’. This right is not absolute and in many cases it will not apply. For example, UCL must retain a ‘core student record’ for every person who has studied here.

5. The right to restrict processing

Individuals can request the restriction or suppression of their personal data. Again, this is not an absolute right and only applies in certain circumstances.

6. The right to data portability

Individuals have the right to transfer their personal data between services, for example, if an individual wishes to move to a different utilities supplier. It is unlikely that this right would apply to UCL.

7. The right to object

In some circumstances, individuals have the right to object to the processing of their personal data. This right applies to direct marketing and may apply in other circumstances.

8. Rights in relation to automated decision making and profiling

Individuals have the right to object to automated processing and to ask that a human be involved in any decisions made about them.

Legal Basis

In order to process personal data, a valid legal basis must be identified. For the majority of data processing that takes place within SRS, the legal basis will be ‘public task’; however, there are times when another basis will need to be identified. The six lawful bases set out in the GDPR are:

  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interests