The University is registered as Data Controller with the Information Commissioners Office, registration number: Z7222773.
This notice and any other documents referred to in it set out the basis on which we will process any personal data we collect from data subjects, or that is provided to us by data subjects or other sources.
We may update our Privacy Notices at any time. The current version of all of our Privacy Notices can be found below, and we encourage you to check back here regularly to review any changes.
Unless specific time periods are given in the relevant Privacy Notice, your data will be kept in-line with the University's Records Retention Schedule.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
What is Personal Data?
"Personal data" is defined as information relating to a living individual that enables that individual to be identified either from the data.
Personal data may contain “special categories of data” as described under the new law. Such “special categories of data" may include information about your racial or ethnic origin, religious beliefs or other beliefs, physical or mental health or, in relation to DPA only, other conditions and information concerning any criminal offences or criminal proceedings.
How you're protected under data protection law?
Data protection law means that any processing undertaken by us must be done for specified purposes (outlined within these privacy notices) and that we have a relevant lawful basis for the processing. Under the new rules there are six possible bases:
Consent: on occasions where the University will only process certain data for a specific purpose, subject to you having provided clear and affirmative consent. This is always required if we're processing special categories of personal data.
Contract: it may be necessary to process your personal data to fulfil the contract we have with you or you have asked us to take specific action before entering into a contract with us.
Legal obligation: the processing of your data is necessary for us to comply with the law (not including contractual obligations).
Vital interests: the processing of your data is necessary to protect someone’s life.
Public task: the processing of your data is necessary for us to perform a task that is in the public interest or for official functions, and the task or function has a clear basis in law.
Legitimate interests: the processing of your data is necessary for the legitimate interest of the University or a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Your rights, including access to information and correction.
Right of notification
All data subjects (students, applicants, visitors to our website, and others as specified in our privacy notices) have the right to be informed about the collection and use of data. As Data Controller, the University is required to provide you with information about how we process your data and your rights under the new data protection law.
You also have the Right to be notified of data rectification and erasure, such as in the event of a data breach.
Right of access/ portability
You have the right to find out what information we hold about you, and you are able to request that information from us by submitting a Subject Access Request via our Data Protection Officer.
You also have the right to request data we hold to be provided to you in a format suitable to transferring to other data controllers, which is your right to portability.
Right to rectification
You have to right to contact us to rectify any information we hold about you and you can do this at any time either via the self-service portal, available to students and staff, or by contacting firstname.lastname@example.org
Right to erasure
You have the right to request that we delete your information at any point, which we must do unless the information is necessary (such as your academic record if you are a student)
Right to restriction of processing
If you think there's a problem with the accuracy of the data we hold about you, or if you think we're using data about you unlawfully, you can request that any current processing is suspended until a resolution is agreed.
Right to object
You have a right to object to how we use your data if we do so on the basis of "legitimate interests" or "in the performance of a task in the public interest" or "exercise of official authority" (a privacy notice will clearly state this if this is the case). Unless we can show a compelling case why our use of data is justified, we have to stop using your data in the way that you've objected to.
Right to not be subject to automated decision making
If any decision has been about you based on automated software (such as segmentation or suitability a bursary) you have the right to request a human being review the decision.