Fair Processing Notice for prospective students, applicants and offer holders

About this notice

This notice explains how we, the University of Bristol (the University) collect, use, and share the personal data of prospective students, applicants and offer holders (you/your). It also outlines your rights when it comes to how we handle your data.

Unless the University processes your personal data on behalf of another organisation for purposes that have been determined by that organisation, the University is a ‘controller’ in relation to your personal data and is registered as such with the Information Commissioner’s Office (ICO) (registration number Z6650067).

Personal data is processed for a variety of reasons (as set out below) and all such personal data will be collected and processed in accordance with the requirements of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and any subsequent relevant legislation.

In this notice:

  • personal data means any data which can identify you directly or indirectly (whether by itself or when combined with other data). This includes data that can identify you when combined with other data that is held separately (pseudonymous data) but does not include data where individuals are no longer identifiable (anonymous data).
  • processing means any activity relating to your personal data including collection, use, alteration, storage, disclosure and destruction.

Changes to this notice

The University may update this notice at any time and may provide you with further notices on specific occasions. You should check this notice regularly for any changes.

How do you collect my personal data?

We collect some of your personal data directly from you, such as:

  • When you show interest in studying here: for example, if you book an open day or request a prospectus.
  • When you apply to the University: that might be through UCAS, or by applying directly to us online.
  • When you contact us: Whether it’s by phone, email, our website, or on social media.

Do you collect data about me from other sources?

Sometimes we collect information about you from other places, not just directly from you. For example:

  • UCAS
  • Schools, colleges, or universities you’ve studied at before.
  • The Student Loans Company
  • The Home Office (for visa or immigration purposes) and other Government departments.
  • Employers or sponsors (if they’re funding your studies or providing references).
  • Partner institutions (if you're on a joint or exchange programme).
  • The Students’ Health Service or other health organisation, where they need to share information with us to help us provide you with the right support.
  • International agents assisting with admissions.

What data is being collected about me?

Here are some examples of the types of personal information we might collect and use while you are thinking about or applying to study at the University (non-exhaustive list):

  • Your student IDs: including your UCAS ID.
  • Your contact details: name, phone number, email, term-time and home addresses, and your date of birth.
  • Application details: information you give us when you apply, or information gathered during the course of assessing your application, including interview scores and notes.
  • Financial information: such as tuition fee payments, funding details, or financial support.
  • Attendance data: for pre-registration events such as visit days and interviews.
  • Visa and immigration details: including passport and visa documentation.
  • Information relating to extenuating circumstances, appeals and complaints.
  • References: for example from your secondary school or college.
  • Pastoral and academic support info: anything we need to help support you during your time at university.

Do you collect sensitive special category data?

We may collect, or you may choose to provide us with, special categories of personal data, such as information relating to your:

  • race or ethnicity
  • religious or similar beliefs,
  • sex life or sexual orientation (whether or not indicated by your gender or gender identity)
  • physical and mental health: including any disabilities, medical conditions and dietary requirements
  • criminal convictions or offences.

We take additional steps and measures to ensure the security and confidentiality of these sensitive special categories of data.

How does the University use my personal data?

We collect and use your personal information (including special categories of data) to support your time at university. Here’s how we may use it (non-exhaustive list):

  • Administration of applications: for example, receiving and processing UCAS forms and applications, and applications received directly, compilation of statistics, assessments of applications and interviews.
  • Preparing for your studies: for example, registering you on courses and units, creating your timetable and checking if you're eligible for bursaries or grants.

Providing student services and systems: for example, setting up your student card and providing services such as money advice.

  • Handling finances: including managing your tuition fee payments, providing loans or bursaries.
  • IT and online access: we use your data to give you access to things like email, internet and other digital services.
  • Safety and security: We may use building access logs, CCTV footage and security reports to help keep our campus and facilities safe and to prevent and detect crime.
  • Housing: We use your information to manage accommodation applications.
  • Meeting legal requirements: we may need to check and share your data to meet visa requirements, follow University policies, or comply with other legal requirements (including responding to Freedom of Information requests).
  • Dealing with appeals and complaints: If there’s ever a complaint, appeal or investigation, your data may be used as part of the process.
  • Improving student experience and equality monitoring: We may use data to help monitor equality and improve how we support prospective students, applicants and offer holders. Where possible this will be anonymous (non-identifiable) data but there may be times that this is pseudonymised or personally identifiable data.
  • Keeping you informed: we may contact you about academic and extracurricular opportunities and events we think you might be interested in, including programmes and events hosted, co-hosted or supported by us on and off campus.

Lawful grounds for processing your personal data

We will only use your personal data when we have lawful grounds to do so. Most commonly, we will use your personal data:

  • to perform a contract the University has entered into with you or take steps before entering into a contract with you at your request.
  • to comply with the University’s legal obligations (for example, complying with immigration, anti-money laundering, health and safety and safeguarding laws, preventing and detecting crime, assisting the police and other authorities with their investigations).
  • to perform tasks carried out in the public interest which are mainly set out in the University’s Charter (and related Acts, Statutes, Ordinances and Regulations) and most often relate to teaching and research activities.
  • To pursue our legitimate interests or those of a third party: This includes activities that support the running of the University, such as improving our processed, promoting equality and diversity, managing services and sending you marketing materials long as these don’t override your rights or interests.
  • To protect someone’s vital interest: for example, if we believe you or someone else may be at serious risk of harm.

Where you have a genuine choice as to whether we should process your personal data, we will ask you for your consent.

In relation to special categories of personal data and personal data relating to criminal convictions and offences, we may request your explicit consent unless a condition applies allowing us to process such personal data without consent.

Who do you share my personal data with?

The University often needs to share your personal data with third parties for legitimate reasons. We only do this when there are lawful grounds to do so. Below is an indication of the circumstances in which this may happen:

Within the University

  • Staff and those engaged by the University: so they can perform their duties and support you and your application.

Education Bodies

  • HESA/JISC: every year the University is required to send some of the information it holds about you to The Higher Education Statistics Agency (HESA). HESA is an official source of data about UK higher education. Your HESA information is used for a variety of purposes by HESA and by third parties. For example, it is used by Higher Education funding and regulatory bodies for their statutory and/or public functions including funding, regulation and policy-making purposes. It is also used for statistical and research purposes, such as the Graduate Outcomes survey for which you may be contacted by phone, SMS or email after you graduate. On 4 October 2022 HESA merged with Jisc. HESA is now part of Jisc, a not-for-profit company limited by guarantee, registered in England (company number: 05747339; charity number: 1149740). This means that Jisc is now the data controller for all data sent to HESA. See more information about HESA/Jisc's use of your personal data
  • Student Loans & Finance Bodies: for example, Student Awards Agency Scotland, Student Finance England, Student Finance Wales, Student Finance Northern Ireland, and Student Finance European Union to allow you to receive funding.
  • Department for Education & Local Authorities – For official education purposes.

Immigration & Professional Registration

  • UK Visas and Immigration (UKVI) and the Foreign & Commonwealth Office: for visa and immigration information.
  • Professional Bodies: including the General Medical Council (GMC), General Dental Council (GDC), and the Royal College of Veterinary Surgeons (RCVS) for graduates in medicine, dentistry, or veterinary sciences, to process and maintain registration.

University Partners & Support Services

  • External accommodation providers: where the accommodation is provided on behalf of the University.
  • Admissions assistance: Agents helping in admissions processes such as application, enrolment, interviews and assessments.
  • Agents for International Admissions: limited to what is strictly necessary for the performance of the agent’s role - this may include the disclosure of personal data outside the European Economic Area.
  • Other Universities, Schools, NHS or Industry Partners: If your course involves collaboration or placements.
  • Student sponsors: information will only be disclosed when in compliance with sponsorship agreements and will be kept to the minimum required (for example, providing award verification letters).

Research, Admin & Feedback

  • Research Councils: including where necessary to secure funding or comply with terms and conditions.
  • Auditors & External Examiners: to ensure quality and standards.

Legal & Safety Obligations

  • Police and other investigative agencies: only when necessary and proportionate in assisting with the investigation of a crime or other alleged offence or misconduct, and such disclosures are necessary and proportionate to the aims of the investigation.
  • Government & Local Authorities: during information gathering exercise when the University is legally obliged to provide data.

Where the University uses third parties to process personal data on its behalf (acting as data processors), a written contract will be put in place to ensure that any personal data shared will be held in accordance with the requirements of data protection law and that such data processors have appropriate security measures in place in relation to your personal data.

Parents, family members and guardians are considered to be third parties and your personal data will not be disclosed to such persons unless you have given your consent at application or registration to the disclosure of limited information in certain circumstances, or the disclosure is otherwise made in accordance with data protection law.

Please note that we may need to share your personal information with a regulator or to otherwise comply with the law.

Where do you store my personal data?

Most personal data about you will be stored on servers within the UK or elsewhere within the European Economic Area (EEA). However, some personal data that the University processes about you may be accessed from, transferred to, or stored in, a country or territory outside of the EEA. The University will only transfer your personal data outside of the EEA:

  • to a country or territory that has been assessed by the UK Government as providing an adequate level of protection for your personal data.
  • where the transfer is subject to one or more appropriate safeguards prescribed by law, including the international data transfer agreement, standard contractual clauses or other provisions approved by the UK Government.
  • in the case of a third party based in the United States of America, where such third party is certified under a relevant certification scheme approved by the UK Government.
  • if the transfer is otherwise permitted by law, or necessary for the performance of a contract, or where you have given your explicit consent.

How do you keep my personal data secure?

We take your privacy seriously and have strong security measures in place to meet required standards and protect your personal data. This means we take all reasonable steps to stop it from being lost, accessed without permission, changed, or shared in error.

Only the people and organisations who need to see your data are allowed to access it.

We also have clear steps to follow if something goes wrong — like if there’s a data breach. If that happens and the law says we need to, we’ll let you know and also inform the relevant authorities.

You can learn more about how we protect your data on the University’s Information Security page.

How long will you keep my data for?

The University must only retain your personal data for as long as necessary to fulfil the purposes for which it was collected and to satisfy any legal, regulatory, accounting or reporting requirements. 

Specified retention periods are captured in the University's Record Retention Schedule and applied to each category of personal data that we may process about you. In setting these retention periods, the University has taken into account:

  • the nature, sensitivity and volume of the personal data
  • the potential risk of harm to you arising from the University’s continued retention of the personal data
  • the purposes for which the University may process your personal data
  • whether the University is required to retain any personal data by law or in accordance with its legitimate interests

Generally speaking, records held by the University in relation to your application and studies will be retained by the University for six years after your graduation or departure, after which time they will be securely disposed of. Core information about your studies relating to registration and academic performance (e.g. periods of study, modules studied, transcripts, degree and module marks, graduation date) will be retained permanently.

Retention of personal information for unsuccessful applications will be retained for 1 year from the data of submission and then securely disposed of.

In some cases, the University may anonymise your personal data so that you can no longer be identified by it, in which case the University may retain such data for a particular business requirement.

If notice of a legal claim or other proceeding is received, then the University may retain and process relevant personal data in order to defend the claim for the relevant duration.

While the University may dispose of any personal data after the conclusion of the claim, please be aware that all litigation documents disclosed, or evidence given, may be a matter of public record.

Collaborative programmes of doctoral training

Please be aware that if you are applying for a collaborative programme of doctoral training (such as those listed on the Bristol Doctoral College website) then the University will need to make some further uses and disclosures of your personal data to administer your place on the programme. For further information, please see the relevant Data Protection Statement.

Is there anything else I should know?

Contact directories

The name and email address of all students will be included in the University contact directory, the contents of which are accessible to all University staff and students, but not to external audiences.

Postgraduate Research students' details will be included in the Explore Bristol Research and Pure directories, which are public-facing.

If students do not wish their details to feature in these directories they need to contact the University Secretary's Office who will consider their request. Please contact data-protection@bristol.ac.uk .

Your responsibilities

You have a responsibility to ensure your personal details are up to date, applicants should contact UCAS or the University to update any details.

You may provide us with personal data about other individuals, for example, emergency contact details and information about your family circumstances and dependents (for example to assess bursary and grant eligibility and provide pastoral care services). Students should notify the relevant person that they are providing their contact details to the University as their listed emergency contact.

What rights do I have in regards to my personal data?

You have a number of rights when it comes to how the University uses your personal data. Here’s a summary:

  • Right of Access: you can ask to see the personal data we hold about you and how we’re using it.
  • Right to Rectification: you can ask us to correct any inaccurate or incomplete information.
  • Right to Erasure: in certain situations, you can ask us to delete your personal data.
  • Right to Restrict Processing: you can ask us to limit how we use your data (e.g. while checking its accuracy or our reasons for using it).
  • Right to Object: you can object to us processing your data if we’re doing it for our own legitimate interests, or for marketing purposes.
  • Right to Portability: You have the right to receive or request that the University transfers a copy of your personal data in an electronic format where the basis of the University processing such personal data is your consent or the performance of a contract, and the information is processed by automated means.
  • Rights related to automated decision making: Applications to study at the University may be subject to elements of automated decision making; for example, identifying qualifications from non-accredited institutions and scoring grades against those required for a particular course. If you wish to object to these processes or to find out more please contact the University's Data Protection Officer.
  • Right to Complain – You can contact the Information Commissioner’s Office (ICO) if you’re unhappy with how we’ve handled your data.

To exercise any of these rights, email the University’s Data Protection Officer at data-protection@bristol.ac.uk.

We may need to confirm your identity first, and in some cases, we may not be able to meet your request, but we’ll always explain why. There’s no charge for making a request, unless it’s clearly unreasonable or excessive. Where this is the case, you will be notified accordingly.

If you’ve given consent for us to use your data, you can change your mind and withdraw it at any time, but this might affect the services we can offer you.

Questions or comments

If you have any questions or comments regarding this notice or you wish to exercise any of your rights (see above), you should contact our Data Protection Officer by email at data-protection@bristol.ac.uk.