Data Protection

As Data Controller, the College has an obligation to process all personal data within the provisions of the General Data Protection Regulations, Data Protection Act (2018) and all other associated legislation. Please see details below to help you understand our obligations to protect your personal data, your Rights and how you can exercise these Rights.

Frequently Asked Questions

GDPR stands for the General Data Protection Regulation. GDPR came into effect on the 25th of May 2018, replacing the Data Protection Directive (DPD) and the UK Data Protection Act 1998.  Further to Brexit, the UK had adopted UK GDPR. The Data Protection Act (2018) refers to the practices, safeguards, and binding rules put in place to protect your personal information and ensure that you remain in control of it. In short, you should be able to decide whether you want to share some information, who has access to it, for how long, for what reason, and be able to modify some of this information, and more.
GDPR applies to any organisation that processes and holds personal data UK citizens is obliged to abide by the laws set out in UK GDPR. GDPR affects every individual that stores or uses European personal data in and outside of the EU.
Under the GDPR, the College must observe six fundamental principles when processing personal data - including ensuring that their use of personal data is lawful, fair, and transparent. We must implement organisational and technical measures to protect it from misuse and exploitation.  Compliance also includes the maintenance of statutory documentation such as Data Protection Impact Assessments for high-risk processing and a Record of Processing Activities.

So, what exactly is personal data? Personal data means any information relating to an identified or identifiable natural person. Known as the ‘data subject’.

In other words, any information that clearly about a particular person. But how broadly does this apply?

The GDPR states that this applies where an individual can be identified directly or indirectly. Some of the followings are examples that can make an individual identifiable:

  • Name;
  • Identification number;
  • Location data; and
  • An online identifier
  • Image

A name is perhaps the most common means of identifying someone. However, whether any potential identifier, including whether a name identifies an individual depends on the context.

By itself, the name ‘John Smith’ may not always be personal data because there are many individuals with that name. However, if the name is combined with other information (such as an address, a place of work, or a telephone number) this is often sufficient to clearly identify one individual.

Special Category Data

GDPR special category data is personal information of data subjects (individuals) that is especially sensitive. Special category data includes the following:

  • Race and ethnic origin
  • Religious or philosophical beliefs
  • Political opinions
  • Trade union memberships
  • Biometric data used to identify an individual
  • Genetic data
  • Health data
  • Data related to sexual orientation

Due to these data elements being particularly sensitive, the College must have a legitimate and lawful reason for collecting, storing, transmitting, or processing these data. 

The College will only collect and process data that is necessary and we are forbidden from processing data unlawfully.  Examples of reasons why we ask for your data can vary from the College performing its public task, fulfilments of legal obligations and where an individual requires protection from harm.  Legislation protects your data against being processed where there is no existing lawful basis to do so.

The College has many Privacy Notices for various Departments to help you understand, how and why we collect your information. Privacy Notice - SERC

The Information Commissioners Office (ICO) states that, UK GDPR provides the following rights for individuals, which the College is complaint with:

  • The Right to be informed;
  • The Right of access:
  • The Right to rectification;
  • The Right to erasure;
  • The Right to restrict processing;
  • The Right to data portability;
  • The Right to object;
  • Rights in relation to automated decision-making and profiling. 
The College has one month to reply to all GDPR requests. For requests made on the weekend or on a holiday, organisations have the next working day to start the timer on their response. 
While individuals’ rights are paramount in GDPR the law does contain some provisions/exemptions where the College is not obliged to comply. Each request is assessed very carefully against legislation. Considering all surrounding factors if it is agreed that the College is unable to apply fully with your request, the College will provide reasoning for this, if possible. 

If you are unhappy with the College’s response to your Subject Access Request, please let us know by emailing or addressing a letter to the Records Manager.

If you remain unhappy with the College’s response to your Subject Access Request, please contact the Information Commissioner at:

Information Commissioner’s Office  

Wycliffe House

Water Lane




If you have any concerns at all on how the College may be processing your data or if you believe the data, we hold on you is inaccurate, then please contact the Data Protection Officer,

The College welcomes all means of support for our students however we must also comply with GDPR and the Data Protection Act (2018) which regulates how we process personal data, including any disclosures about our students.  This applies to all student information, even if they are under the age of 18.

The College is unable to discuss student information with anyone unless the student has provided this consent on their student account or where an individual has legal responsibility for a vulnerable adult.  During application and enrolment, the student is given opportunity to provide this consent and the name of the person to whom we can discuss their information with.

In an emergency e.g., where we have concerns about the life, health, and welfare of the student, we will make contact with the person identified as the ‘Emergency Contact’ on the student’s account.

While the College may not be able to discuss information with you, students can access their student profile from home, and this will contain their timetable, attendance register and various other aspects of their progress at the College.

Staff can answer any questions you may have about College processes e.g. EMA, Application process, Learning Support provision, and we have a suite of policies and procedures available on our website for your information.

A family looking at a tablet device.


You can access the College’s Data Proctection Policy via this link:

Data Protection Policy


Further details regarding this document can be obtained by contacting the Data Protection Officer at the following:

Data Protection Officer
SERC Bangor Campus
Castle Park Road
BT20 4TD

The Information Commissioner's Office

The FE Sector will continually refer to legislation and ICO guidance in regards to data protection.

Further information is available to the public on the ICO website: Guide to Data Protection | ICO.

compass component of the SERC logo
Card image cap

Public Information

We publish a range of information that is available to the public as part of our commitment to openness and transparency.

Learn More
Card image cap

Publication Scheme

Our publication scheme commits us to make information available to the public as part of its normal business activities.

Learn More
Card image cap

Freedom of Information

As a public authority, the College is committed to its obligations of transparency in line with the law.

Learn More