Skip to content
Skip to navigation menu


Data Protection

As a student at Cardiff, some of your personal data will be stored and processed by the University.  This page explains how your information is used, but you can view further information about the University’s registration under the Data Protection Act by searching for Cardiff University on the Register of Data Controllers. The Information Commissioner's Office also provides useful guidance on data protection matter.

If after reading this page you still have queries then please contact the Data Protection Officer, Governance and Compliance Division, Cardiff University, McKenzie House, 30-36 Newport Road, Cardiff, CF24 0DE or e-mail


The University collects your data, including your photograph, during your application and enrolment in order to:
• organise your studies;
• give access to and ensure the security of University buildings;
• provide student support services (libraries, careers, advice, IT facilities and Students’ Union);
• carry out legal duties, providing information to others (see disclosures section);
• provide other activities within the University business including developing and maintaining our alumni programme and research profile;
• conduct equal opportunities monitoring and equality impact assessments to ensure our policies and practices do not discriminate against individuals because of 'Protected Characteristics'.

The University has a code of practice on the use of photographs for identity.  This code sets out when and how you can expect your student card to be used to check your identity.


The University will share your relevant personal data with the bodies described below:

Sponsors (including LEAs and the Student Loans Company) where a contract exists
  • In accordance with the terms of the contract (which usually relates to attendance and progress reports)
  • This does not include anyone who is paying money toward your studies but where there is no formal contract i.e. parents.
Professional bodies (e.g. General Medical Council, Royal Society of British Architects, Law Society)
  • In order to confirm your qualifications and accredit your course
Cardiff & Vale University Health Board (and other NHS organisations in England and Wales)
  • When necessary for your programme, including for students studying Medicine, Biology and Life and Health Sciences
  • Where in the public interest and necessary for public health reasons, including the monitoring and control of infectious diseases. Data Sharing Agreement - TB Screening
Work placement sites or educational partners involved in joint course provision
  • Where this is necessary for your programme
The Higher Education Funding Council Wales (HEFCW) and its agents
  • Agents include the Higher Education Statistics Agency (HESA) and the Quality Assurance Agency (QAA).  You can find further details on the HESA website, there is also a Welsh language version.
Potential employers or providers of education whom you have approached
  • To confirm your qualifications
UK agencies with duties relating to the prevention and detection of crime, collection of a tax or duty or safeguarding national security
  • In order to allow the assessing and collecting/paying Council Tax, Benefits or Tax
  • To aid the police, UK Visas and Immigration Agency or the Foreign and Commonwealth Office
  • This happens as necessary in consideration with your rights and freedoms
Plagiarism detection service providers
  • In accordance with the contract with the service provider e.g. Turnitin to ensure academic standards

Any other disclosures that the University makes will be in accordance with the Data Protection Act and your interests will always be considered.

Your rights

You have a right to a copy, or to object to the processing of, your personal data held by the University.  Any requests or objections should be made in writing to the Data Protection Officer (details at the top of the page) and there will be a £10 fee for copies of your information.  

Your responsibilities

You have a responsibility to keep your personal details up-to-date via SIMS.  

During the course of your studies you may have access to personal information about others.  You are expected to treat this in a responsible and professional manner and are legally required to do this under the Data Protection Act, as well as any professional ethics or codes of conduct.  If you are made aware of personal information in confidence including regarding someone’s mental or physical health then you are expected to not tell anyone without the individual’s consent, unless there are exceptional circumstances.  You should also not seek to gain others’ personal data if you are not entitled.  Disciplinary action will be considered for any University member who breaches the Data Protection Act or a duty of confidence.  Further information about the Act can be found here.

Go back to The Step by Step Enrolment Process