Secretariat and legal privacy notice

Secretariat and Legal is part of the University of Surrey. We are registered as a data controller with the Information Commissioner’s Office (our notification number is Z6346945) and we are committed to ensuring that the personal data we process is handled in accordance with data protection legislation. We have a named Data Protection Officer, Suzie Mereweather, who can be contacted via

One of our responsibilities is to tell you about the different ways we collect and use your personal data. This statement provides details about these uses. In addition to this statement, you may be given further information about the uses of your personal data when you use certain services offered by the University of Surrey.

We hold and process personal data about staff to comply with legislation with regards to the Bribery Act 2010 and Fraud Act 2006 as outlined in the Ethical Conduct Policy (PDF).

We receive the below data from you when you complete our form. The personal data we hold about you consists of:

  • Name
  • Email address
  • Job title
  • Commercial information depending on which form you complete.

We collect your personal data in order to ensure compliance with the Ethical Conduct Policy (PDF) with regards to declarations of interest, hospitality and gifts, reporting purposes to the Audit and Assurance Committee as well as providing de-personalised information to respond to Freedom of Information requests.

We will use the data we collect to make decisions about individuals or to analyse information on an individual level.

We take our obligations for data handling very seriously and it is therefore important for you to know that the lawful basis for us processing your information is that processing is necessary for the purposes of the legitimate interests of the University of Surrey. These purposes will never override your personal interests, fundamental rights and freedoms which require protection of your personal data.

We keep your personal data in accordance with the University’s retention schedules.

This means that:

  • Declarations of interest data is kept for 6 years from the time you leave the University and then destroyed
  • Declarations of hospitality and gifts data will be kept for 3 years from its last use and then destroyed.

We will share your personal data with your line manager, department manager or dean/executive board member in order to ensure compliance with the Ethical Conduct Policy (PDF) in regards to the management of the declarations of interest, hospitality and gifts.

As an individual whose data we process (a data subject), you have certain rights in relation to the processing. Find detailed information about your rights as a data subject.

You have the right to:

  • Withdraw your consent for us to process your personal data where we have relied on that consent as our basis for processing your data.
  • Ask us to confirm that your personal data is being processed and to gain access (i.e. have a copy) of that data as well as to be provided with supplemental information about the processing.
  • Request that we rectify any inaccuracies where the data we hold on you is inaccurate or incomplete.
  • Have your data erased by us, although in certain circumstances we may not be able to do this. The circumstances where this applies can be found in the guide to data subject rights information.
  • Restrict the processing of your personal data in certain ways.
  • Obtain your personal data for reuse.
  • Object to certain processing of your personal data.

If you would like to exercise any of your rights please visit our make a privacy request section.

Make a complaint

If you have any concerns about the way that we have handled your personal data please email the Data Protection team as we would like to have the opportunity to resolve your concerns.

If you’re still unhappy, you have the right to complain to the Information Commissioner’s Office (an independent body set up to advise on information rights for the UK) about the way in which we process your personal data.