Skip to main content

Information Governance

Information Governance

GDPR and Data Protection Act FAQs

In the UK, an individual’s personal data is protected by law under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. The GDPR framework offers greater protection for the personal data of individuals and tougher punishments for non-compliance than previous data protection regulation.

The University is currently working to ensure all Schools and departments understand their responsibilities under GDPR. Please remember that GDPR builds upon the existing data protection measures that staff and information processes and systems should already be compliant with.

For more information please see our GDPR FAQs and the privacy pages.

The General Data Protection Regulation (GDPR) is a new, Europe-wide law that replaces the Data Protection Act 1998 in the UK. It is part of the wider package of reform to the data protection landscape that includes the Data Protection Bill. The GDPR sets out requirements for how organisations will need to handle personal data from 25 May 2018. The change provides organisations with an opportunity to review how they handle personal data, encouraging transparency in processes.

The University has formed a task group chaired by Andrew Hartley, Director of Legal and Information Governance and the University of Salford Data Protection Officer. The task group will oversee the way in which GDPR requirements are implemented.  Work completed to date includes:

  • An initial information audit
  • privacy notices,
  • records retention,
  • managing data subjects rights,
  • providing advice,
  • training and awareness
  • incident reporting
  • communications – to both staff & students
  • Data Protection Impact Assessments

Your task group representative will be able to help you with any initial questions. Please speak to them in the first instance.

We are all responsible for the safe use of personal data. It is your responsibility to check that your work is in line with guidance issued by the ICO, the Legal and Information Governance team and local procedures. There is an e-learning toolkit available to staff. If, once you’ve completed this training, you think you need additional training, please email There is work underway within most areas of the University. Check with your GDPR Task Group representative to see what is going on in your area.

The GDPR applies to ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

We will still keep this regulation once the UK leaves the EU for two reasons:

  • this Regulation comes into effect before we leave the EU so we need to implement it for the time we are in the EU, and
  • when the UK is no longer part of the EU it will be necessary for the UK to prove that our standards for processing personal data are at least as good as those throughout the EU, for the remaining countries to be able to transfer data to the UK. One way of proving the UK data processing standards is to retain the basis of the EU Regulation on which all other Member States are using to regulate data processing.

The main changes in the GDPR are:

  • that the legislation is now technology neutral, so it applies to personal data held in any format whether paper or electronic, held in files, on laptops, phones, cameras, video tapes, audio recordings, emails, cloud storage, etc
  • the definition of Personal Data has changed to include location data and online identifiers
  • the definition of Sensitive Personal Data has been extended to include genetic and biometric data but only for the purpose of uniquely identifying a living individual
  • the term Sensitive Personal Data itself changes to Sensitive Category Data (SCD)
  • that data subject rights are extended and improved
  • the requirement to know and state – in fair processing notices – the lawful basis for all types of processing of personal and sensitive personal data, and for this to be made clear at all times
  • the introduction of compulsory data breach notification
  • increased fines for data, and notification, breaches
  • the requirement for transparency and accountability
  • increased responsibility of data processors for data processing.

Information about retention can be found here.

  • The Information Commissioner’s Office is the UK watchdog and regulatory body that governs data protection law. Their website has a lot of useful information and guidance.
  • Mandatory e-learning is available to all staff
  • The Information Governance Web Pages will be updated regularly with more information.
  • Speak to your GDPR Task Group representative

The good news is that most of the data processed by the university falls within our public task, or form part of our obligations under contract with the student. Consent needs to be managed carefully. The GDPR requires consent to be ‘specific, explicit, informed and freely given’. In order for the consent to be ‘specific’, the request for consent must be distinguishable from any other parts of a form. 

Similarly, for the consent to be ‘explicit’ the individual must sign/agree to the request to provide the information separately from any other part of the form. For example, where a student agrees to be part of a research project, they agree/sign once to agree to be part of the research and then sign/agree a second time to the actual data processing that is involved. This consent must be retained for as long as the data to which it refers is held.

Having, and making available a fair processing notice (see FAQ 7) means that when a person consents to their data being processed, their consent is informed by the information provided in the fair processing notice.

The final element of consent, that it is ‘freely given’, may be the hardest to achieve. If there is any element of the processing of the personal data that cannot be started, or continue without the individual’s consent to it, then the consent cannot be freely given and it will be necessary to find another legal basis for the data processing.

Under the GDPR data breach notification is now compulsory whereas it was voluntary under the DPA 1998. The ICO will issue guidelines for when it is necessary to report a breach (similar to those in existence under the DPA, but the GDPR requires that the data controller shall report a data breach without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

This depends. If consent has been used as the legal basis for processing, then an individual has the right to withdraw consent at any time, and the information must be deleted. However, for other legal bases of processing, the right to erasure is not an absolute right and a test needs to be applied to see if the information should be retained. In each case or request, a log should be kept of the request, the decision, and any documents to support the justification for the decision.

We should certainly think about how much data we record and whether we need all of it to complete our activities, but if it is necessary and we have adhered to all the GDPR recommendations you should not stop recording it or remove it from documents or systems

You should speak to your Task Group representative in the first instance or email if they cannot answer your question.

There are many things you can do to look after data effectively, listed below are some best practice approaches which we will update regularly.


Always carry in hand luggage when travelling & use a privacy screen when in a public place

Computers at Work:

Lock your screen whenever you are away from your desk


These should be a mixture of upper & lower case, numbers and symbols. If you use a PIN make it longer than the standard 4 digits. And never use a password that you use elsewhere

File Transfers

When sending to third parties you should encrypt the file and use secure data transfer systems

If you have to send data to another person within your organisation you don’t have to encrypt but you should password protect and then send the password in a separate email

Mobile Phones

These should be carried with you at all times and PIN/Facial recognition protected


Operate a clear desk policy – not only will it make you more organised it will ensure that all paper files are secured at all times


We should digitalise files wherever possible; making it easier to store and search, but if you have to keep a hard-copy this should be under lock and key.

GDPRGeneral Data Protection Regulation
DPIAData Protection Impact Assessment
SARSubject Access Request

Freedom of Information

The Freedom of Information Act 2000 came into force in 2005 and its purpose is to promote transparency and accountability by allowing individuals the right to access “recorded” information held by public organisations.

In accordance with the Act the University has made available a Publication Scheme. This document details the types of information the University routinely publishes and how to access it.

A considerable amount of information can also be found on the University webpages. Please consult the University webpages and the University Publication Scheme for information you require.

If you are unable to locate the information you require, you may submit a formal request for information. Please submit your request in writing to, stating your name, address and information you require.

Alternatively if you wish to submit your request by post, please send to:

Information Governance Officer
Legal and Governance Directorate
Maxwell 6th floor
University of Salford
M5 4WT

What is Information Security?

Access to information and IT systems is essential for the University to function competitively in the higher education environment. Information Security is the corporate framework of culture, policies, organisational structure and operating environments used to ensure confidentiality, integrity and availability of our information.

The Senior Information Security Officer based with Legal & Governance Directorate works together with all University departments and Schools to develop policy, advice and guidance on information security issues – whether new information systems, projects to share information with external partners or major revisions to existing information systems and procedures that hold personal information i.e. confidential information.

This can be achieved by implementing controls in:

Physical security

Responsibility of Estates with each resident School and department

Personnel and training security

Responsibility of Human Resources

Policy/procedural security

Responsibility of Senior Information Security Officer and Business Owners

Technical security

Responsibility of Digital IT and System Owners (outside DIT)

All these measures must be implemented in tandem rather than being a one-off, as you can see in the diagram below.

Information Security Onion

How to report a data breach or security incident

The University needs to know about incidents involving:

  • unauthorised access to or disclosure of personal data or Confidential University information
  • lost or stolen laptop, smart phone, memory stick or other IT equipment containing University information

The Information Governance Team are part of a co-ordinated team across Legal & Governance and Digital IT called the IT Security Emergency Response Team (ITSERT) who respond to and manage investigations into data breaches and security incidents.

Please report any data breaches or security incidents to the Digital IT Service Desk on 0161 295 2444. The Service Desk will refer the case to the relevant teams.

You should always report your concerns because misuse could damage the University network, be illegal or have a negative impact on the University's reputation. All of these can have a negative effect on your studies or job with the University. By reporting your concerns, you are providing the best opportunity to prevent any recurrence and to limit damage to the University and its data subjects as quickly as possible.

Under the forthcoming General Data Protection Regulation there will be a strict time limit for the University to notify the Information Commissioner about serious personal data breaches – we can only meet the time frame, if you tell us about the incident or breach immediately!

Records management

Records management is the process by which the University manages all the elements of records whether externally or internally generated and in any format or media type, from their inception/receipt, all the way through to their disposal. Good records management:

  • ensures that you can find the information you need at the time you need it;
  • provides evidence of your work;
  • supports decision-making;
  • ensures that you are complying with legislation such as the Data Protection Act 1998 and the Freedom of Information Act 2000.

Benefits of effective records management practice

  • Saves time - It is currently estimated that 20 - 60% of staff time is spent looking for information. Good records management will enable information to be retrieved quickly and reliably, thus reducing this time considerably.
  • Saves space - Destroying information that is no longer required liberates space in the University which can be used as teaching space or office space.
  • Reduces administration costs, both in staff time and storage.
  • Removes doubts over authenticity of documents and reduces risk of legal liability to the University.
  • Enables timely responses and cost efficiency to information requests made to the University.
  • Removes duplicates.
  • Ensures that documents important to the University's history are retained permanently.

How can I implement records management?

All staff can help implement good records management by:

  • ensuring you create and maintain a full and accurate record of your activities;
  • following agreed filing procedures in your office;
  • listing your files as they are created and keeping the list up to date;
  • regularly reviewing and disposing of your files according to the records retention schedule;
  • keeping files neat and tidy and not letting filing backlogs build-up;
  • ensuring files are not open for over three years and opening new files when existing ones become too large to use;
  • being aware that the public may request to see virtually all of your records under the Freedom of Information Act 2000, the Environmental Information Regulations and the General Data Protection Regulations.

Additional guidance is available from the Information Governance Team.