We're committed to the security of your personal data, and to enabling your rights under the Data Protection Act 2018, GDPR, and associated data protection law.

Privacy statement

The University is registered as Data Controller with the Information Commissioners Office, registration number: Z7222773.

This notice and any other documents referred to in it set out the basis on which we will process any personal data we collect from data subjects, or that is provided to us by data subjects or other sources.

We may update our Privacy Notices at any time. The current version of all of our Privacy Notices can be found below, and we encourage you to check back here regularly to review any changes.

Unless specific time periods are given in the relevant Privacy Notice, your data will be kept in-line with the University's Records Retention Schedule.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. 

Data Protection Officer

The University has appointed a Data protection Officer:

Postal address:

Data Protection Officer
Bath Spa University
Newton Park
Newton St Loe
United Kingdom



What is personal data?

"Personal data" is defined as information relating to a living individual that enables that individual to be identified either from the data.

Personal data may contain “special categories of data” as described under the new law. Such “special categories of data" may include information about your racial or ethnic origin, religious beliefs or other beliefs, physical or mental health or, in relation to DPA only, other conditions and information concerning any criminal offences or criminal proceedings.

How you're protected under data protection law

Data protection law means that any processing undertaken by us must be done for specified purposes (outlined within these privacy notices) and that we have a relevant lawful basis for the processing. Under the new rules there are six possible bases:

  1. Consent: on occasions where the University will only process certain data for a specific purpose, subject to you having provided clear and affirmative consent. This is always required if we're processing special categories of personal data.
  2. Contract: it may be necessary to process your personal data to fulfil the contract we have with you or you have asked us to take specific action before entering into a contract with us.
  3. Legal obligation: the processing of your data is necessary for us to comply with the law (not including contractual obligations).
  4. Vital interests: the processing of your data is necessary to protect someone’s life.
  5. Public task: the processing of your data is necessary for us to perform a task that is in the public interest or for official functions, and the task or function has a clear basis in law.
  6. Legitimate interests: the processing of your data is necessary for the legitimate interest of the University or a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

Your rights, including access to information and correction

  • Right of notification
    All data subjects (students, applicants, visitors to our website, and others as specified in our privacy notices) have the right to be informed about the collection and use of data. As Data Controller, the University is required to provide you with information about how we process your data and your rights under the new data protection law.
    You also have the Right to be notified of data rectification and erasure, such as in the event of a data breach.
  • Right of access/ portability
    You have the right to find out what information we hold about you, and you are able to request that information from us by submitting a Subject Access Request via our Data Protection Officer.
    You also have the right to request data we hold to be provided to you in a format suitable to transferring to other data controllers, which is your right to portability.
  • Right to rectification
    You have to right to contact us to rectify any information we hold about you and you can do this at any time either via the self-service portal, available to students and staff, or by contacting data-protection@bathspa.ac.uk
  • Right to erasure
    You have the right to request that we delete your information at any point, which we must do unless the information is necessary (such as your academic record if you are a student)
  • Right to restriction of processing
    If you think there's a problem with the accuracy of the data we hold about you, or if you think we're using data about you unlawfully, you can request that any current processing is suspended until a resolution is agreed.
  • Right to object
    You have a right to object to how we use your data if we do so on the basis of "legitimate interests" or "in the performance of a task in the public interest" or "exercise of official authority" (a privacy notice will clearly state this if this is the case). Unless we can show a compelling case why our use of data is justified, we have to stop using your data in the way that you've objected to.
  • Right to not be subject to automated decision making
    If any decision has been about you based on automated software (such as segmentation or suitability a bursary) you have the right to request a human being review the decision.

Withdrawing your consent

Where we have your consent to any processing (made clear within our privacy notices or at the time of collecting your data) you have the right to withdraw your consent at any time.

Exercising your rights, queries and complaints

For more information on your rights, if you wish to exercise any right, for any queries you may have, or if you wish to make a complaint, please contact our Data Protection Officer: data-protection@bathspa.ac.uk.

Complaint to the Information Commissioner

You have a right to complain to the Information Commissioner's Office (ICO) about the way in which we process your personal data. You can make a complaint on the ICO website.

Edit section | Website feedback to web@bathspa.ac.uk