General Privacy Notice

How the University uses the personal data of individuals who interact with the University.

About this notice

This notice explains how the University of Bristol (the University) collects, uses, and shares the personal data relating to individuals who interact with the University and are not staff, current students, prospective students or research participants. This includes, but is not limited to:

  • Visitors
  • Alumni - please also refer to the Privacy Notice for the Global Engagement Division
  • Donors
  • Event attendees
  • Individuals who use the sports facilities
  • Individuals who have a professional relationship with the university (such as members of boards, professional partners, external assessors, collaborators etc.)
  • Individuals acting as suppliers or service providers (for example, self-employed professionals such as musicians, performers, or therapists) where business details may also constitute personal data, including name, home address, and contact information
  • Individuals participating in activities with the University
  • Other members of the public who interact with the university

This notice also outlines your rights in relation to the processing of your personal data.

This is a General Privacy Notice and may be superseded by a ‘Local Privacy Notice.’

Unless the University processes your personal data on behalf of another organisation for purposes that have been determined by that organisation, the University is a ‘controller’ in relation to your personal data, and is registered as such with the Information Commissioner’s Office (ICO) (registration number Z6650067).

Personal data is processed for a variety of reasons (as set out below), and all such personal data will be collected and processed in accordance with the requirements of the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and any subsequent relevant legislation.

In this notice:

  • Personal data means any data which can identify you directly or indirectly (whether itself or when combined with other data), regardless of the format or media in which the data are stored. This includes data that can identify you when combined with other data that is held separately (pseudonymous data), but does not include data that has been manipulated so that you can no longer be identified from it (anonymous data).
  • Processing means any activity relating to your personal data including collection, use, alteration, storage, disclosure and destruction.

Changes to this notice

We may update this notice at any time and may provide you with further notices on specific occasions where we collect and process personal data about you. You should check this notice regularly to take notice of any changes. Where any change affects your rights and interests, we will inform you and clearly explain what this means for you.

How the University collects your personal data

We may collect your personal data in a number of ways, including:

  • Directly from you when you contact the University for information regarding its services, or provide preferences and requirements where you attend University events, or use University facilities. This includes contact by phone, email, the University website, or on social media.
  • From third-party organisations (e.g. from partners or service providers that we collaborate with for specific approved purposes).

Types of personal data processed

Personal data the University may process includes (non-exhaustive list):

  • Personal details (such as your name, contact details and email address)
  • Donation history
  • Payment details
  • Any preferences or requirements you specify during registration to an event
  • CCTV images
  • Contact details for next of kin, or others, to be used in an emergency
  • Any other information about you that is obtained or shared due to your presence on University premises or attendance at an event, or interest in the University’s activities.
  • Any other information about you that is obtained or shared during your interaction, correspondence or contact with the University

Special category data

We may collect, or you may choose to provide us with, special categories of personal data, such as information relating to your:

  • Race or ethnicity
  • Religious or similar beliefs
  • Sex life or sexual orientation (whether or not indicated by your gender or gender identity)
  • Physical and mental health: including any disabilities, medical conditions and dietary requirements
  • Criminal convictions or offences.

We take additional steps and measures to ensure the security and confidentiality of these sensitive special categories of data.

How the University uses personal data about you

Your personal data (including special categories of personal data) may be processed for the following purposes:

  • To assist with your enquiry or request
  • To enable the University to provide you with a product, facility or service we offer 
  • To comply with a legal or regulatory obligation 
  • To comply with an information rights request or a freedom of information request
  • To enable our suppliers or partners to carry out their obligations
  • To enable information to be lawfully shared following an incident, including emergency situations

Lawful grounds for processing your personal data

We will only use your personal data when we are permitted to do so by law. Most commonly, we will use your personal data:

  • To perform a contract the University has entered into with you, or to take steps before entering into a contract with you at your request (for example, by booking to attend an event, we will be required to collect, store, use and otherwise process information about you for any purposes deemed necessary for entering into, or for the performance of, your contractual agreement with the university)
  • Where we have your consent (for example, to provide you with any advice and information which you have requested)
  • To comply with the University’s legal obligations (for example, to provide support for disability or health-related adjustments)
  • Where necessary for our legitimate interests or those of a third party, provided your interests and rights do not override those interests

We will only use your personal data for the reasons we collected it. If we need to use it for a different but related reason, we will only do so if that reason is compatible with the original purpose. If we ever need to use your personal data for a completely different reason, we will let you know and explain the legal basis for doing so.

Who will access your personal data?

Employees within the University will be able to access your data if they need to do so to perform their roles within the University. Only members of staff who need access to relevant personal data will be authorised to do so.

Sharing your personal data with third parties

Where we have lawful grounds for doing so, we may share your personal data with the following third parties:

  • Third-party service providers such as IT suppliers, event platforms, catering providers, and security services
  • The Higher Education Statistics Agency and Office for Students
  • UK agencies with duties relating to prevention and detection of crime, collection of a tax or duty, or safeguarding national security
  • Insurers, debt collection agencies, and other agents of the University
  • Legal advisors and representatives handling disputes
  • The Government and local authorities during information gathering exercises when the University is legally obliged to provide data

We do not allow our third-party service providers to use your personal data for their own purposes. They are permitted only to process your personal data for specified purposes and in accordance with our agreement.

Please note that we may need to share your personal information with a regulator or to otherwise comply with the law.

Where your personal data are stored

Most personal data about you will be stored on servers within the UK or elsewhere within the European Economic Area (EEA). However, some personal data that the University processes about you may be accessed from, transferred to, or stored in, a country or territory outside of the EEA. The University will only transfer your personal data outside of the EEA:

  • To a country or territory that has been assessed by the UK Government as providing an adequate level of protection for your personal data.
  • In the case of a third party based in the United States of America, where such third party is certified under a relevant certification scheme approved by the UK Government.
  • Where the transfer is subject to one or more appropriate safeguards prescribed by law, including the international data transfer agreement, standard contractual clauses or other provisions approved by the UK Government.
  • If the transfer is otherwise permitted by law or where you have given your explicit consent.

How the University keeps your personal data secure

We have put in place appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used or accessed in any unauthorised way, or altered or disclosed. In addition, we limit access to your personal data to the persons and organisations, including those described above, who have a lawful and legitimate need to access it. For further information, visit the University’s Information Security page.

We have also put in place procedures to deal with any suspected personal data security breach and will notify you and any applicable regulator of a suspected breach where required to do so.

How long the University will retain your personal data

We must only retain your personal data for as long as necessary to fulfil the purposes for which it was collected and to satisfy any legal, regulatory, accounting or reporting requirements.

Specified retention periods are applied to each category of personal data that we may process about you. In setting these retention periods, we have taken into account:

  • The nature, sensitivity and volume of the personal data
  • The potential risk of harm to you arising from the University’s continued retention of the personal data
  • The purposes for which the University may process your personal data
  • Whether the University is required to retain any personal data by law or in accordance with its legitimate interests

Please refer to the University's Records Retention Schedule for further information.

In some cases we may anonymise your personal data so that you can no longer be identified by it, in which case we may retain such data indefinitely.

If we receive notice of a legal claim or similar action, we may keep and use any relevant personal data for as long as needed to deal with and defend the claim. Although we may delete personal data after a claim has ended, please be aware that any documents disclosed or evidence given during legal proceedings may become part of the public record.

CCTV

We operate CCTV around University properties for security and crime detection purposes. For further information, please see the University’s CCTV Code of Practice.

Your rights

You have a number of rights in relation to the processing of your personal data by the University:

  • Access: You have the right to request access to, and be provided with, a copy of the personal data held about you, together with certain information about the processing of such personal data, to check that the University is processing it lawfully and fairly.
  • Correction: You have the right to request correction of any inaccurate or incomplete personal data held about you.
  • Deletion: You have the right to request erasure of any personal data held about you where there is no good reason for the University to continue processing it, or where you have exercised your right to object to the processing of your personal data.
  • Restriction: You have the right to request restriction of how the University processes your personal data; for example, to confirm its accuracy or the University’s reasons for holding it or as an alternative to its erasure.
  • Objection: You have the right to object to the University’s processing of any personal data which is based on the legitimate interests of the University or those of a third party, based on your particular circumstances. You also have the right to object to the University processing your personal data for direct marketing purposes.
  • Portability: You have the right to receive or request that the University transfers a copy of your personal data in an electronic format where the basis of the University processing such personal data is your consent or the performance of a contract, and the information is processed by automated means.
  • Complaints: You have the right to complain to the Information Commissioner’s Office (ICO) or any other EU supervisory authority in relation to how the University processes your personal data.

To exercise any of these rights, you must contact the University's Data Protection Officer at data-protection@bristol.ac.uk. The University may be entitled to refuse any request in certain circumstances and where this is the case, you will be notified accordingly.

If the University is using your personal data based on your consent, you can withdraw that consent at any time and you do not need to give a reason. However, if you do this, the University may not be able to provide some services to you, or those services may be affected.

You do not usually have to pay a fee to use your data protection rights. However, the University may charge a reasonable fee or refuse a request if it is clearly unreasonable or excessive. If this is the case, you will be told.

To keep your personal data secure, the University may ask you to confirm your identity before dealing with any request about your personal data.

Your responsibilities

It is important that the data we hold about you is up to date and accurate. Please keep us informed of any changes that may be necessary during your relationship with us.

Questions or comments

If you have any questions or comments regarding this notice or you wish to exercise any of your rights, you should contact our Data Protection Officer by email at data-protection@bristol.ac.uk.