Data Protection

The University is required by the Data Protection Legislation (EU General Data Protection Regulation and UK Data Protection Act 2018) to process all personal data strictly in accordance with the Legislation and its data protection principles.
Student working with laptop

Data Protection Code of Practice

The University has developed a Data Protection Code of Practice which:

  • Provides guidance on the application of the Act
  • Concentrates on key issues of concern to the University
  • Reflects our agreed policies and procedures
  • Provides links to these where appropriate and to specific guidance notes and other resources

If you are having any difficulties viewing this page please contact

View the Data Protection Code of Practice

Specific sections which apply to students include:

Student processing of personal data

The University is responsible for personal data when it is the data controller for that data i.e. where the University determines the purposes for and the manner in which any personal data is to be processed.

A student is only permitted to use personal data for a University related purpose, with the knowledge and express consent of an appropriate member of staff. For research purposes this would normally be a postgraduate supervisor or the person responsible for teaching the relevant undergraduate class or course. For administrative purposes this will be on the express authorisation of the line manager or supervisor of the project on which the student is employed.

For more information consult: Processing of Personal Data by Students

Use of personal data in research

The Act sets out to ensure that researchers may only process data about other living individuals where they have a clear legal purpose for doing so and subject to certain prescribed exemptions, the use of personal information for research falls within its remit. Staff and students engaged in research at the University are obliged therefore to comply with the requirements of the data protection principles, the University’s Code of Practice and any associated guidance, when collecting and processing personal data for research purposes.

In addition to computerised records, these requirements apply to written records held in a structured filing system, digital and microfiche records and video recordings. For more information consult: Use of Personal Data in Research.

Use of the internet, social media and other externally hosted services

In order to encourage safe, responsible and acceptable use of the internet, Web 2.0 and other externally hosted services (e.g. Facebook, YouTube, Twitter, LinkedIn) guidance has been developed for students on How to be Webwise.

Collection and use of your personal data

All students are asked at registration to sign up to the University’s Data Protection Statement for Students which explains how the University collects, uses, discloses and ultimately disposes of your personal data.

The University also publishes guidance on the student information we are required to disclose to HESA, which is available at the link above.


The University's graduation ceremonies are significant events for our graduates, their guests and our staff. Important information about how we will use student data for graduation purposes is in this Privacy Notice.

Checking or changing your student details

You can do this by going to eStudent Records.

Related University Policies

All students must adhere to the University's Information Security Policies.

Other sources of advice and guidance

Please note that all links provided in this guidance to third party sites are for your information and convenience only. Edinburgh Napier University has no control over these sites and accepts no liability in respect of their use.

Get Safe Online guidance BBC Twitter guidance The Information Commissioner’s Office guidance