Privacy Notice for Student Personal Data
|Approved by||University Secretary/Director of Planning, Legal and Governance|
|Date Approved:||5 July 2018|
|Next Review Date||1 June 2019|
This document can only be considered valid when viewed via the University website. If this document is printed into hard copy or saved to another location you must check that the version number on your copy matches that of the one on the University website. Approved documents are valid for use after their approval date and remain in force beyond any expiry of their review date until a new version is available.
- GDPR and the Data Protection Act 2018
- What is personal data
- Purposes for which personal data will be used
- What personal data do we use?
- Where the University gets its information from
- Sharing personal data (third party disclosures)
- Do we transfer the information overseas?
- Under what legal basis do we process your personal data?
- How students’ personal data will be used after they have left the University
- How long is personal data retained by the University
- Your rights
- Providing personal data to the University
- Appendix: Details of Information Sharing
The University collects, holds and processes personal information (referred to in this document as personal data) relating to its students. It does so in order to manage its operations effectively and to administer students’ education and related functions. These activities are carried out in accordance with the General Data Protection Regulation (GDPR), the Data Protection Act 2018 and the University's Data Protection Policy. The purpose of this document is to inform applicants and students (whether on a degree course or non-credit bearing programme) how their personal data will be processed and the purposes for which the data has been collected.
2. GDPR and the Data Protection Act 2018
GDPR is a Data Protection law that applies across the EU and to all processing of personal data relating to EU citizens. The UK has implemented GDPR as well and has passed the Data Protection Act 2018 which supplements GDPR, implements the EU’s Law Enforcement Directive and extends data protection laws.
Within the GDPR, there are a number of principles that govern the how personal data should be processed.
These principles cover:
- lawfulness, fairness and transparency;
- purpose limitation;
- data minimisation;
- storage limitation;
- integrity and confidentiality; and
3. What is personal data
Personal data is information relating to an identified or identifiable living person (these are called data subjects) who can be identified directly or indirectly.
3.1. Special categories personal data
There is a further group of personal data described as special category personal data. This includes information relating to:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs or trade union membership;
- genetic or biometric data used for the purpose of identification;
- health; and
- sex life or sexual orientation.
Specific arrangements exist for the processing of these types of personal data and these are described in section 8.1.
3.2. Personal data relating to criminal convictions and offences
Personal data relating to criminal convictions and offences or related security measures is another category of personal data which has specific rules for its processing.
Specific arrangements exist for the processing of these types of personal data and these are described in section 8.1.
4. Purposes for which personal data will be used
Personal data provided by applicants will be used within the University to process applications. This information and further personal data provided by students will be used to provide them, once enrolled, with education and allied services.
- processing applications to the University
- admission, enrolment and registration;
- provision of lectures, seminars and tutorials;
- access to the library, learning resources and ICT facilities;
- pastoral support;
- academic skills;
- supporting you to develop career and employability profile and access opportunities
- international study exchanges and work placements;
- health and safety;
- disciplinary, misconduct and fitness to practise processes;
- exams and assessment;
- alumni relations;
- provision of information to the Students’ Union
- reporting to external bodies on our activities.
Services such as languages, advice, counselling, medical care, financial assistance, disability, nursery, sports centre and the student complaints process may use the personal data held centrally by the University for activities associated with the above functions but separate privacy notices will explain to you how these services process your personal data.
Any personal data we hold will not be excessive nor will it be shared more broadly than it needs to be.
5. What personal data do we use?
The personal data held about students may include:
- other basic personal contact details;
- date of birth;
- family details;
- economic and social circumstances;
- nationality, country of birth, country of domicile
- passport/visa information
- personal mitigating circumstances
- financial details and fee payments;
- sponsorship details
- education details and student records, programme and modules studied;
- information about examinations, assessments and results;
- placement information;
- employment details including work contracts and payroll information;
- CV and related career and employability details;
- disciplinary records;
- attendance records;
- goods or services provided;
- visual images, personal appearance;
- information relating to your activity and behaviour; and
- information held in order to publish University publications
- feedback survey and evaluation information.
In addition to this, the University may process some special categories of personal data about you such as
- racial and ethnic origin
- disability status and physical & mental health details
- offences and alleged offences
- criminal proceedings, outcomes and sentences
- information relating to DBS (Disability and Barring Service) checks
6. Where the University gets its information from
The data held by the University is mainly taken from the details you provide either directly or through a third party such as UCAS or an overseas representative or partner institution during the application and enrolment process and personal data that the University collects before, during and after your time at the University. This may include special categories of personal data (which is explained below) and include photographs. Other information may be received from some of the bodies listed below.
7. Sharing personal data (third party disclosures)
The University may disclose appropriate personal data, including special categories of personal data, to third parties, where it is appropriate to do so, during or after your period of study.
Such disclosure is subject to procedures to ensure the identity and legitimacy of such organisations and their processing. These third parties may include the following (please note that this is not an exhaustive list):
- UK National Recognition Information Centre (NARIC)
- UK Visas and Immigration (UKVI)
- Overseas agents
- HM Prison and Probation Service
- National Health Service
- Education and Skills Funding Agency (ESFA)
- The University’s partners and contractors
- Debt recovery
- The University of Bradford Union
- Local Authorities
- Office for Students, the Quality Assurance Agency, Higher Education Statistics Agency (HESA), Office of the Independent Adjudicator and other HE bodies
- Student Surveys
- Higher Education (HE) institutions in the UK and overseas
- Sponsors, loan organisations and scholarship schemes
- Parents, guardians and other relatives
- Published information
- Employment agencies, prospective employers and third parties requesting information to support the provision of student and graduate opportunities and/or requesting confirmation of awards
- Police, crime and taxation
- Professional Bodies
- Government bodies and NGOs
- Court Orders
Further information on sharing to these organisations can be found in the Appendix.
8. Do we transfer the information overseas?
Data will be transferred from overseas only where application information has been provided to University staff, overseas representative or partner institutions where we have a progression or articulation agreement in place.
Data will only be transferred overseas to University staff based in the University of Bradford Regional Hubs in Beijing, China and Dubai to process applications from international students in that region. Information provided to the Regional Hubs will be subject to the same protection, processes and rights as data held in the UK.
Transfers may be made to countries outside the European Union where the EU has determined that there is an adequate level of protection in place.
Data stored in our database is transferred and saved on servers based in Canada. Canada has “adequacy” status from the European Commission, which determined in 2001 that Canada’s law under PIPEDA (the Personal Information Protection and Electronic Documents Act) was strong enough to satisfy that any data transferred from the EU to Canada would be adequately protected.
9. Under what legal basis do we process your personal data?
In order to process personal information, the University must have a legal basis to process the information.
In most cases, the University will process applicants and students’ personal data because itis necessary for the performance of the student contract or in order to take steps prior to entering into a contract.
For applicants who have applied for an academic programme, the University needs to use your data as the first steps towards potentially entering in to a student contract with you.
If you are admitted as a student the University needs to use your data to perform its obligations under that student contract.
There will be cases where there are other legal bases. For example:
- the University shares information with the police where the request is appropriately authorised and processing is necessary for the performance of a task carried out in the public interest;
- it may share information with medical services under the vital interests where there are grave concerns relating to a student’s health and wellbeing
- it shares information with the Higher Education Standards Agency (HESA) and UK Visas and Immigration (UKVI) as it has a legal obligation to do so;
- it shares information with the University of Bradford Union of Students under its official authority as the University’s Charter requires there to be a Students’ Union and Ordinance 19 states that the Union’s members shall be all registered students of the University except those who opt out of membership.
There will also be situations where the University will process data for the purposes of the legitimate interests pursued by the University or by a third party. Examples of such processing may include:
- where the processing enables us to enhance, modify, personalise or otherwise improve our services / communications for your benefit;
- to better understand how people interact with our websites;
- to provide communications which we think will be of interest to you (direct marketing);
- to determine the effectiveness of our activities and services
Where the University relies on legitimate interests, it must only do so where these interests are not overridden by the interests or fundamental rights and freedoms of the individuals concerned.
The legitimate interests listed above are not thought to impact on your own interests as they are to provide you with the services and information you may need to make the right decision on where you choose to study. If however you would like us to stop using your information in this way please contact the University at MarketingComms@bradford.ac.uk or update your contact preferences in the Your Bradford portal.
Please bear in mind that if you make a request to us to stop using your information this may affect our ability to carry out tasks above for your benefit.
9.1. Special categories of personal data and data relating to criminal convictions.
There are additional requirements where the University processes special categories of personal data and data relating to criminal convictions.
The University collects and process such information in order to undertake equal opportunities monitoring and widening participation assessment to provide access to certain programmes and support for students where appropriate.
In most other cases, the University will only process special categories of personal data where it has explicit consent to do so.
This data will only be accessed by who have a legitimate need to see it.
9.2. Data relating to criminal convictions.
We also ask that students provide information relating to any criminal convictions so that a panel can decide whether we can offer a place.
Also, for certain programmes of study which are accredited by professional, regulatory or statutory bodies, the University is legally required to collect and process data on past criminal convictions.
In most cases the University will only process data relating to criminal convictions where it has explicit consent to do so or where processing takes place under its official authority.
10. How students’ personal data will be used after they have left the University
As well as maintaining student records during a student’s time at the University, it continues to process personal data in connection with alumni management, external relations and development after they have left.
The University may also wish to send information about products or services which may be relevant, and to keep alumni informed about University activities. In such cases we will normally seek your consent.
Alumni who do not wish the University to use their personal data in any of these ways, should write to the alumni office: email@example.com
11. How long is personal data retained by the University
Personal data will be retained for 6 years after the end of the relationship with a student if they enrol on a programme but there are a number of exceptions:
- Certain medical information must be retained for longer periods
- Records of complaints, academic misconduct and student discipline cases are retained for six years after the closure of the case
- A core record to demonstrate and verify degree results is retained for every student permanently
- Office for Students statutory survey data
For those applicants who do not enrol, their personal data will be held for 1 year after the end of the application cycle that they have applied in before being destroyed.
To access the University’s Retention and Disposal Policy which sets out the length of time that the University’s records are retained please click the link below:
12. Your rights
As a person whose personal data we are processing, you have certain rights in respect of that personal data; you have the right:
- To access your personal data that we process
- To rectify inaccuracies in personal data that we hold about you if it is inaccurate or incomplete;
- To request the deletion or removal of your personal data where there is no compelling reason for its continued processing;
- To restrict the processing of your personal data in certain ways
- To obtain your personal data for reuse;
- To object certain processing of your personal data
- To complain to the Information Commissioner’s Office about the way in which we process your personal data.
If you want to look at and check the accuracy of your personal data held by any part of the University, you should in the first instance request informal access to that information.
If you wish to formally access your personal data you should make a Subject Access Request. For more details please refer to the website: https://www.bradford.ac.uk/data-protection
13. Providing personal data to the University
Students must ensure that all personal information provided to the University is accurate and up to date.
You should notify any changes of address, corrections to contact details etc. via the University of Bradford Student Portal: https://portal.bradford.ac.uk
If you believe that any part of the University is not complying with GDPR, the Data Protection Act 2018 or its own Data Protection Policy, you have the right complain to the University’s Data Protection Officer.
Complaints should be submitted to the Data Protection Officer, email: firstname.lastname@example.org
If you do not wish to contact the University or are not content with the outcome of its internal processes, you have the right to complain directly to the Information Commissioner’s Office (ICO):
ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 111
Appendix: Details of Information Sharing
We receive and share personal data from UCAS if you apply to study here via UCAS. More information is available in the UCAS privacy notice at https://www.ucas.com/about-us/policies/privacy-policies-and-declarations/ucas-privacy-policy.
UK National Recognition Information Centre (NARIC)
UK NARIC is the designated United Kingdom national agency for the recognition and comparison of international qualifications and skills. The University shares information with NARIC to confirm the validity of international qualifications.
UK Visas and Immigration (UKVI)
The University has a legal obligation to share information relating to students studying on a Tier 4 student visa. We must report students subject to immigration control whose circumstances change for example when they do not register, withdraw, change their expected end date and fail to maintain contact with the University. The University may also have to provide other information to the UKVI and other agencies in the Home Office.
HM Prison and Probation Service
The University may share information with the Prison and Probation service in relation to students and applicants who are probation or who have had a conviction in order, for example, to assess whether someone is suitable to study on a particular programme.
Education and Skills Funding Agency (ESFA)
The University may share personal data with ESFA which is responsible for funding education and skills in England and for delivery of key services in the education and skills sector in England including the apprenticeship service, the provision of information, advice and guidance through the National Careers Service, and the Learning Records Service.
National Health Service
The University will share information with the NHS, its agencies and trusts in relation to students who receive, or may receive, education and placements from the NHS.
The University is obliged to share personal data with our auditors for them to provide assurance that our processes and activities are fit for purpose. In such cases, only the personal data necessary for these purposes is shared and where it is strictly needed for those purposes.
The University’s partners and contractors
The University may provide personal information to its partners and contractors. In such cases, the University must ensure that this information is managed in accordance with the GDPR, under contractual or similar arrangements and only for the purpose(s) for which it was provided to the partner/contractor.
The University’s agents
In countries where the University has regional representatives or agents we will pass information on to them where we feel the agent will be able to provide assistance and support to students and applicants. In such cases, the University ensures that this information is managed in accordance with the GDPR, under contractual or similar arrangements and only to provide assistance and support.
Where the University’s internal procedures attempting to recover debt from those who owe it money have not been successful, it may disclose personal data about those debtors to third parties debt recovery organisations.
The University of Bradford Union
Some students' personal data will be shared with the University of Bradford Union for the provision of membership, governance, student representation and the delivery of services that they provide on the University’s behalf.
Details of students living in the City of Bradford Metropolitan District Council area and other local authority areas which request the data are shared for the purpose of maintaining the Register of Electors and to administer Council Tax collection and provision of exemptions for those who do not need to pay it. Only relevant information is provided.
The University makes use of the Turnitin UK system to enable academic staff to assess more effectively students' work for the employment of appropriate citations and references and for potential plagiarism. Students may be required to provide a limited amount of personal data, for instance name, email address and course details and submissions, to Turnitin when using the service.
For more information please refer to the University’s website: https://www.brad.ac.uk/elearning/Plagiarism/Student-Guide-to-TurnitinUK/page_01.htm
Use of Turnitin means that personal data is transferred to the United States. Turnitin participates in the EU-U.S. Privacy Shield Framework (Privacy Shield), and is committed to applying the Privacy Shield Principles to all personal information received from countries in the European Economic Area (EEA). The "Privacy Shield” ensures that personal data is processed in the US under the same standards of protection as required by the GDPR. For more information please refer to the Turnitin website: http://turnitin.com/en_us/about-us/privacy#eu-compliance
Office for Students, the Quality Assurance Agency, Higher Education Statistics Agency (HESA), Office of the Independent Adjudicator and other HE bodies
Your personal data will be provided to the above bodies etc. in accordance with the regulations in place and the University’s statutory obligations.
Further details about the data shared with HESA can be found in the HESA-Student collection notice on the HESA website. If you choose to ask the Office of the Independent Adjudicator to undertake an external review of a complaint, relevant personal information will be released to this organisation for this purpose.
The University is required to pass data about its students to the University regulator, the Office for Students, in order for them to conduct the National Student Survey, Graduate Outcomes Survey and other surveys.
These surveys gives students and alumni the chance to give feedback on their experiences at the University, provide information on where you are studying or working after you graduate etc. and the results therefore inform the choices of prospective students and enable the Office for Students to monitor the performance of Universities.
Further information is provided on the websites of these surveys:
- National Student Survey: http://www.thestudentsurvey.com/
- Graduate Outcomes Survey: https://www.hesa.ac.uk/innovation/outcomes/students
The University also participates in the Postgraduate Taught Experience Survey (PTES), Postgraduate Research Experience Survey (PRES) and UK Engagement Survey (UKES) administered by the HE Academy under contractual terms and conditions in compliance with the GDPR.
Higher Education (HE) institutions in the UK and overseas
Where students are involved in, or planning to become involved in, exchange or placement programmes or where other documentation is required, the University may disclose personal data for general educational, assessment, residency etc. purposes.
Sponsors, loan organisations and scholarship scheme
Where students have a sponsor, scholarship scheme or a loan provider, the University may disclose student personal data to these organisations.
In such cases information will only be provided where the University is provided with a contractual agreement for the provision of such information or where the student has given permission for such disclosure.
Parents, guardians and other relatives
Other than in the most exceptional of circumstances, the University will not disclose a student's personal data to parents, guardians and any other relative without consent from the student.
In situations where students have provided details of an “in case of emergency” contact in the event of a medical problem or emergency then some personal data may be provided.
Students are asked whether they consent to their personal data appearing in the relevant graduation ceremony programme and other related graduation material and products.
Students are asked whether they consent to their personal data appearing in resources aimed at other students or potential students e.g. newsletters, case studies, blogs etc.
Photographs of students are used as part of a number of University activities. For example, all ID cards require a photo and the University retains a copy of this photo for the purposes of identification. During the course of their study and during extra-curricular activities, photos may also be taken of students. Students who do not wish to have their photograph to be taken should ensure that they bring this to the photographer’s attention and remove themselves from anywhere photos are being taken.
Attendance at graduation ceremonies will involve the taking of photographs as well as video recordings taken on the day which will be available for purchase and will be published on the University's website. If you do not wish to be filmed, you may graduate in absentia.
Employment agencies, prospective employers and third parties requesting information to support the provision of student and graduate opportunities and/or requesting confirmation of awards
Except where individuals have requested for their personal information to be kept confidential and the University has agreed to do this, the programme of study, award made (including classification) and date of award will be provided to those seeking verification of a graduate’s qualifications.
Except where individuals have requested for their personal information to be kept confidential and the University has agreed to do this, the programme of study, award made (including classification) and date of award, employability skills profile and work experience profile will be provided to those seeking to recruit a student or graduate to an opportunity e.g. job, placement, internship.
The University uses the Higher Education Degree Datacheck (HEDD). HEDD is UK Higher Education’s official system for candidate verification and University authentication and enquiries.
The University will however routinely require the consent of students before providing a personal character reference.
Police, crime and taxation
The University may be informed by the Police when students are convicted or cautioned etc.
The University may also provide information to the Police or other organisations that have a crime prevention or law enforcement function, such as benefit fraud departments of Local Authorities, about students if it is necessary for the prevention or detection of a crime or the collection of taxes etc.
The University has a CCTV system across its estate. Cameras located on and within buildings are monitored by trained security staff. All staff operating the CCTV system do so in compliance with GDPR, the Data Protection Act 2018, the 2008 CCTV Code of Practice, the Regulation of Investigatory Powers Act 2000 and the Private Security Industry Act 2001 and the University's Data Protection Policy.
The University’s website Privacy and Cookies Policy states what the University processes information it obtains from those viewing its website.
Personal data relating to students on specific programmes will be passed to professional bodies which accredit those programmes at the University, those with a regulatory function over our programmes or where qualification on a programme facilitates membership or registration of that body.
Government bodies and NGOs
Many government bodies and NGOs have statutory powers to require the University to provide personal information. This includes UK Visa and Immigration, a subsection of the Home Office.
Others may request information relating to their official functions and the University will normally provide the information requested if it is deemed appropriate to do so.
Where a court orders the University to release information, it has a legal obligation to do so.
The University receives requests for personal data from solicitors acting on a student’s behalf. In such cases, before any personal data is disclosed, the University requires the solicitor to provide consent from the student to demonstrate that they are acting on behalf of that student. Solicitors often refer to this as a form of authority.
In rare cases where a solicitor acting on the other side of a legal case requests information, information will only be provided where the University receives consent or a court order.