Student privacy notice

When you apply, register or enrol at the University of Derby on any undergraduate, postgraduate, research based, apprenticeship programme and those registered on continuing professional development modules, a record will be created in your name.  You will be assigned a unique student ID number, login and University email address. 

During your student journey we collect and process personal data relating to you. The University is committed to being transparent about how we collect and use that data to meet our data protection obligations.

Additional information may be collected for cohorts of students on courses that are regulated by professional and regulatory bodies, apprentices and non-EEA students with immigration considerations that may affect their right to study.

We keep records of your participation in learning activities and your use of other services we offer, e.g. disability services and employability services. 

What information does the University collect?

Data that we collect may include 'special category data' such as racial or ethnic origin, religious beliefs, physical or mental health, or sexual orientation.  You may also give us information about your criminal convictions.

You may provide us with further information if you use some of our services, for example, our employability service.  Should this happen we will explain what we do with this additional data.

Information held about you may include:

  • Your name, contact information such as address, email address and telephone number, as well as your date of birth, country of domicile and your nationality and right to study in the UK.  If you are an overseas student, we also collect information about your passport and immigration documentation.
  • Information relating to your education and employment history, the school(s), sixth form college(s) and other educational establishments you have attended, the courses you have completed, dates of study and examination results.
  • Information used to contact you or your next of kin in case of an emergency.
  • Information about your family or personal or academic circumstances, where this is relevant to the assessment of your suitability to receive a bursary or in order to provide you with academic and non-academic support services, such as study skills, wellbeing services, counselling services.
  • Information about your attendance and engagement with your studies, assessment and feedback and qualifications awarded, as well as your participation in online learning and assessment activities.
  • Details of your courses, enrolments, selected and registered modules, timetables.
  • Financial information collected for the purposes of administering fees and charges, loans, grants, studentships and financial support and debt collection, which includes bank details so that we can pay money owed to you (for example, from a bursary or studentship).
  • Information about your engagement with and use of University services, such as the Library, sport and recreation, as well as information on the provision of advice and support, such as the Careers Service.
  • If you use a University email address and other Microsoft Office 365 services, then we collect and log data about your use of the service. Our digital telephony system logs incoming telephone numbers, these numbers may not be linked to your student record.
  • Photographs, for the purpose of identification, study administration, attendance monitoring, student assessment and examination, examination, examination monitoring and graduation.
  • Video recordings for the purpose of recording lectures, student assessment and examination and examination monitoring and of our graduation ceremonies (live stream and download).
  • Information related to the prevention and detection of crime and the safety and security of our staff and students, including but not limited to, CCTV recording and data relating to breaches of University regulations.

The University also needs to collect and process personal ‘special categories of data’ under the GDPR including:

  • your health and disabilities, to provide support and enable access to university services or to make adjustments to study, assessment and examination.
  • You may give us information relating to your racial or ethnic origin, religious beliefs, physical or mental health, or gender identity and sexual orientation, which we will use for equal opportunities monitoring.
  • If you give us any information about your criminal convictions, or restrictions you are subject to, we may use the information to restrict your access to services where required, to ensure a safe environment.

Why do we collect your data?

The University needs to collect, maintain and use your personal data in order to administer your course, facilitate your education and to deliver and improve services and facilities during your time as a student.  It also helps us to work with you for example providing disability support and support for students from overseas. 

We may collect your personal data in a number of ways, for example:

  • As soon as you contact us, we create a record in your name.  To that record we add information that you give us when reserving, registering or enrolling and throughout your studies.  We keep records of your participation in learning activities and your use of other services we offer, e.g.disability services and employability services.
  • From the information you give us when you interact with us before joining, for example when you express your interest in studying with us, order a prospectus or share your details at an open day.
  • When you apply to study with us and complete application forms via the Universities and Colleges Admissions Service (UCAS) and when you complete other admissions processes and procedures.  See the UCAS privacy policy.
  • When you apply to study with us and complete application forms via the Department of Education (DfE) and when you complete other admissions processes and procedures.  See the Department for Education privacy policy.
  • When you communicate with us by telephone, email or via our website, for example in order to make enquiries or raise concerns.
  • In various other ways as you interact with us during your time as a student, for the various purposes set out below.

We may receive some information about you from third parties

We may contact the Higher Education Statistics Agency (HESA) or other educational institutions to confirm the qualifications you have obtained or to check whether you have been included in a previous HESA or funding from a UK funding authority or government agency, such as a loan or grant, we will receive basic information from the funding provider.  If your fees are paid by another organisation, they may provide some information about you to us.

Legal basis for holding your data

Our legal basis for collecting / processing the data you have submitted is ''contractual' enabling us to provide you with the services you require throughout your student journey.

How your data is held?

Your personal data is held within our University records database and accessed by staff across the University.

Who has access to data?

We may disclose certain personal information to external organisations to carry out our legal responsibilities, functions and to manage our operations or because you have asked us to.  Some data that we share is anonymised or aggregated.  These may include:

  • Higher Education Statistics Agency (HESA).
  • Relevant Government Departments (e.g. Home Office, including UK Visas and immigration, Foreign and Commonwealth Office, Department of Health, Department of Education).
  • Relevant executive agencies or non-departmental public bodies (e.g. HM Revenue and Customs Health and Safety Executive).
  • Office for Students (OFS).
  • Universities and Colleges Admissions Service (UCAS).
  • Office of the Independent Adjudicator (OIA).
  • Department for Education.
  • Organisations running student experience surveys, including the Student Experience Survey (SES), National Student Survey (NSS), the Postgraduate Taught Experience Survey (PTES), the Postgraduate Research Experience Survey (PRES) and the National Student Housing Survey and Graduate Outcomes Survey.
  • Providers of anti-plagiarism software.
  • Student Loans Company (SLC) and other loan and grant providers e.g. US Federal Loans, Canadian Loans, Channel Islands Government.
  • Relevant professional or statutory regulatory bodies and other course accrediting organisations in relation to the confirmation of qualifications, professional registration and conduct and the accreditation of courses.
  • Ofsted, if you are studying for an Initial Training Education Course - see also Initial Teacher Education (ITE) partnerships: Ofsted privacy notice.
  • Anonymised equality data will be shared with third parties including Stonewall and Advance Higher Education for equality benchmarking.
  • Local Authorities to administer Council Tax and for electoral registration.
  • The police and other law enforcement agencies / MASH.
  • Our insurers in respect of accidents.
  • Internal and external auditors.
  • Your sponsors or international agent, where a contract exists.
  • The providers of any external learning.
  • Current or potential employers (to provide references and, where students are sponsored by their employer and/or where you take part in a placement, to provide details of progress / attendance).  We will seek your permission for any disclosure.
  • Library services, including access to online resources and dyslexia support.
  • Companies providing specific services on behalf of the University for graduation.
  • Companies providing specific services on behalf of the University for student trips and/or exchange programme.
  • Third parties who work with us to provide student support services.
  • Third parties who work with us to provide student accommodation.
  • Third parties who are contracted to provide IT services for us.
  • Union of Students at the University of Derby.
  • Your parents/guardian if you are under 18 years old.
  • Enquiries may be received by law enforcement bodies.
  • Banks and employers, when you ask us to confirm that you are a student here or write a reference.
  • Debt collection agencies if you owe us money which we haven't been able to recover from you.
  • Third party software systems required to facilitate applicant and enrolled student data functions.

Some of the personal data we process about you will be transferred to, and stored at, a destination outside the European Economic Area ('EEA'), for example where it is processed by staff operating outside the EEA who work for us or for one of our suppliers, or where personal data is processed by one of our suppliers based outside the EEA or who uses storage facilities outside the EEA.

In these circumstances, your personal data will only be transferred on one of the following bases:

  • Where the transfer is subject to one or more of the 'appropriate safeguards' for international transfers prescribed by applicable law (e.g. standard data protection clauses adopted by the European Commission).
  • A European Commission decision provides that the country or territory to which the transfer is made ensures an adequate level of protection.
  • Where there exists another situation where the transfer is permitted under applicable law (e.g. where we have your explicit consent).

We will not normally disclose any other personal information about you to other external organisations without your consent unless it is in your vital interests to do so, for example an emergency situation.

How does the university protect data?

We take the security of your data seriously. We have internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties.

How long we will keep your data?

Unless we have provided you with other notices concerning the retention of your data, we retain your personal data until the end of our association with you plus 6 years.

After this time we retain a minimum amount of data please see our Alumni Privacy Notice.

We do retain a core record of data indefinitely, in order to provide you or employers references and verify your study with us after you have graduated.

Your data will be kept according to our Records Retention Policy.

Data subject's rights

As a data subject, you have a number of rights. You can:

  • access and obtain a copy of your data via a subject access request
  • require the university to change incorrect or incomplete data
  • require the university to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing
  • object to the processing of your data, in certain circumstances, for example, where the university is relying on its legitimate interests as the legal ground for processing; or for direct marketing purposes
  • ask the university to stop processing data for a period if data is inaccurate or there is a dispute about whether or not your interests override the university's legitimate grounds for processing data
  • withdraw your consent at any time, where we have requested and obtained your consent
  • where our lawful basis is consent or performance of a contract we will allow portability of your data.

If you would like to exercise any of these rights, please .

Use of automated decision making and profiling

The University does not currently undertake any profiling activities or make automated decisions about you.

The right to complain to the Information Commissioners Office

If you are unsatisfied with the way the university has processed your personal data, we ask that you let us know so that we can try and put things right, or if you have any questions or concerns about your data please contact us.

If we are not able to resolve the issue to your satisfaction, you have the right to complain to the Information Commissioner’s Office.

Data Controller

The Data Controller is the University of Derby, Kedleston Road, Derby. If you would like information about how the university uses your personal data please email us at gdpr@derby.ac.uk or call +44 (0) 1332 592151.

Data Protection Officer

The Data Protection Officer is responsible for advising the University on compliance with Data Protection legislation and monitoring its performance against it. Our Data Protection Officer is Mrs Helen Selby. Contact our Data Protection Officer

Other privacy notices

We do our utmost to protect your privacy. Please be aware that other privacy notices exist within the university in respect of data held, including but not limited, to activities in relation to your enquiries, application, current students, alumni and use of our website.

November 2019
  • Reviewed and confirmed as up to date.
June 2020
  • Data Protection Officer - Updated.
January 2021
  • Data Protection Officer - Updated.
August 2021
  • Reviewed and confirmed as up to date.
September 2021
  • 'Why do we collect your data?' - Addition of DfE.
  • 'Who has access to data?' - Addition of DfE.