This page provides some general information that we need to tell you about whenever we collect personal data from you, or obtain your information from another source.

We will always give you specific information about why we require your personal data and how we will use it, see for example our student or staff privacy notices

To help you understand more about our use of your data, we’ve also included some additional information on security and the potential legal basis for processing personal data.

This page was last updated in September 2021.

The University of East Anglia is a Data Controller. This means that we determine why and how personal data will be collected and used, either alone, or jointly with others. 

Our handling of personal data is regulated by the Information Commissioner’s Office (ICO). Our registration number is Z8964916. See our ICO register entry

Our Data Protection Officer is Sue White, who can be contacted by email at  

You can contact the University’s data protection team by emailing

Under the UK General Data Protection Regulation (UK GDPR), the University is required to employ a Data Protection Officer. The Data Protection Officer for UEA is Sue White, who can be reached using the email address above.

UK data protection law gives people a range of privacy rights. These are:

The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling

Click on the links to find out more, or contact the Data Protection Officer (see above).

You may request a copy of your personal data held by the University. See the Requests for personal information web page. 

You have a right to object to the University's processing of your data. Where your data has been used for direct marketing this is an absolute right. 

If you have any complaint or concern relating to how the University has handled your personal data, you can contact the Data Protection Officer in the first instance. The Information Commissioner’s Office has published guidance on raising a concern with an organisation.

You can also contact the Information Commissioner’s Office directly.

When we use personal information, we are required to take appropriate technical and organisational measures to protect that information from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. Our obligations extend from the point we collect the information up to, and including, the time of its destruction. 

All UEA staff are required to complete data protection training to ensure they are aware of the need to secure the personal data they use at work, including paper documents. The University’s Information Security Policy and Conditions of Computer Use set out how digitally-held information must be used and secured. Additionally, where we rely on an external organisation to handle UEA personal data on our behalf, we need to have a written agreement in place that sets out how data will be kept secure. We will tell you if your information is being shared with a third party in this way.

The UK GDPR requires UEA to record the technical and organisational security measures for all personal data we process. This work is ongoing, but if you require information on the security of your personal data, contact in the first instance.

Your personal data will normally be stored by the University on campus, in either paper or digital format. Data will only be held offsite where we have a contract with the organisation providing that storage, which will usually be part of a wider service. An example of offsite data storage is Microsoft 365.

Occasionally, these service providers are based, or store their information, outside of the UK. If we transfer or store information outside the UK the University must ensure additional steps are taken to protect your information. In these cases we will either: ensure our contract with the organisation includes specific clauses approved by the EU / UK government; ensure that the transfer is to a country deemed to provide an adequate level of protection for your data; ensure a lawful derogation applies.

We will keep your personal data only as long as is necessary for the purpose(s) for which it was collected. If we need to keep information for a specific period we will let you know, but most of the retention periods for each purpose are set out in the University’s Records Retention Schedules.

Data will be securely destroyed when no longer required. Note that some information about former students will be held indefinitely – see Alumni privacy notice for further details.

We are required to identify, and inform you, of the ‘lawful basis’ we rely on to process your personal data. The lawful bases are set out in Article 6 of the UK GDPR, and at least one of these must apply in order for us to be able to use personal data.

As the University is classed as a public authority, much of what we do with student data in particular is covered by the ‘public task’ lawful basis (Article 6(1)(e) of the UK GDPR). However, sometimes we may rely on others, and we’ve added some information below on two of the lawful bases.


About 'Legitimate Interests'

The University will, where appropriate and allowed by law, rely on ‘legitimate interests’ as a lawful basis for handling personal data. If we’ve told you that our use of your personal data is required for either the University’s or another body’s legitimate interests, here’s a bit more detail about what that means.

In this case, ‘Legitimate Interests’ means the interests of the University in how we conduct and manage our activities. For example, we have a legitimate interest in successfully attracting and enrolling students. It may also refer to the interest of a third party organisation, or the person whose data we are processing.

We might refer to legitimate interests when we want to use your information in a way that we believe will benefit the University and the services we provide, however, we cannot do something we think is in our legitimate interests if it causes undue harm to the person whose information we are using. We need to make sure we get the balance right in all cases, and will let you know what our use of your data will mean for you. To make sure we get the balance right, we will aim to complete a Legitimate Interests Assessment wherever possible.

You have the right to object to any processing of your personal data that has been undertaken in the legitimate interests of the University or other party. See Complaints section above for details. Please note that if you object we may not be able to carry out these activities for your benefit.


Consent for Handling for Personal Data

The University will also occasionally seek your consent to use your personal data in specified ways. If you have provided consent, or are considering doing so, you should be aware that the University will always aim to apply the standards set in the ICO checklists. If we haven’t met that standard, let us know

Where our use of your data is based on your consent, you have the right to withdraw that consent at any time. See Complaints section above for details of who to contact.

Our website privacy notice and cookie policy explain how data may be gathered about users of the University’s website.

The University’s privacy notices do not cover the links within the UEA site which link to other websites. We suggest you read the privacy statements on other websites you visit.