The Data Protection Act is intended to protect people from unwanted or harmful uses of their personal data so that their personal privacy is protected.  It regulates the way in which organisations collect, use, disclose and destroy information about people to ensure that they do so in a responsible and accountable fashion. 

Cardiff Metropolitan University needs to:

  • Notify the Information Commissioner that it intends to process personal data. 
  • Comply with the data protection principles, including:
      • Comply with one of six conditions to process personal data.
      • Comply with one further condition to process sensitive personal data.

The Data Protection Policy and the Data Protection Act Procedures and Guidance are intended to ensure that all processing of personal data carried out by, or on behalf of, Cardiff Met complies with the requirements of the Act.

Please get in touch if:

  • There is any other information that you would like to see included on these pages.
  • You would like to arrange an awareness or training session.
  • You need some specific advice or assistance.

You can contact Siân Newton, Data Protection Officer, Llandaff Campus – Room M1.05, Ext 6076,

What is a Notification?

The University's Notification tells everyone, including the people the data is about, what personal data it has and what it intends to do with it. If you start to collect different personal data, or decide that you want to use the data you have for something different, you will need to make sure that what you intend to do is compatible with Cardiff Metropolitan University's Notification. If it isn’t, you need to contact the Data Protection Officer as soon as possible, so that the Notification can be updated. Cardiff Metropolitan University would be guilty of an offence if it didn’t have a current, up-to-date Notification.

Our current Notification specifies the following purposes:

  • Personnel administration
  • Work planning and management
  • Marketing and selling
  • Fundraising
  • Purchaser/supplier administration
  • Membership administration
  • Ancillary and support functions (specifically: car parking administration, debt collection, safety office, maintenance of the on-line telephone directory and telephone exchange service)
  • Customer and client administration
  • Research and statistical analysis (specifically: educational research, health research, social research, technical research)
  • Information and data bank administration
  • Credit facilities administration
  • Legal services
  • Consultancy and advisory services (specifically: careers, chaplaincy, counselling)
  • Alumni relations
  • Colleges' commercial activities
  • Web-based user directory services
  • Web-site maintenance
  • Lending and hire services administration
  • Share and stock-holding registration

What is ‘Processing’?

‘Processing’ is a term that is used to refer to anything that could be done to, or with, personal data – from the point at which it enters an organisation to the point at which it leaves. It includes collecting, recording, organising, holding, storing, retrieving, looking at, consulting, using, disclosing and destroying the data.