UK GDPR and the Data Protection Act (2018) set out the UK's legislative framework for managing personal data. This includes student records, staff files and personally identifiable research data.

Together, these legislation set out the standards for data management and provides a right of access by data subjects to the information that the university holds about them. The university's Data Protection Policy provides additional detail about how personal data is handled.

The university has a Data Protection Procedure which should be read alongside the Data Protection Policy. It covers the steps we will take to implement the Data Protection Policy, the lawful bases under relevant data protection legislation that we will rely upon to process personal data, and the data protection principles.

Please see Policy Hub to find related policies including the College's policy regarding the use of CCTV and the King's IT policy framework.

King's is a registered data controller under UK GDPR. The registration number is: Z7915194. You can look up King's registration and download a registration certificate from the ICO Register of data protection fee payers.

The Information Commissioner's Office is the supervisory body for the UK in relation to Information Rights. Further information regarding UK GDPR can be found on the ICO's website.

Information Compliance manages requests for personal data (and other rights under UK GDPR) and provides guidance and support to staff and students to ensure compliance with the Act. To access data that King's holds about you, please see our page on requesting personal data.

Further guidance for students and staff, including information about all-staff mandatory data protection training can be found on our internal webpages.

Loss of personal data or breaches of the Data Protection Act (2018)/UK GDPR can occur when identifiable data is lost, stolen, unintentionally or maliciously disclosed or altered.

The university's Data Breach Management Procedure (internal only) explains the steps to be taken for any incident involving the actual or potential loss of personal data. Any loss or suspected loss of personal data should be reported to info-compliance@kcl.ac.uk as soon as possible after the incident is discovered. This helps the university to reduce the impact of any data loss on the individuals affected.

Under UK GDPR, we are required to report data breaches to the ICO within 72 hours of us becoming aware of it. Reports must be made by the university's Data Protection Officer who heads up the Information Compliance Team.

Further information on reporting a breach is available on our internal pages.