Privacy Notice for Student Personal Data
|Approved by||University Secretary|
|Date Approved:||29 September 2020|
|Next Review Date||1 August 2021|
This document can only be considered valid when viewed via the University website. If this document is printed into hard copy or saved to another location you must check that the version number on your copy matches that of the one on the University website. Approved documents are valid for use after their approval date and remain in force beyond any expiry of their review date until a new version is available.
- GDPR and the Data Protection Act 2018
- What is personal data
- Purposes for which personal data will be used
- What personal data do we use?
- Where the University gets its information from
- Sharing personal data (third party disclosures)
- Do we transfer the information overseas?
- Under what legal basis do we process your personal data?
- How students’ personal data will be used after they have left the University
- How long is personal data retained by the University
- Your rights
- Providing personal data to the University
- Appendix: Details of Information Sharing
The University collects, holds and processes personal information (referred to in this document as personal data) relating to its students. It does so in order to manage its operations effectively and to administer students’ education and related functions. These activities are carried out in accordance with the General Data Protection Regulation (GDPR), the Data Protection Act 2018 and the University's Data Protection Policy. The purpose of this document is to inform applicants and students (whether on a degree course or non-credit bearing programme) how their personal data will be processed and the purposes for which the data has been collected.
2. GDPR and the Data Protection Act 2018
GDPR is a Data Protection law that applies across the EU and to all processing of personal data relating to EU citizens. The UK has implemented GDPR as well and has passed the Data Protection Act 2018 which supplements GDPR, implements the EU’s Law Enforcement Directive and extends data protection laws.
Within the GDPR, there are a number of principles that govern the how personal data should be processed.
These principles cover:
- lawfulness, fairness and transparency;
- purpose limitation;
- data minimisation;
- storage limitation;
- integrity and confidentiality; and
3. What is personal data
Personal data is information relating to an identified or identifiable living person (these are called data subjects) who can be identified directly or indirectly.
3.1. Special categories personal data
There is a further group of personal data described as special category personal data. This includes information relating to:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs or trade union membership;
- genetic or biometric data used for the purpose of identification;
- health; and
- sex life or sexual orientation.
Specific arrangements exist for the processing of these types of personal data and these are described in section 8.1.
3.2. Personal data relating to criminal convictions and offences
Personal data relating to criminal convictions and offences or related security measures is another category of personal data which has specific rules for its processing.
Specific arrangements exist for the processing of these types of personal data and these are described in section 8.1.
4. Purposes for which personal data will be used
Personal data provided by applicants will be used within the University to process applications. This information and further personal data provided by students will be used to provide them, once enrolled, with education and allied services.
- processing applications to the University
- admission, enrolment and registration;
- provision of lectures, seminars and tutorials;
- access to the library, learning resources and ICT facilities;
- pastoral support;
- academic skills;
- supporting you to develop career and employability profile and access opportunities
- international study exchanges and work placements;
- health and safety;
- disciplinary, misconduct and fitness to practise processes;
- exams and assessment;
- alumni relations;
- provision of information to the Students’ Union
- reporting to external bodies on our activities.
Services such as languages, advice, counselling, medical care, financial assistance, disability, nursery, sports centre and the student complaints process may use the personal data held centrally by the University for activities associated with the above functions but separate privacy notices will explain to you how these services process your personal data.
Any personal data we hold will not be excessive nor will it be shared more broadly than it needs to be.
5. What personal data do we use?
The personal data held about students may include:
- other basic personal contact details;
- date of birth;
- family details;
- economic and social circumstances;
- nationality, country of birth, country of domicile
- passport/visa information
- personal mitigating circumstances
- financial details and fee payments;
- sponsorship details
- education details and student records, programme and modules studied;
- information about examinations, assessments and results;
- placement information;
- employment details including work contracts and payroll information;
- CV and related career and employability details;
- disciplinary records;
- attendance records;
- goods or services provided;
- visual images, personal appearance;
- information relating to your activity and behaviour; and
- information held in order to publish University publications
- feedback survey and evaluation information.
In addition to this, the University may process some special categories of personal data about you such as
- racial and ethnic origin
- disability status and physical & mental health details
- offences and alleged offences
- criminal proceedings, outcomes and sentences
- information relating to DBS (Disability and Barring Service) checks
6. Where the University gets its information from
The data held by the University is mainly taken from the details you provide either directly or through a third party such as UCAS or an overseas representative or partner institution during the application and enrolment process and personal data that the University collects before, during and after your time at the University. This may include special categories of personal data (which is explained below) and include photographs. Other information may be received from some of the bodies listed below.
7. Sharing personal data (third party disclosures)
The University may disclose appropriate personal data, including special categories of personal data, to third parties, where it is appropriate to do so, during or after your period of study.
Such disclosure is subject to procedures to ensure the identity and legitimacy of such organisations and their processing. These third parties include statutory bodies to which the University must disclose information and other organisations with whom it is appropriate and legitimate to share your information.
Further information on sharing to these organisations can be found in the Appendix.
8. Do we transfer the information overseas?
Data will be transferred from overseas only where application information has been provided to University staff, overseas representative or partner institutions where we have a progression or articulation agreement in place.
Data will only be transferred overseas to University staff based in the University of Bradford Regional Hubs in Beijing, China and Dubai to process applications from international students in that region. Information provided to the Regional Hubs will be subject to the same protection, processes and rights as data held in the UK.
Transfers may be made to countries outside the European Union where the EU has determined that there is an adequate level of protection in place.
Data stored in our database is transferred and saved on servers based in Canada. Canada has “adequacy” status from the European Commission, which determined in 2001 that Canada’s law under PIPEDA (the Personal Information Protection and Electronic Documents Act) was strong enough to satisfy that any data transferred from the EU to Canada would be adequately protected.
9. Under what legal basis do we process your personal data?
In order to process personal information, the University must have a legal basis to process the information.
In most cases, the University will process applicants and students’ personal data because itis necessary for the performance of the student contract or in order to take steps prior to entering into a contract.
For applicants who have applied for an academic programme, the University needs to use your data as the first steps towards potentially entering in to a student contract with you.
If you are admitted as a student the University needs to use your data to perform its obligations under that student contract.
There will be cases where there are other legal bases. For example:
- we share information with the police where the request is appropriately authorised and processing is necessary for the performance of a task carried out in the public interest;
- we may share information with medical services under the vital interests where there are grave concerns relating to a student’s health and wellbeing;
- we share information with the Higher Education Standards Agency (HESA) and UK Visas and Immigration (UKVI) as it has a legal obligation to do so;
- we share information with the University of Bradford Union of Students under its official authority as the University’s Charter requires there to be a Students’ Union and Ordinance 19 states that the Union’s members shall be all registered students of the University except those who opt out of membership.
There will also be situations where the University will process data for the purposes of the legitimate interests pursued by the University or by a third party. Examples of such processing may include:
- where the processing enables us to enhance, modify, personalise or otherwise improve our services / communications for your benefit;
- to better understand how people interact with our websites;
- to provide communications which we think will be of interest to you (direct marketing);
- to determine the effectiveness of our activities and services.
Where we rely on legitimate interests, it must only do so where these interests are not overridden by the interests or fundamental rights and freedoms of the individuals concerned.
The legitimate interests listed above are not thought to impact on your own interests as they are to provide you with the services and information you may need to make the right decision on where you choose to study. If however you would like us to stop using your information in this way please contact MyBradford or email@example.com.
Please bear in mind that if you make a request to us to stop using your information this may affect our ability to carry out tasks above for your benefit.
9.1. Special categories of personal data and data relating to criminal convictions.
There are additional requirements where the University processes special categories of personal data and data relating to criminal convictions.
The University collects and process such information in order to undertake equal opportunities monitoring and widening participation assessment to provide access to certain programmes and support for students where appropriate.
In most other cases, the University will only process special categories of personal data where it has explicit consent to do so.
This data will only be accessed by who have a legitimate need to see it.
9.2. Data relating to criminal convictions.
There are additional requirements where the University processes data relating to criminal convictions.
For some programmes of study, particularly those which are accredited by professional, regulatory or statutory bodies, the University is legally required to collect and process data on past criminal convictions.
Applicants and student on all other programmes are not required, except as may be required by law, to disclose any criminal convictions buy, if they wish to do so, may disclose details relating to any past convictions in order for support to be provided.
Further information can be found in the Applicant and Student Criminal Convictions Disclosure Policy.
10. How students’ personal data will be used after they have left the University
As well as maintaining your student record during the time you are at the University, we continue to process personal data in connection with alumni management, external relations and development after you have left.
We may also wish to send information about products or services which may be relevant, and to keep alumni informed about University activities. In such cases we will normally seek your consent.
Alumni who do not wish the University to use their personal data in any of these ways, should write to the alumni office: firstname.lastname@example.org
11. How long is personal data retained by the University
A core student record to demonstrate and verify degree results is retained for every student permanently.
Most other personal data relating to you will be retained for 6 years after you have left the University (or after the end of the relationship between you and the University) but there are a number of exceptions, for example:
- certain health-related information must be retained for longer periods;
- records of complaints, academic misconduct and student discipline cases are retained for six years after the closure of the case;
- Office for Students statutory survey data.
If you are an applicant who does not enrol, your personal data will be held for 1 year after the end of the application cycle during which you applied and will then be destroyed.
The University’s full Retention and Disposal Policy sets out the length of time that the University’s records are retained for.
12. Your rights
As a person whose personal data we are processing, you have certain rights in respect of that personal data; you have the right:
- To access your personal data that we process
- To rectify inaccuracies in personal data that we hold about you if it is inaccurate or incomplete;
- To request the deletion or removal of your personal data where there is no compelling reason for its continued processing;
- To restrict the processing of your personal data in certain ways
- To obtain your personal data for reuse;
- To object certain processing of your personal data
- To complain to the Information Commissioner’s Office about the way in which we process your personal data.
If you want to look at and check the accuracy of your personal data held by any part of the University, you should in the first instance request informal access to that information.
If you wish to formally access your personal data you should make a Subject Access Request. For more details please refer to the website: https://www.bradford.ac.uk/data-protection
13. Providing personal data to the University
You must ensure that all personal information provided to the University is accurate and up to date.
You should notify any changes of address, corrections to contact details etc. via the University of Bradford Student Portal: https://portal.bradford.ac.uk
If you believe that any part of the University is not complying with GDPR, the Data Protection Act 2018 or its own Data Protection Policy, you have the right complain to the University’s Data Protection Officer.
Complaints should be submitted to the Data Protection Officer, email: email@example.com
If you do not wish to contact the University or are not content with the outcome of its internal processes, you have the right to complain directly to the Information Commissioner’s Office (ICO):
ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 111
Appendix: Details of Information Sharing
We are obliged to share personal data with our auditors for them to provide assurance that our processes and activities are fit for purpose. In such cases, the personal data is only shared where it is strictly necessary for these purposes.
The University has a CCTV system across its estate. Cameras located on and within buildings are monitored by trained security staff. All staff operating the CCTV system do so in compliance with GDPR, the Data Protection Act 2018, the 2008 CCTV Code of Practice, the Regulation of Investigatory Powers Act 2000 and the Private Security Industry Act 2001 and the University's Data Protection Policy.
Where a court orders the University to release information, it has a legal obligation to do so.
Debt Recovery Organisations
As part of the Student Contract, we agree to deliver educational services in exchange for tuition fees. If you have not paid your fees and our internal procedures to recover them, or any other money owed to us, have not been successful, we may disclose personal data about those debtors to third parties debt recovery organisations.
Further information on the University’s approach to students with debt can be found in the Procedures Relating to Students with Composite Fees Debt
Education and Skills Funding Agency (ESFA)
The ESFA which is responsible for funding education and skills in England and for delivery of key services in the education and skills sector in England including the apprenticeship service, the provision of information, advice and guidance through the National Careers Service, and the Learning Records Service. We may share personal data with the ESFA in connection with the services they provide.
The University asks students to provide a contact who may be contacted in the event of an emergency such as a medical problem or other exceptional circumstances. We ask that you advise the emergency contact that you have provided their details to the University.
Employment agencies, prospective employers and third parties requesting information to support the provision of student and graduate opportunities and/or requesting confirmation of awards
Except where individuals have requested for their personal information to be kept confidential and the University has agreed to do this, the programme of study, award made (including classification) and date of award will be provided to those seeking verification of a graduate’s qualifications.
It is courteous for a student to contact an academic member of staff before naming them as a referee but where this has not happened and an academic member of staff has been approached by an organisation, where it appears a reasonable request, a reference will be provided
In some cases, the organisation requesting the reference may be asked to provide consent from the student or the University may contact the student directly for consent.
The University will however routinely require the consent of students before providing a personal character reference.
Further information about the University’s position on the provision of references in the following document: Provision of References About Students and Former Students.
On rare occasions, if we have a serious concern about your health and/or wellbeing or that of someone else, we may feel it necessary to contact professional health providers (such as the National Health Services, Local Authority Safeguarding Services or the Emergency Services).
In such circumstances, such a referral will be discussed by the Academic Registrar (or another senior University manager) and the Data Protection Officer before any action is taken. Specialist physical or mental health practitioners may also be involved where their input is also needed.
We may also contact the emergency contact you have specified in e:Vision where you have provided these details.
Government bodies and NGOs
Many government bodies and NGOs have statutory powers to require the University to provide personal information. This includes UK Visa and Immigration, a subsection of the Home Office.
Others may request information relating to their official functions and the University will normally provide the information requested if it is deemed appropriate to do so.
Higher Education (HE) institutions in the UK and overseas
Where students are involved in, or planning to become involved in, exchange or placement programmes or where other documentation is required, the University may disclose personal data for general educational, assessment, residency etc. purposes.
If you live in the Bradford, Leeds, Calderdale or Kirklees Council areas, we share your personal data with your council for the purpose of maintaining the Register of Electors and/or administration of Council Tax exemptions for those who do not need to pay it. Other local authority areas may request similar information and such requests are dealt with on an ad hoc basis.
National Health Service
We will share information with the NHS, its agencies and trusts in relation to students who receive, or may receive, education and placements from the NHS. We may also share information about you in a medical emergency.
Office for Students, the Quality Assurance Agency, Higher Education Statistics Agency (HESA), Office of the Independent Adjudicator and other HE bodies
Your personal data will be provided to the above bodies etc. in accordance with the regulations in place and the University’s statutory obligations.
Further details about the data shared with HESA can be found in the HESA-Student collection notice on the HESA website.
If you choose to ask the Office of the Independent Adjudicator to undertake an external review of a complaint, relevant personal information will be released to this organisation for this purpose.
In countries where we have regional representatives or agents we will pass information on to them where we feel the agent will be able to provide assistance and support to students and applicants. In such cases, we ensure that this information is managed in accordance with the GDPR, under contractual or similar arrangements and only to provide assistance and support.
Parents, guardians and other relatives
Other than in the most exceptional of circumstances, the University will not disclose a student's personal data to parents, guardians and any other relative without consent from the student.
Partners and contractors
We may provide personal information to our partners and contractors. In such cases, we must ensure that this information is managed in accordance with the GDPR, under contractual or similar arrangements and used only for the purpose(s) for which it was provided to the partner/contractor.
HM Prison and Probation Service
We may share information with the Prison and Probation service in relation to students and applicants who are on probation or who have had a conviction in order, for example, to assess whether someone is suitable to study on a particular programme.
Photographs of students are used as part of a number of University activities. For example, all ID cards require a photo and the University retains a copy of this photo for the purposes of identification. During the course of their study and during extra-curricular activities, photos may also be taken of students. Students who do not wish to have their photograph to be taken should ensure that they bring this to the photographer’s attention and remove themselves from anywhere photos are being taken.
Attendance at graduation ceremonies will involve the taking of photographs as well as video recordings taken on the day which will be available for purchase and will be published on the University's website. If you do not wish to be filmed, you may graduate in absentia.
Personal data relating to students on programmes which include placements will be shared with the providers of those placements. The information shared will depend on the nature of the placement and the programme in question and may include special category personal data. The placement providers will provide information to the University on the student’s performance and any concerns or issues that arise on the placement.
Police, crime and taxation
The University may be informed by the Police when students are convicted or cautioned etc.
The University may also provide information to the Police or other organisations that have a crime prevention or law enforcement function, such as benefit fraud departments of Local Authorities, about students if it is necessary for the prevention or detection of a crime or the collection of taxes etc.
Personal data relating to students on specific programmes will be passed to professional bodies which accredit those programmes at the University, those with a regulatory function over our programmes or where qualification on a programme facilitates membership or registration of that body.
Students are asked whether they consent to their personal data appearing in the relevant graduation ceremony programme and other related graduation material and products.
Students are asked whether they consent to their personal data appearing in resources aimed at other students or potential students e.g. newsletters, case studies, blogs etc
The University receives requests for personal data from solicitors acting on a student’s behalf. In such cases, before any personal data is disclosed, the University requires the solicitor to provide consent from the student to demonstrate that they are acting on behalf of that student. Solicitors often refer to this as a form of authority.
In rare cases where a solicitor acting on the other side of a legal case requests information, information will only be provided where the University receives consent or a court order.
The University is required to pass data about its students to the University regulator, the Office for Students, for them to conduct the National Student survey, Graduate Outcomes survey, i-graduate survey and other surveys.
These surveys give students and alumni the chance to give feedback on their experiences at the University, provide information on where you are studying or working after you graduate etc. and the results therefore inform the choices of prospective students and enable the Office for Students to monitor the performance of Universities.
Further information is provided on the websites of these surveys:
National Student Survey: http://www.thestudentsurvey.com/
Graduate Outcomes Survey: https://www.hesa.ac.uk/innovation/outcomes/students
i-graduate Survey: https://www.i-graduate.org/privacy-policy
The University also participates in the Postgraduate Taught Experience Survey (PTES), Postgraduate Research Experience Survey (PRES) and UK Engagement Survey (UKES) administered by the Advance HE under contractual terms and conditions in compliance with the GDPR. The privacy notice relating to these surveys is on the Advance HE website: https://www.advance-he.ac.uk/sites/default/files/2020-01/Privacy-Notice-Surveys-AHE-Data-Processor.pdf
Sponsors, loan organisations and scholarship schemes
Where students have a sponsor, scholarship scheme or a loan provider, the University may disclose student personal data to these organisations.
In such cases information will only be provided where the University is provided with a contractual agreement for the provision of such information or where the student has given permission for such disclosure.
The University makes use of the Turnitin UK system to enable academic staff to assess more effectively students' work for the employment of appropriate citations and references and for potential plagiarism. You may be required to provide a limited amount of personal data, for instance name, email address and course details and submissions, to Turnitin when using the service.
For more information please refer to our website:
Use of Turnitin means that personal data is transferred to the United States. Turnitin participates in the EU-U.S. Privacy Shield Framework (Privacy Shield), and is committed to applying the Privacy Shield Principles to all personal information received from countries in the European Economic Area (EEA). The "Privacy Shield” ensures that personal data is processed in the US under the same standards of protection as required by the GDPR.
For more information please refer to the Turnitin website: http://turnitin.com/en_us/about-us/privacy#eu-compliance
We receive and share personal data from UCAS if you apply to study here via UCAS. More information is available in the UCAS privacy notice https://www.ucas.com/about-us/policies/privacy-policies-and-declarations/ucas-privacy-policy
UK National Recognition Information Centre (NARIC)
UK NARIC is the designated United Kingdom national agency for the recognition and comparison of international qualifications and skills. We share information with NARIC to confirm the validity of international qualifications.
UK Visas and Immigration (UKVI)
We have a legal obligation to share information relating to students studying on a Tier 4 student visa. We must report students subject to immigration control whose circumstances change for example when they do not register, withdraw, change their expected end date and fail to maintain contact with the University. We may also have to provide other information to the UKVI and other agencies in the Home Office.
The University of Bradford Union of Students
Some students' personal data will be shared with the University of Bradford Union for the provision of membership, governance, student representation, student support and the delivery of services that the Union provides on our behalf.
The University’s website Privacy and Cookies Policy states what the University processes information it obtains from those viewing its website.