Data Protection Policy Statement
Edinburgh Napier University is committed to protecting the rights and freedoms of individuals with respect to the processing of their personal data. This is done in accordance with:
- The EU-General Data Protection Legislation (GDPR) and Data Protection Act 2018 (the Act), which together are referred to as the "Data Protection Legislation" below
- associated legislation
- case law and the spirit of the Data Protection Legislation
- the University's notification with the UK Information Commissioner, which sets out the purposes for which the University holds and processes personal data about employees, students, graduates and others
1. All users of personal data at Edinburgh Napier University are required to comply with:
- The Data Protection Legislation
- the University's Data Protection Code of Practice and Information Security Policies
- associated University policies, procedures and guidance on the provisions and practical implementation of the Data Protection Legislation
2. These requirements apply to all personal data created and received, regardless of where it is held and irrespective of the ownership of the equipment used, if the processing is for Edinburgh Napier University purposes.
3. Any breach of the University's policies, procedures or guidance may result in the University being legally liable for the consequences and internal disciplinary action being taken.
1. All employees and agents processing personal data for and on behalf of the University are responsible for ensuring that any processing of personal data carried out by them complies with the Data Protection Legislation.
2. All line managers are responsible for ensuring that the processing of personal data carried out in their School/Service Area is compliant with the Data Protection Legislation and that employees reporting to them are aware of their responsibilities under the Data Protection Legislation and have received training.
3. Governance Services are responsible for overseeing compliance, developing guidance and providing advice and training to employees.
4. The University Secretary has overall responsibility for the development and maintenance of an effective data protection compliance framework and monitoring institutional compliance.
The Data Protection Legislation sets out six principles governing the use of personal information with which all University users must comply unless an exemption applies. These principles are:
1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimisation
5. Storage limitation
6. Integrity and confidentiality
Further guidance is available on these pages and in the University's Data Protection Code of Practice.