Whether you are a student, member of staff or an organisation your privacy is important to us. Our privacy notice(s) aim to advise you on the way we look after your data at various stages, including your rights to access this data.
There are five stages to the student journey:
There are four stages to the staff data journey:
Each privacy notice should explain why we are asking you for particular data, how we will use that and how long we will keep it for. Our privacy notices will also advise you how to access your data, make changes and keep informed.
We are currently developing the Privacy Notices for all stages of staff and student journeys.
Who we are
The University of Derby uses your personal data to provide you with University services, to undertake its responsibilities and to monitor its own performance. The University is registered with the Information Commissioners Office (ICO) with the registration number Z859984X.
Our Data Protection Officer can be contacted at: Data Governance, IT Services, University of Derby, Kedleston Road, Derby, DE22 1GB or email firstname.lastname@example.org.
Why we proces your data
As a data controller the University of Derby can process your personal data under the Data Protection Act 1998 and subsequent enactments.
We process your data for the following purposes:
- Provision of University services including the administration of your studies. This includes welfare services, such as support from the Student Union. Your data is used without your consent if the law requires it for statutory services.
- All financial transactions to and from us, including payments, grants and benefits. You could lose out financially if you do not provide us with your data.
- Where you have agreed for the purpose of consulting, informing and gauging your opinion about our products and services. This is consent-based. There are no consequences to you if you do not provide your data.
- To ensure we meet our statutory obligations, including those related to diversity and equal opportunity. Your data is used as the law requires it for statutory services.
- To carry out legal duties, providing information to others (Local Councils, Department for Education etc).
- To provide other opportunities within the University's business including developing and maintaining our alumni programme.
- To conduct equal opportunities monitoring and eqaulity impact assessments using your 'Protected Characteristic Data'.
Our legal basis for using your information
The University relies on several different legal basis depending on the processing being performed:
(Article 6(1)(a)), Consent - on specific occasions the University will only process certain data if you consent e.g. on registration you only need to provide certain "special categories" of data if you agree that.
(Article 6 (1)(b)), Necessary for the performance of your student contract - on many ocassions the University will process your data to enable it to meet its commitments to you e.g. those relating to education and assessment.
(Article 6 (1)(c)), Necessary to comply with a legal obligation - the University may have legal obligations to provide your personal data to others e.g. the Office for Students (OFS), HESA.
(Article 6 (1)(d)), For the purpose of protecting the vital interest of yourself or another - sometimes in extreme circumstances the University will have to release information to protect your interests or the interests of others e.g. in medical emergencies.
(Article 6 (1)(e)), Processing necessary for the performanace of a task carried in the public interest - the University is an educational and research establishment and in particular its educational and research activity is conducted in a public interest (including your interest and the interest of others).
(Article 6 (1)(f)), Processing is necessary for the purposes of legitimate interest of the University or a third party subject to overridden interests of the data subject - the University (and sometimes third parties) has a broad legitimate interest in activities that connect to the activities and education of students. Subject to those interests not being overridden by the interests of fundamental rights and freedom of students, it will pursue those interests. A good example of this legitimate interest would be its Alumni activities.
Our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which it is collected.
How we collect your data
We collect data to operate effectively and provide you the best experience at this University. You may provide some of this data directly to us, such as when you apply for a University place or begin as a member of staff.
We also obtain data from third parties, for example UCAS (Universities and Colleges Admissions Service). UCAS collect your personal information to manage and support your application to higher education, which they then share with prospective universities.
Who we share your data with
The University may share your data with the following organisations:
- Sponsors or funding organisations (including the Student Loans Company) where a contract exists in accordance with the terms of the contract (which usually relate to attendance and progress reports).
- Other public authorities and public partnerships (e.g. councils, schools, NHS providers, Police, Government Departments etc) if the law requires us to do so.
- Voluntary and non-commercial sector organisations that help us deliver services.
- Businesses that we contract with to help us deliver services.
- Work Placement sites or other educational partners involved in joint course provision where this is necessary for the purposes of your study.
How long we keep your data for
The University keeps personal data for as long as it is needed for the purpose for which it was originally collected. Details of the University's retention and disposal schedule can be found here.
You have the following rights:
- To ask for a copy of the data we hold on you. This is known as the right of subject access. You can find out more about this right on the University's Subject Access Requests webpage.
- Rights to rectification and erasure. You have the right to correct any inaccurate personal data held by the University. Once information the University has collected is no longer necessary for the purpose for which it was collected and processed, you sometimes have the right to have your data erased.
- To ask us to stop processing your data temporarily if you think it is wrong until we work out what is correct
- To ask us to let you take a copy of your data in a portable format to another organisation
You can put in a request for any of these here.
If you only gave us your data with consent, you have the right to withdraw that consent at any time. Please get in touch with us.
How we keep your data secure in other countries
Where the University transfers your data to any organisation in a third country or international organisation (e.g. using Cloud storage) appropriate or suitable safeguards will be written into the contract. You can ask for a copy of the contracts here.
Profiling and automated decisions
The University does not currently undertake any profiling activities or take automated decisions about you.
Making a complaint
If you are unsatisfied with the way in which we process your personal data, we ask that you let us know so that we can try and put things right. You can complain to the University here. If we are not able to resolve issues to your satisfaction, you can refer the matter to the Information Commissioner's Office (ICO). The ICO can be contacted at:
Information Commissioner's Office
Telephone: 0303 123 1113
Contact email@example.com or call +44 (0)1332 592151.
Last updated: May 2018