Data Protection

General Data Protection Regulation and Data Protection Act 2018

The General Data Protection Regulation (GDPR) came into force on 25 May 2018. The legislation governs data protection requirements for any organisation or entity managing personal data across the European Union.

The UK Data Protection Act 2018 (DPA) is the implementation of the EU’s GDPR legislation coding its requirements into UK Law.

Both the DPA and GDPR control how personal data is used.  Everyone responsible for using personal data needs to follow strict rules when processing personal data, some of the rules are that personal data should only be processed if it is:

  • used fairly, lawfully and transparently
  • used for specified, explicit purposes
  • used in a way that is adequate, relevant and limited to only what is necessary
  • accurate and, where necessary, kept up to date
  • kept for no longer than is necessary
  • handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage

There are stronger protections for sensitive or special category data such as:

  • race
  • ethnic background
  • political opinions
  • religious beliefs
  • trade union membership
  • genetics
  • biometrics (where used for identification)
  • health
  • sex life or orientation

Personal data is any data that can identify a living individual, for example a name, email address, national insurance number, data of birth etc. there are stricter controls on how organisations approach data privacy, and give data subjects more rights in regard to their data.

In line with GDPR and DPA, we need to register all our activities which require the collection, storage, processing, retrieval and disposal of personal data with the Information Commissioner Office and undertake them in accordance with the provisions of the legislation.

A full copy of our registration document can be viewed on the Information Commissioner’s web-site at:

To ensure the University stays compliant with GDPR and DPA please familiarise yourself with our Data Protection [PDF] and IT Data Security [PDF] policies.

Requests for access to personal data (Subject Access Requests)

Personal data is information about natural persons who can be identified or who are identifiable, directly from the information in question; or who can be indirectly identified from that information in combination with other information. All individuals about whom the University holds or processes personal data have the right to view the data.

Requests to view such data must be made in writing by the individual concerned to the University's Data Protection Officer, stating the nature of the individual's relationship with the institution (such as 'student', 'staff member' etc.), and providing a form of identification.


Legal Office (Governance & Planning)
University of Bedfordshire
University Square

We will normally respond to the request within 30 days of receipt of the request, provided sufficient information has been provided to identify the individual and locate the information sought. The information provided will be subject to the provisions and safeguards to third parties in the GDPR and DPA 2018.


University switchboard
During office hours
(Monday-Friday 08:30-17:00)
+44 (0)1234 400 400

Outside office hours
(Campus Watch)
+44 (0)1582 74 39 89



International office

Student support