How the University uses student personal data (Fair processing notice)

About this notice

The University needs to collect and process personal data in order to function effectively as an educational institution and to provide students with the support they require while undertaking their studies. Personal data is processed for a variety of reasons (as set out below) and all such personal data will be collected and processed in accordance with the requirements of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

This notice explains how the University collects, uses and shares personal data relating to applicants and prospective, current and former students (you/your) and your rights in relation to the processing of your personal data.

In this notice:

• personal data means any data which can identify you directly or indirectly (whether itself or when combined with other data), regardless of the format or media on which the data are stored. This includes data that can identify you when combined with other data that is held separately (pseudonymous data) but does not include data that has been manipulated so that you can no longer be identified from it (anonymous data).
• processing means any activity relating to your personal data including collection, use, alteration, storage, disclosure and destruction.

Unless the University processes your personal data on behalf of another organisation for purposes that have been determined by that organisation, the University is a ‘controller’ in relation to your personal data and is registered as such with the Information Commissioner’s Office (ICO) (registration number Z6650067).

Changes to this notice

The University may update this notice at any time and may provide you with further notices on specific occasions where we collect and process personal data about you. You should check this notice regularly to take notice of any changes, however where any change affects your rights and interests, we will make sure we bring this to your attention and clearly explain what this means for you.

Questions or comments

If you have any questions or comments regarding this notice or you wish to exercise any of your rights (see below), you should contact our Data Protection Officer by email at data-protection@bristol.ac.uk or by phone on ext. 41824.

How we collect your personal data

We may collect your personal data in a number of ways, including:

• personal data provided by you when you express an interest in applying to the University (for example, by booking a place on one of our open days or requesting a printed prospectus).
• personal data provided by you when you apply to be a student at the University (for example, by applying online through the Universities and College Admissions Service (UCAS), or directly to the University).
• personal data provided by you when you register as a student with the University.
• personal data provided by you when you communicate with us by telephone, email or via our website and social media (for example when you contact us or any member of our staff to make an enquiry or raise a concern).
• personal data collected from or observed about you in the course of your studies including your use of University resources, services and systems and other interactions with the University.
• personal data from third parties in the course of the application and admissions process, or during the course of your studies (for example, UCAS, other institutions that deliver joint programmes with the University, Government departments such as the Home Office, the Student Loans Company and your previous or current school, college, university or employer who may provide a reference about you or who may sponsor your studies).

Types of personal data processed

Personal data the University may process includes:

• your unique University student number and other examples of unique system IDs (e.g. UCAS personal ID)
• contact information (including name, term-time and holiday addresses, date of birth, phone numbers and email addresses)
• photographs
• information provided as part of your application to study at the University, or created during the application process (e.g. interview scores and notes)
• financial information
• attendance information (for teaching and pre-registration events such visit days and interviews)
• visa and immigration information (including visa and passport details)
• academic marks and progress
• information provided in relation to extenuating circumstances, appeals and complaints
• references
• disciplinary information
• caring responsibilities   
• information regarding hobbies and interests
• other legitimate personal data relating to academic and pastoral support

We may also collect, or you may choose to provide us with, the following special categories of more sensitive personal data:

• information revealing your race or ethnicity, religious beliefs, sex life or sexual orientation (whether or not indicated by your gender or gender identity) and political opinions
• information about your health, including any disability or medical condition, and dietary requirements
• information about criminal convictions or offences

These types of personal data require us to take additional steps to ensure their security and confidentiality.

Personal data provided by you about others

You may provide us with personal data about other individuals, for example, emergency contact details and information about your family circumstances and dependents (for example to assess bursary and grant eligibility and provide pastoral care services). Students should notify the relevant person that they are providing their contact details to the University as their listed emergency contact.

How the University uses personal data about you

The University may process personal data (including special categories of personal data) about you for the following purposes:

• administration of applications (for example, receiving and processing UCAS forms and applications, compilation of statistics, assessments of applications and interviews including offers at different stages of progression)
• educational administration (for example, programme and unit registration, progress monitoring, timetabling, calculation and publication of assessments and results, provision of references and assessing eligibility for bursaries and grants)
• provision of library and information services (for example, administration of membership, cards, loans and fines)
• provision and maintenance of computing facilities (for example, email accounts and internet access)
• financial administration (for example, payment of tuition fees and other services administered by Finance Services, provision of loans and bursaries via the Student Funding Office, and the use of debtor information to make decisions about withholding bursary payments, preventing re-registration of returning students and inviting students to graduation ceremonies)
• administration of student welfare/pastoral care services (for example, contact with personal tutor, Counselling Service, Disability Services, Careers Service and financial advice services)
• administration and provision of health care services (for example, Student Health Service and Counselling Service)
• security and crime prevention/detection (for example, the use of regulated CCTV, security incident reports)
• provision of student ID card (UCard)
• provision and management of University owned and privately-owned property for students
• promotion of the University (for example, providing information about programmes that may be of interest to you, summer schools and events hosted, co-hosted or supported by the University on and off-campus)
• auditing compliance with the University’s legal and regulatory obligations and policies (including those relating to visa/Tier 4 requirements)
• handling complaints, appeals and disciplinary actions

The University will also use student personal data to produce non-identifiable statistical data for analysis to fulfil its commitment to equality monitoring, to provide a more targeted response to improving the student experience, and to respond to freedom of information requests.

Lawful grounds for processing your personal data

We will only use your personal data when we are permitted to do so by law. Most commonly, we will use your personal data:

• to perform a contract the University has entered into with you or take steps before entering into a contract with you at your request (for example, as part of the admissions process and once you have enrolled as a student, to provide you with the services set out in the Student Agreement).
• to comply with the University’s legal obligations (for example, complying with immigration, anti-money laundering, health and safety and safeguarding laws, preventing and detecting crime, assisting the police and other authorities with their investigations).
• to perform tasks carried out in the public interest which are mainly set out in the University’s Charter (and related Acts, Statutes, Ordinances and Regulations).
• where necessary for our legitimate interests or those of a third party provided your interests and rights do not override those interests (for example, providing services that do not form part of the Student Agreement, monitoring the effectiveness and performance of the University’s teaching, promoting equality and diversity, providing administrative and management services and recovering monies owed to us).
• to protect your vital interests or those of another person (for example where we know or have reason to believe that you or another person may suffer harm)

In circumstances, where you have a genuine choice as to whether we should process your personal data, we will ask you for your consent. The method used to obtain your consent will depend on the scope and context of the processing that we propose.

In relation to special categories of personal data and personal data relating to criminal convictions and offences, we may request your explicit consent unless a condition applies which allows us to process such personal data without doing so.

Sharing your personal data with third parties

Where there are lawful grounds for doing so, the University may share your personal data with the following third parties:

• Individuals employed or engaged by the University, to the extent necessary to perform their duties
• The Higher Education Statistics Agency (HESA). Every year the University is required to send some of the information it holds about you to HESA. HESA is an official source of data about UK higher education. Your HESA information is used for a variety of purposes by HESA and by third parties. For example, it is used by Higher Education funding and regulatory bodies for their statutory and/or public functions including funding, regulation and policy-making purposes. It is also used for statistical and research purposes, such as the Graduate Outcomes survey for which you may be contacted by phone, SMS or email after you graduate. On 4 October 2022 HESA merged with Jisc. HESA is now part of Jisc, a not-for-profit company limited by guarantee, registered in England (company number: 05747339; charity number: 1149740). This means that Jisc is now the data controller for all data sent to HESA. See more information about HESA/Jisc's use of your personal data
• The Office for Students, or parties acting on its behalf (for example, Ipsos MORI conducting the National Student Survey)
• Student Loans Company and other bodies involved in student finance (for example, Student Awards Agency Scotland, Student Finance England, Student Finance Wales, Student Finance Northern Ireland, Student Finance European Union) - to allow students to receive their loans
• Department of Education and Local Education Authorities
• Local authorities (primarily Bristol City Council, but potentially other neighbouring authorities) - in relation to Council Tax exemption, maintaining the electoral roll and administration of housing benefit
• UK Visas and Immigration - information on immigration and visas
• General Medical Council (GMC) - for medical graduates, to process and maintain registration with the GMC
• General Dental Council (GDC) - for dental graduates, to process and maintain registration with the GDC
• Royal College of Veterinary Surgeons (RCVS) – for veterinary graduates, to process and maintain registration with the RCVS
• The Students’ Union (Bristol SU) - the University will provide Bristol SU with student personal data to allow it to create and manage its membership list, though students can decide not to be a member
• JISC Plagiarism Detection Service (Turnitin^®)
• External accommodation providers - where student accommodation is provided on behalf of the University
• Research Councils
• External parties assisting with admissions or examination procedures (for example, interviewing for certain programmes)
• Agents assisting the University with international admissions (limited to what is strictly necessary for the performance of the agent’s role) - this may include the disclosure of personal data outside the European Economic Area
• Internal and external auditors
• External examiners
• Other education institutions, partners or research organisations where a student's programme is being run collaboratively, or where such parties host students for elements of their programme (for example, other universities, schools, NHS and industry bodies)
• Sponsors of students - information will only be disclosed when in compliance with sponsorship agreements and will be kept to the minimum required (for example, providing award verification letters)
• Third parties performing administrative functions on behalf of the University (acting as data processors)
• Debt collection agencies – when students have not paid fees that they owe
• Police and other investigative agencies - only where the disclosure of personal data would assist with the investigation of a crime or other alleged misconduct, and such disclosures are necessary and proportionate to the aims of the investigation
• Organisations seeking student views to enable the University to endeavour to improve the experience offered to students (for example, the National Student Survey)
• The Government and local authorities during information gathering exercises when the University is legally obliged to provide data
• Potential employers and other educational institutions requesting a reference for a current or past student (consent is implied by providing the University’s details as a referee). This includes confirmation of awards.
• Academic and research staff for the purposes of research (potentially involving disclosures to external organisations or regulators, under contract and properly assessed) – steps will be taken to protect your identity, which will not be published, and data will not be used to take decisions about you individually. 

Where the University uses third parties to process personal data on its behalf (acting as data processors), a written contract will be put in place to ensure that any personal data shared will be held in accordance with the requirements of data protection law and that such data processors have appropriate security measures in place in relation to your personal data.

Parents, family members and guardians are considered to be third parties and your personal data will not be disclosed to such persons unless you have given your consent at application or registration to the disclosure of limited information in certain circumstances, or the disclosure is otherwise made in accordance with data protection law.

Please note that we may need to share your personal information with a regulator or to otherwise comply with the law.

Where your personal data are stored

Most personal data about you, including your core student records, will be stored on servers within the UK or elsewhere within the European Economic Area (EEA). However, some personal data that the University processes about you may be accessed from, transferred to, or stored in, a country or territory outside of the EEA. The University will only transfer your personal data outside of the EEA:

• to a country or territory that has been determined by the European Commission as providing an adequate level of protection for your personal data.
• where the transfer is subject to one or more appropriate safeguards prescribed by law, including the standard contractual clauses approved by the European Commission.
• in the case of a third party based in the United States of American, where such third party is certified under a relevant certification scheme approved by the UK Government.
• if the transfer is otherwise permitted by law, or necessary for the performance of a contract, or where you have given your explicit consent.

How the University keeps your personal data secure

The University has put in place appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used or accessed in any unauthorised way or altered or disclosed. In addition, the University limits access to your personal data to the persons and organisations described above who have a need to access it. For further information, visit the University’s Information Security page.

The University has also put in place procedures to deal with any suspected personal data security breach and will notify you and any applicable regulator of a suspected breach where legally required to do so.

How long the University will retain your personal data

The University must only to retain your personal data for as long as necessary to fulfil the purposes for which it was collected and to satisfy any legal, regulatory, accounting or reporting requirements.

Specified retention periods are applied to each category of personal data that we may process about you. In setting these retention periods, the University has taken into account:

• the nature, sensitivity and volume of the personal data
• the potential risk of harm to you arising from the University’s continued retention of the personal data
• the purposes for which the University may process your personal data
• whether the University is required to retain any personal data by law or in accordance with its legitimate interests

Generally speaking, all relevant correspondence in relation to your application and studies will be held by the University and retained for six years after your graduation or departure, after which time it will be securely disposed of. Core information about your studies and academic awards (e.g. dates of study, courses studies, main academic details etc) will be retained indefinitely.

In some cases, the University may anonymise your personal data so that it can no longer be identified with you, in which case the University may retain such data indefinitely.

If notice of a legal claim or other proceeding is received, then the University may retain and process relevant personal data in order to defend the claim for the duration of the same.

Whilst the University may dispose of any personal data after the conclusion of the claim, please be aware that all litigation documents disclosed, or evidence given, may be a matter of public record.

Collaborative programmes of doctoral training

Please be aware that if you are applying for or enrolling on a collaborative programme of doctoral training (such as those listed on the Bristol Doctoral College website) then the University will need to make some further uses and disclosures of your personal data to administer your place on the programme. For further information, please see the relevant Data Protection Statement.

Contact directories

The name and email address of all students will be included in the University contact directory, the contents of which are accessible to all University staff and students, but not to external audiences.

Postgraduate Research students' details will be included in the Explore Bristol Research and Pure directories, which are public-facing.

If students do not wish their details to feature in these directories they need to contact the University Secretary's Office who will consider their request. Please contact data-protection@bristol.ac.uk . 

Email

Email for students is provided by a third party. This requires the University to disclose some personal data (name and email address) to this third party. Students using the service are also subject to the third party's terms of use and privacy policy and are notified of these terms when issued with their account.

Your responsibilities

You must ensure that any personal data collected and processed by you in the course of your studies is held in accordance with the University’s Data Protection Policy. Any research involving the use of personal data should only be conducted following an ethical review. You are also subject to the University’s Information Security Policy.

You have a responsibility to ensure your personal details are up to date. Registered students can do this online at Student Info, and applicants should contact UCAS or the University.

UCard (University ID card)

The UCard Privacy Policy sets out how personal data, and other information related to the UCard, is handled.

CCTV

The University operates CCTV around its properties for security and crime detection purposes. For further information, please see the University’s CCTV Code of Practice.

Alumni

Once you graduate, you will automatically become a member of the University’s alumni community and your data will be held securely on the University’s alumni database. The University keeps alumni up to date with news from Bristol and information about activities including events, volunteering opportunities and fundraising. You can change the way the University communicates with you at any time by emailing alumni@bristol.ac.uk. You can read more about the alumni data policy here: www.bristol.ac.uk/alumni-your-data.

Your rights

You have a number of rights in relation to the processing of your personal data by the University:

• Access: You have the right to request access to and be provided with a copy of the personal data held about you together with certain information about the processing of such personal data to check that the University is processing it lawfully and fairly.
• Correction: You have the right to request correction of any inaccurate or incomplete personal data held about you.
• Deletion: You have the right to request erasure of any personal data held about you where there is no good reason for the University to continue processing it, or where you have exercised your right to object to the processing of your personal data.
• Restriction: You have the right to request restriction of how the University processes your personal data, for example, to confirm its accuracy or the University’s reasons for holding it or as an alternative to its erasure.
• Objection: You have the right to object to the University’s processing of any personal data which is based on the legitimate interests of the University, or those of a third party, relating to your particular circumstances. You also have the right to object to the University processing your personal data for direct marketing purposes.
• Portability: You have the right to receive or request that the University  transfers a copy of your personal data in an electronic format where the basis of the University processing such personal data is your consent or the performance of a contract, and the information is processed by automated means.
• Complaints: You have the right to complain to the Information Commissioner’s Office (ICO) or any other EU supervisory authority in relation to how the University processes your personal data.

Applications to study at the University may be subject to elements of automated decision making; for example, identifying qualifications from non-accredited institutions and scoring grades against those required for a particular course. If you wish to object to these processes or to find out more please contact the University's Data Protection Officer.

To exercise any of these rights you will need to contact the University’s Data Protection Officer at data-protection@bristol.ac.uk. The University may be entitled to refuse any request in certain circumstances and you will be notified accordingly where this is the case.

Where the lawful ground relied upon by the University to process any of your personal data is your consent, you have the right to withdraw such consent at any time without having to give any reason. However, if you do so, the University may not be able to provide some or all of its services to you or the provision of those services may be affected.

You will not have to pay any fee to exercise any of the above rights, though the University may charge a reasonable fee or refuse to comply with your request if any request is clearly unfounded or excessive. Where this is the case, you will be notified accordingly.

To protect the confidentiality of your personal data the University may ask you to verify your identity before fulfilling any request in relation to your personal data.

June 2023