Prospective student privacy notice

This privacy notice relates to prospective students, our student recruitment activity and how we handle personal data. As part of this activity, we collect and process personal data relating to you. We are committed to being transparent about how we collect and use your data and to meeting our data protection obligations.

What information does the University collect?

Information held about you may include:

Why do we collect your data?

We collect and process your information to deliver the recruitment-related services you have requested through activities such as:

We may also receive the information required to provide these services from third-party sources such as a UCAS fair or an International agent.

We may also use the information you provide us to:

If you provide consent but later decide you want to withdraw this, you have the right to change your mind.

Legal basis for holding your data

We collect your data on the basis of 'legitimate interest' to enable us to provide you with the information you have requested in your enquiry.

How your data is held?

Depending on the service you require your personal data could be held within our email system Dotmailer, the Student Data CRM, Microsoft Dynamics CRM, EventBrite, GeckoEngage or the University edublog network.

These systems are accessed by staff within the Marketing and Communications department who manage the recruitment process.

Who has access to data?

We may share your details with other teams within the university in order to fulfil the service you require. These teams may use a range of systems to store and process data, including, but not limited to the CMS for the website, the Student Data CRM, dotMailer, Eventbrite, SITS.

We work with organisations who help us to process data. Some personal details are held on:

All data relating to your enquiry is held within the European Economic Area and will not be transferred outside of this area.

How does the University protect data?

The university takes the security of your data seriously. It has internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties.

How long we will keep your data?

Your data is kept until the end of the recruitment cycle in which you contacted us. If you ordered a 2019 prospectus in December 2017 we will keep you data until October 2019, for example. If you become a student with us, this data will be then kept according to the student records retention schedule.

Data subject's rights

As a data subject, you have a number of rights. You can:

Use of automated decision-making and profiling

The University does not currently undertake any profiling activities or make automated decisions about you.

The right to complain to the Information Commissioner's Office

If you are unsatisfied with the way the University has processed your personal data, we ask that you let us know so that we can try and put things right, or if you have any questions or concerns about your data please contact us at

If we are not able to resolve the issue to your satisfaction, you have the right to complain to the Information Commissioner’s Office.

Data Controller

The Data Controller is the University of Derby, Kedleston Road, Derby. If you would like information about how the University uses your personal data please email us at or call 01332 592151.

Data Protection Officer

The Data Protection Officer is responsible for advising the University on compliance with Data Protection legislation and monitoring its performance against it. Contact our Data Protection Officer at

Other privacy notices

We do our utmost to protect your privacy. Please be aware that other privacy notices exist within the University in respect of data held, including but not limited, to activities in relation to your enquiries, application, current students, alumni and use of our website.

February 2019
  • We have updated this privacy notice to make some sections clearer and easier to understand
  • The data controller section has been moved for consistency.
June 2020
  • Data Protection Officer - Updated.
January 2021
  • Data Protection Officer - Updated.