Data Protection Policy - Data Protection Definitions

Personal Data

Data relating to a living individual who can be identified from the data, or from the data and other information which is in the possession of (or likely to come into the possession of) the data controller and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Sensitive Personal Data

Sensitive personal data is personal data relating to racial or ethnic origins, political opinions, religious beliefs, trade union membership, physical or mental health (including disabilities), sexual life, the commission or alleged commission of offences, and criminal proceedings. 

Data Controller

The Data Controller is a person who determines the purposes for which and the manner in which any personal data are, or are to be, processed. For the purposes of this document, Swansea University is the registered Data Controller.

Data Processor

The Data Processor is any person (other than an employee of the data controller) who processes the data on behalf of the data controller, e.g. a person or organisation that collects and processes data on behalf of the University under contract. The Data Controller remains responsible for the data being processed by a Data Processor.

Data Processing

Data Processing is any operation on personal data, including obtaining, recording, holding, organizing, adapting, combining, altering, retrieving, consulting, disclosing, disseminating, deleting, destroying and otherwise using the data.

Data Subject

The Data Subject is a living individual who is the subject of the personal data.

Third Party

A Third Party is any person other than the data subject, the data controller or any data processor or person authorized to process data for the data controller or processor.

Privacy Notice

A privacy notice is provided by the Data Controller to a Data Subject and explains how information about them will be used and what the implications of this are likely to be. It describes the purposes for which the Data Controller intends to process their personal data. Importantly, the privacy notice must also indicate the third parties to whom the data may be disclosed or transferred, and the purposes served by those transfers or disclosures.

The privacy notice must provide sufficient information to demonstrate that a Data Subject could have ‘reasonably expected’ their data to be processed in the manner the Data Controller intends it to be. Privacy notices should be provided at the onset of any collection of personal data and ideally via the same medium. The Data Subject should be notified of any change to a privacy notice. Given the level of engagement with external parties and industries, and the different programmes Swansea University have ongoing, this may require regular review and management.

Further information on privacy notices can be found on the Information Commissioner’s Office website:

http://ico.org.uk/for_organisations/data_protection/topic_guides/privacy_notices