skip to primary navigationskip to content


University of Cambridge Veterinary School Trust

Studying at Cambridge


Data Protection Legislation


Data protection legislation sets out rules and standards for the collection, use and storage of information relating to living identifiable individuals. The current legislation in the UK is the Data Protection Act 1998 (DPA).  From 25 May 2018, this will be replaced by the General Data Protection Regulations (GDPR), coupled with a new Data Protection Act that supplements the GDPR in specific ways and which is currently being debated by Parliament. Both pieces of legislation are based around the notions of principles, rights and responsibilities. The legislation is regulated by the Information Commissioner's Office as well as the courts.


The DPA applies to some paper records as well as those held in electronic form. It imposes obligations on those who record and use personal information to be open about how that information is used and requires them to follow the eight data protection principles.

Personal data must be processed following these principles so that data are:

  1. processed fairly and lawfully and only if certain conditions are met;
  2. obtained for specified and lawful purposes;
  3. adequate, relevant and not excessive;
  4. accurate and where necessary kept up-to-date;
  5. not kept for longer than necessary;
  6. processed in accordance with an individual's rights;
  7. kept in a secure manner;
  8. not transferred outside of the EEA without adequate protection.

These principles broadly are carried through into the GDPR, though they are expressed somewhat differently.


Under data protection legislation an individual has the right, subject to certain exemptions, to access the personal information that an organisation holds about them.

Individuals have certain additional rights under the DPA, such as the right to prevent data processing which is likely to cause substantial and unwarranted damage or distress, the right to prevent processing for the purpose of direct marketing, and the right to correct inaccurate personal data. These existing rights are enhanced and supplemented in the GDPR.


Data protection legislation imposes certain responsibilities on all those who process personal data at the Trust.

These obligations include holding and using data in a secure manner, making sure that data is handled in line with what individuals have been told, having appropriate arrangements in place for the access to (and sharing of) data, and making sure that individuals' data is accurate and retained for a suitable period. Most importantly, if a data breach occurs (e.g. personal data held by the Trust is lost, stolen, inadvertently disclosed to an external party, or accidentally published), this should be reported immediately to the .

Under the GDPR, greater emphasis is placed on an organisation's accountability for its data protection compliance.  Certain record-keeping and policy/procedural requirements become mandatory in some circumstances.


If you are currently receiving information about our work but no longer wish to do so, please unsubscribe by clicking here. 




Upcoming events

2018 Virgin London Marathon

Apr 22, 2018


Upcoming events

« March 2018 »