Skip to main content
Directorate of Governance and Legal Services

Data Protection

What is data protection?

Data protection concerns information relating to an identified or identifiable living individual – personal data. This might include names, addresses, dates of birth, photos, fees paid, NI number, religious beliefs, nationality, performance appraisals and so on. Included is any data which is in, or is likely to come into, the possession of the data controller, i.e. Queen Mary University of London and its employees, relating to individuals. It includes any expression of opinion about the individual and any indication of the intentions of Queen Mary, its staff or any other person in respect of the individual. Queen Mary University of London is a data controller in terms of Article 4 of the U.K. General Data Protection Regulation (GDPR). Please see the glossary for more explanations of terms. 

Staff should familiarise themselves with Queen Mary's Data Protection Policy [PDF 268KB] and its appendix of guidelines.

How Queen Mary uses your personal data

Queen Mary processes the personal data of staff, students, alumni and other individuals with whom it has a relationship, known as data subjects. Privacy notices will explain the purposes for this, among other things, usually at the point of collection. 

Queen Mary’s central privacy notice can be seen at This advises individuals about their rights and provides contact details of our Data Protection Officer, as well as other important information. Links to the main privacy notices for students, staff, direct applicants and research participants can be found below. Other privacy notices exist.

Queen Mary is obliged by law to send some data about students and staff to the Higher Education Statistics Agency (HESA, now part of JISC). Please see HESA's collection notices for further details. Your HESA record will not be used in any way that affects you personally. Disclosure may also be necessary in other circumstances such as a medical emergency or during the course of investigations being carried out by agencies such as the police or tax authorities.

See also the Right to Privacy and the Monitoring of Data [PDF 156KB] guidelines.

Some of the personal information processed by Queen Mary is classed as "special category" data under the GDPR (for example ethnicity, health records, etc). If you give Queen Mary any information regarding a disability or learning difficulty it may be passed to any member of Queen Mary who requires it in order to ensure appropriate arrangements for teaching, examination or other facilities, unless you explicitly object. 

Requests relating to personal data

Data protection legislation affords a number of rights to data subjects. If Queen Mary processes your personal data you have a right to know what is held, for what purposes and to a copy of this data by making a data subject access request (SAR). Queen Mary will not usually release information to third parties, including family members, without your consent unless required or allowed by law. For further details please see the Information Commissioner's guidance.

If you wish to make a subject access request please fill in this form [DOC 58KB] and send it to or to: Data Protection Officer, Queens’ Building, Mile End Road, London, E1 4NS. A response will be made within one calendar month. It is not compulsory to use the form, but requests are easier in writing and there are instructions on it explaining the requirements to enable a request to be processed. Third parties, such as parents/carers or legal representatives, may make such requests on behalf of data subjects with their authorisation. Separate requests may be made to the Students' Union in relation to data it holds.

Members of staff who receive any requests for personal information or attempting to exercise other rights under the GDPR should advise the Records & Information Compliance Manager. It is especially important to note that third party requests, such as from law enforcement, must be made in writing and properly authorised to ensure that the request is legitimate. If you are contacted by the police (or other third party), you are under no obligation to provide any information unless the enquirer is in possession of a valid court order/warrant, but may do so in an emergency. The Records & Information Compliance Manager will advise.

Data subjects have other rights under UK-GDPR, please see our central privacy notice for details (link above).

Other information

Guidance for SITS users [PDF 134KB]

MySIS and Data Protection Training Slides [PPT 71KB]


For more information contact the Data Protection Officer. Training is available on request and by booking via the CPD.

Visitors to our website should also view the relevant Privacy Notice.

Back to top