Applicant privacy notice

As part of the application process, we (the University of Derby) collect and process personal data relating to you. The University is committed to being transparent about how we collect and use that data to meet our data protection obligations.

What information does the University collect?

Information held about you may include:

• Your name, contact information such as address, email address and telephone number, as well as your date of birth, country of domicile and your nationality. If you are an overseas student, we also collect information about your passport and visa
• Information relating to your education and employment history, the school(s), sixth form college(s) and other colleges or universities you have attended and places where you have worked, the courses you have completed, dates of study and examination results
• Information used to contact you or your next of kin in case of an emergency
• Information about your family or personal circumstances, and both academic and extracurricular interests, for example, where this is relevant to the assessment of your suitability to receive a bursary
• Financial information collected for the purposes of administering fees and charges, loans, grants, studentships and financial support

The University also needs to collect and process personal ‘special categories of data’ under the GDPR including:

• Your health and disabilities, to provide support and enable access to university services and to determine course suitability. This may include physical or mental health or condition, religious belief, sexual orientation, racial/ethnic origin
• Gender preference
• Previous criminal convictions, before a place can be offered on certain programmes

You can access the data we have about you by logging in to your applicant area and viewing the information you have submitted.

Why do we collect your data?

The University needs to collect, maintain and use your personal data in order to administer your course, facilitate your education and to deliver and improve services and facilities during your time as a student. It also helps us to work with you for example providing disability support and support for students from overseas.

We may collect your personal data in a number of ways, for example:

• As soon as you contact us, we create a record in your name. To that record we add information that you give us when reserving, registering or enrolling and throughout your studies. We keep records of your participation in learning activities and your use of other services we offer, e.g. disability services and employability services.
• From the information you give us when you interact with us before joining, for example when you express your interest in studying with us, order a prospectus or share your details at an open day.
• When you apply to study with us and complete application forms via the Universities and Colleges Admissions Service (UCAS) and when you complete other admissions processes and procedures. See the UCAS privacy policy.
• When you apply to study with us and complete application forms via the Department of Education (DfE) and when you complete other admissions processes and procedures. See the Department for Education privacy policy
• When you communicate with us by telephone, email or via our website, for example in order to make enquiries or raise concerns.
• In various other ways as you interact with us during your time as a student, for the various purposes set out below.

Legal basis for holding your data

We collect your data on the basis of 'legitimate interest' to enable us to provide you with the information you have requested in your enquiry.

By accepting an offer, we will rely on legitimate interest to collect your data as well as your explicit consent where the University is processing special category data, as per Schedule 1 of the Data Protection Act 2008, for the purposes and in the manner set out in this notice.

How your data is held?

Your personal data is held within our University records database and accessed by staff within admissions and by admissions staff within the academic school.

All data relating to applicants is held within the European Economic Area and will not be transferred outside of this area.

Who has access to data?

We may share your data with a number of internal departments to ensure fair assessment of your application and as part of the normal processing of your application. This may include:

• If you tell us about a disability, this information is shared with the Student Wellbeing team, who contact you to find out about your support needs
• If you are an international applicant we will share data with our international student support team so they can invite you to additional events/activities during the enrolment period
• If you are offered / accepted / are eligible to apply for halls, your data will be shared with Student Living, DSRL
• If you are from a group that is considered to be under-represented in Higher Education, we will share your data with colleagues directly concerned with widening participation at the University

We may disclose certain personal information to external organisations to carry out our legal responsibilities, functions and manage our operations, or because you asked us to. These may include:

• Higher Education Statistics Agency (HESA)
• Relevant government departments (eg Home Office, including UK Visas and Immigration, Foreign and Commonwealth Office, Department of Health. Department of Education)
• Office for Students (OFS)
• Universities and Colleges Admissions Service (UCAS)
• Office of the Independent Adjudicator (OIA)
• Student Loans Company (SLC)
• Relevant professional or statutory regulatory bodies and other course accrediting organisations, which could include representatives of course delivery partners on interview panels
• Local authorities to administer council tax and for electoral registration
• Health trusts or private companies contracted to provide occupational health assessments
• The Police and other law enforcement agencies
• Auditors
• Your sponsors or international agent, where a contract exists
• The providers of any external learning or training placements
• Library services, including access to online resources and dyslexia support
• Third parties who work with us to provide/improve student accommodation
• Your parents/guardian if you are under 18 years old
• Department of Education
• TP Health
• CAS Shield by Enroly

We will not normally disclose any other personal information about you to other external organisations without your consent unless it is in your vital interests to do so (for example an emergency situation).

How does the University protect data?

We take the security of your data seriously. We have internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties.

How long we will keep your data?

We keep personal data for as long as it is needed for the purpose for which it was originally collected. We keep applicant data for one year after the end of the recruitment cycle in which you applied, though if you become a student your data will be kept according to the Records Retention Policy.

Data subject's rights

As a data subject, you have a number of rights. You can:

• Access and obtain a copy of your data via a subject access request
• Require the University to change incorrect or incomplete data
• Require the University to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing
• Object to the processing of your data, in certain circumstances, for example, where the University is relying on its legitimate interests as the legal ground for processing; or for direct marketing purposes
• Ask the University to stop processing data for a period if data is inaccurate or there is a dispute about whether or not your interests override the University's legitimate grounds for processing data
• Withdraw your consent at any time, where we have requested and obtained your consent
• Where our lawful basis is consent or performance of a contract we will allow portability of your data

If you would like to exercise any of these rights, please contact us at gdpr@derby.ac.uk.

Use of automated decision making and profiling

The University does not currently undertake any profiling activities or make automated decisions about you.

The right to complain to the Information Commissioners Office

If you are unsatisfied with the way the university has processed your personal data, we ask that you let us know so that we can try and put things right, or if you have any questions or concerns about your data please contact us at gdpr@derby.ac.uk.

If we are not able to resolve the issue to your satisfaction, you have the right to complain to the Information Commissioner’s Office.

Data Controller

The Data Controller is the University of Derby, Kedleston Road, Derby. If you would like information about how the university uses your personal data please email us at gdpr@derby.ac.uk

Data Protection Officer

The Data Protection Officer is responsible for advising the University on compliance with Data Protection legislation and monitoring its performance against it. Contact our Data Protection Officer at dpo@derby.ac.uk

Other privacy notices

We do our utmost to protect your privacy. Please be aware that other privacy notices exist within the University in respect of data held, including but not limited, to activities in relation to your enquiries, application, current students, alumni and use of our website.