General Questions:

What constitutes personal data?

Personal Data is any information related to a person, which can be used to directly or indirectly identify them. Under GDPR, almost all data used by the College falls under ‘personal data’.

The definition is broad and includes initials of a name, a photo or video of someone, notes taken during an interview, location information, posts on social networking sites or websites, results of medical tests, or a IP address. It is important to understand what personal data is and where you may use it in your role, because you need to comply with GDPR. More information is found in our GDPR training available on Moodle.

 For further information about personal data and GDPR, please see our GDPR FAQs by clicking here or contact Data Protection at

What are personal data breaches?

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to personal data. Here are some examples:

  • Someone accessing data they shouldn’t e.g. looking at systems or databases without permission
  • Giving someone access to data they shouldn’t e.g. leaving a computer unlocked at a desk or in a public place while away from it
  • A wrongful action to personal data e.g. accidentally or deliberately deleting someone’s data which is needed
  • Sending personal data to the wrong person e.g. sending a spreadsheet of student marks to the wrong colleague
  • Publishing personal data e.g. recording an event and posting it on our external website without consent from people in the footage
  • Devices containing personal data being lost or stolen e.g. losing a laptop or USB stick used for work.
  • Paper records containing personal data being lost or stolen e.g. leaving paperwork in the printer, or a bag is stolen which had paperwork with people’s details
  • Alteration of personal data without permission e.g. accidentally updating contact information for the wrong person on a system
  • Loss of availability of personal data e.g. password protecting an important document and forgetting the password

If you suspect or become aware of a personal data breach, you must please report it immediately Data Protection.


  • Report it, even if you’re unsure whether it’s a breach or not.
  • Let your line manage know what has happened.
  • Make initial enquiries to understand what has happened and what data is affected, and complete a ‘Reporting a Data Breach form’.
  • Report it, even if you don’t know all the details of what has happened.
  • Report it to IT Services if systems or devices are involved e.g. if a work-issued laptop was lost or stolen or someone who has left the College still has access to a system they shouldn’t.
  • Try to take initial steps to put things right e.g. recalling an email if you realise it was sent to the wrong person, or removing someone from a mailing list they don’t want or need to be in, or undo accidental changes to someone’s data.
  • Make sure you have completed the mandatory GDPR e-learning available on Moodle.


  • Take too long or leave reporting it for another day. As soon as you suspect or become aware of a breach, contact Data Protection as we have a very tight (72 hour) timeframe within which to make a report to the ICO if one is required.
  • Report it to the ICO yourself. The decision to report to the ICO can only be made by the Data Protection Officer or their nominee.
  • Notify the person or persons whose data is affected by a breach. This is a decision which needs to be made by the Data Protection Officer or their nominee.
  • Deal with it alone and not tell Data Protection. It is Data Protection’s responsibility to investigate and decide what action is taken in the event of a possible breach.
  • Withhold, ignore or delay responding to Data Protection’s requests for further information about an incident. Data Protection are responsible for investigating and managing a personal data breach. Without the full details Data Protection can’t do this, and if we fail to properly investigate or manage the breach the College is breaking the law and risks significant penalties.
  • Be scared to report something. The point of Data Protection’s investigation is to put things right and make sure it doesn’t happen again.

If you have any questions or would like to know more please contact Data Protection.

What is sensitive personal data?

Sensitive personal data can be broken down into three categories. You can have ‘special category’, ‘criminal offence’ or just generally ‘other sensitive’ data. Find out more about sensitive personal data.

What is US data?

The ‘Privacy Shield’ was a GDPR-compliant way to share data with the US, however the European Court of Justice has recently revoked this. This means that as a College we now have to identify all data we share with US-based organisations. Learn more about US data.

What is a subject access request?

A ‘Subject Access Request’ (SAR) is when someone exercises their right under GDPR to have a copy of their personal data from us.

If you receive a request like this please forward it as soon as possible to and we will action the request; please note that we are required to respond to a SAR within one month of the date of the request, so time is of the essence.

The Data Protection Team will need a copy of every piece of data that relates to or identifies the requestor, so we can decide what can or can’t be released by law. We will then process it for a final copy to be sent out to the requestor, explaining what we have decided to provide or withhold (with our reasons). Read more about subject access requests.

Why the change?

The Data Protection Act of 1998 was drafted before much of the technology which transformed the way process information existed. GDPR is an update of the laws to meet the needs of today.

Will non-compliance result in fines?

Yes, the ICO aims to dissuade data protection failures by imposing large fines of up to 20,000,000 euros, or 4% of global annual turnover.

What about Brexit?

Despite GDPR being an EU law, the Data Protection Act 2018 covers much of the same ground. In addition to this it is necessary for the UK to be considered to be adequately complying when Brexit occurs or else there will be restrictions on data transfers between the UK and the EU, which nobody wants to happen.

So if GDPR covers all of this what is the Data Protection Act 2018?

The GDPR is a directive aimed at all countries within the EU, there are various points within it however in which individual Member States may derogate from the regulations for reasons of their own circumstances. For this reason the Data Protection Act 2018 and the GDPR will need to be read alongside each other. Following Brexit, the UK government intends to introduce a ‘UK GDPR’.

What is a Privacy Impact Assessment (PIA)?

A Privacy Impact Assessment is a type of risk assessment aimed at ascertaining whether a proposed processing of personal data is likely to have an adverse effect on either the data subject or anybody else. It is completed so steps can be taken to minimise the risk of this occurring.

What is Protection by Design and Default?

Protection by Design and Default means implementing methods of data protection from the very start of a project, and developing an understanding of how data is to be secure throughout the lifespan of the project.

Staff Questions

What is the College doing about this?

We have appointed a Data Protection Officer, Elaina Moss, who is responsible for ensuring the College’s compliance with GDPR. The responsibilities of this role include managing internal data protection activities; raising awareness of data protection issues, training staff, advising on data protection impact assessments and being a first point of contact for everyone about whom the College holds data.

We have also established a network of Data Stewards who have are accountable for how the data in their area is used and they are supported by Data Custodians who work with the data on a daily basis. These people support the Data Protection Officer in her work to ensure the College’s compliance with the law and we would ask that you co-operate with any request you might receive from them.

What do I need to do now?

Firstly you should complete the training available on Moodle. This will give you a good basis in understanding the GDPR and how we should process the data we hold.

Do I need to change the way I use data?

If you need to look at Individual’s (student, staff or other) data, where possible look at this on the relevant system (e.g. Banner) or using the relevant reporting tool (Infoview, Dashboards) rather than exporting/printing the information.

Only export/download personal data where you genuinely need to process/use it.

Ensure that any exported or collected documents containing personal data are saved in an appropriate location, e.g. Departmental shared drives, where access is limited to individuals who have a genuine need to access the data.

Do not save personal data to your PC (C: Drive or Desktop) and limit use of your Personal (Y) Drive unless there is nowhere else that data could be stored.

Limit the printing of documents with personal data unless absolutely necessary.

Where possible, you should avoid sending e-mails which contain personal data either in body of the email or as an attachment. If you can, direct the recipient to where they can find it in a shared drive to which you both have access. Emails are the College’s greatest source of data breaches as it is so easy to click the wrong name in the address book or to rely on autocomplete which you may not notice has given you the wrong name.

Personal data should never be emailed to a non-Royal Holloway email address.

We know that so much of our work relies on our ability to share information and we are working on ways to enable you to securely share personal data.

Do not save personal data onto a memory stick, external hard drive or laptop unless these devices are encrypted. Ensure you have consulted the Mobile Working Policy.

What do I do if I think I or someone in my team or department has committed a data breach?

You should take action as soon as you become aware of this. Contact us at and read the Personal Data Breach Reporting Procedure [link TBC] before filling out this form.           

If somebody requests to have their data deleted do I have to comply?

If you receive a request like this, please refer them to the Data Protection Officer who will handle the request.

If the Police ask me for the personal data of a Student do I have to give it to them?

If you receive a request directly from the Police, please refer them to the Data Protection Officer who will liaise with the Police directly. Do not give information to an officer just because they ask for it.