Privacy Notices

Overview

Whether you are a student, member of staff or an organisation your privacy is important to us. Our privacy notices aim to advise you on the way we look after your data at various stages, including your rights to access this data.

The University of Derby uses your personal data to provide you with University services, to undertake its responsibilities and to monitor its own performance.  The University is registered with the Information Commissioners Office (ICO) with the registration number Z859984X.

Our Data Protection Officer can be contacted at: Corporate Information, Governance & Assurance, Legal, Governance & Assurance Services, Kedleston Road, Derby, DE22 1GB or email gdpr@derby.ac.uk.

As a data controller the University of Derby can process your personal data under the Data Protection Act 2018, GDPR and subsequent enactments.

We process your data for the following purposes:

  • Provision of University services including the administration of your studies. This includes welfare services, such as support from the Student Union. Your data is used without your consent if the law requires it for statutory services
  • All financial transactions to and from us, including payments, grants and benefits. You could lose out financially if you do not provide us with your data
  • Where you have agreed for the purpose of consulting, informing and gauging your opinion about our products and services. This is consent-based. There are no consequences to you if you do not provide your data
  • To ensure we meet our statutory obligations, including those related to diversity and equal opportunity. Your data is used as the law requires it for statutory services
  • To carry out legal duties, providing information to others (Local Councils, Department for Education etc)
  • To provide other opportunities within the University's business including developing and maintaining our alumni programme
  • To conduct equal opportunities monitoring and equality impact assessments using your 'Protected Characteristic Data'

The University relies on several different legal basis depending on the processing being performed:

(Article 6(1)(a)), Consent - on specific occasions the University will only process certain data if you consent eg on registration you only need to provide certain "special categories" of data if you agree that.

(Article 6 (1)(b)), Necessary for the performance of your student contract - on many occasions the University will process your data to enable it to meet its commitments to you eg those relating to education and assessment.

(Article 6 (1)(c)), Necessary to comply with a legal obligation - the University may have legal obligations to provide your personal data to others eg the Office for Students (OFS), HESA.

(Article 6 (1)(d)), For the purpose of protecting the vital interest of yourself or another - sometimes in extreme circumstances the University will have to release information to protect your interests or the interests of others eg in medical emergencies.

(Article 6 (1)(e)), Processing necessary for the performance of a task carried in the public interest - the University is an educational and research establishment and in particular its educational and research activity is conducted in a public interest (including your interest and the interest of others).

(Article 6 (1)(f)), Processing is necessary for the purposes of legitimate interest of the University or a third party subject to overridden interests of the data subject - the University (and sometimes third parties) has a broad legitimate interest in activities that connect to the activities and education of students.  Subject to those interests not being overridden by the interests of fundamental rights and freedom of students, it will pursue those interests.  A good example of this legitimate interest would be its Alumni activities.

Our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which it is collected.

Direct Collection

We collect data to operate effectively and provide you the best experience at this University. You may provide some of this data directly to us, such as when you apply for a University place or begin as a member of staff.

In-direct Collection

We also obtain data from third parties, for example UCAS (Universities and Colleges Admissions Service). UCAS collect your personal information to manage and support your application to higher education, which they then share with prospective universities.

The University may share your data with the following organisations:

  • Sponsors or funding organisations (including the Student Loans Company) where a contract exists in accordance with the terms of the contract (which usually relate to attendance and progress reports)
  • Student and Staff data will be submitted to HESA.  Please view the HESA Student and Staff Collection Notice
  • Other public authorities and public partnerships (eg councils, schools, NHS providers, Police, Government Departments etc) if the law requires us to do so
  • Voluntary and non-commercial sector organisations that help us deliver services
  • Businesses that we contract with to help us deliver services
  • Work Placement sites or other educational partners involved in joint course provision where this is necessary for the purposes of your study.

The University keeps personal data for as long as it is needed for the purpose for which it was originally collected. For details, see our retention and disposal schedule.

You have the following rights:

  • To ask for a copy of the data we hold on you.  This is known as the right of subject access.  You can find out more about this right on the University's Individual's Rights webpage
  • Rights to rectification and erasure.  You have the right to correct any inaccurate personal data held by the University.  Once information the University has collected is no longer necessary for the purpose for which it was collected and processed, you sometimes have the right to have your data erased
  • To ask us to stop processing your data temporarily if you think it is wrong until we work out what is correct
  • To ask us to let you take a copy of your data in a portable format to another organisation.

You can put in a request for any of these by contacting us at GDPR@derby.ac.uk.

If you gave us your data with consent, you have the right to withdraw that consent at any time. Please get in touch with us.

Where the University transfers your data to any organisation in a third country or international organisation (eg using Cloud storage) appropriate or suitable safeguards will be written into the contract. You can ask for a copy of the contracts.

The University does not currently undertake any profiling activities or take automated decisions about you.

If you are unsatisfied with the way in which we process your personal data, we ask that you let us know so that we can try to put things right. If we are not able to resolve issues to your satisfaction, you can refer the matter to the Information Commissioner's Office (ICO). The ICO can be contacted at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113

Contact us

If you have a question about how we use your personal information, please email us at gdpr@derby.ac.uk