The University of Birmingham ("the University") needs to keep certain information about its employees, students and other users to allow it to monitor performance, achievements, and health and safety, for example. It also needs to process information so that staff can be recruited and paid, courses organised and legal obligations to funding bodies and government complied with. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. To do this, the University must comply with the Data Protection Principles, which are set out in the Data Protection Act 1998.

In summary these state that personal data shall:

• Be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met.
• Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose.
• Be adequate, relevant and not excessive for those purposes.
• Be accurate and kept up to date.
• Not be kept for longer than is necessary for that purpose.
• Be processed in accordance with the data subject's rights.
• Be kept safe from unauthorised access, accidental loss or destruction.
• Not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.

The University and all staff or others who process or use any personal information must ensure that they follow these principles at all times. In order to ensure that this happens, the University has developed the Data Protection Policy.