Skip to main content

Privacy Notice: Staff and Student Covid-19 Testing and Self-Isolation


In order to protect the health and wellbeing of students, staff, and the wider community and to provide students with the necessary welfare and study support, the University processes the personal data relating to student Covid-19 testing and self-isolation.  Please read the privacy information below – Part 1 comprises Durham University’s Generic Privacy Notice and Part 2 comprises privacy information specific to the processing of the personal data in respect of student Covid-19 testing and self-isolation.


Durham University’s responsibilities under data protection legislation include the duty to ensure that we provide individuals with information about how we process personal data. We do this in a  number of ways, one of which is the publication of privacy notices. Our privacy notices comprise two parts – a generic part and a part tailored to the specific processing activity being undertaken.

Data Controller

The Data Controller is Durham University. If you would like more information about how the University uses your personal data, please see the University’s Information Governance webpages or contact E-mail:

Data Protection Officer

The Data Protection Officer is responsible for advising the University on compliance with Data Protection legislation and monitoring its performance against it. If you have any concerns regarding the way in which the University is processing your personal data, please contact:

Kristina Holt, Head of Information Governance and University DPO T E-mail:


The University keeps personal data for as long as it is needed for the purpose for which it was originally collected. Most of these time periods are set out in the University Records Retention Schedule.

What we use your data for

You have the right to be provided with information about how and why we process your personal data. We will only process data where we have a lawful reason to do so our main reasons are as follows:


As part of agreements between us, we will process personal data for

  • Admission to the university, registration and support for your studies
  • Academic assessment and progression
  • Maintaining an academic record including qualifications
  • Providing access to services including IT, Library and other facilities
  • Providing ID for security purposes
  • Administration of payments such as fees
  • Providing reports to your sponsor (if any) including Student Loans Company
  • Administration of complaints, disciplinary processes and other similar processes
  • Provision of accommodation, catering and other services related to accommodating you

Public Task

 We carry out a number of tasks in the public interest including

  • Research
  • Archiving
  • Diversity Monitoring
  • Managing public health risks
  • Managing risks related to public safety or concern to the local community (including reporting crime where we are not required to do so but it is in the public interest to do so)

Legal Obligation

We are a regulated body which means we are required to collect certain information including for

  • Compliance with tax and immigration requirements
  • Providing census and fee information
  • Supporting local authorities on fraud investigation, electoral registration and council tax collection
  • Reporting to the Office for Students and other regulators
  • Reporting crime (where we are required to do so)

Legitimate Interests

We will process data where it is in our legitimate interests to do so including

  • To improve the services we provide to you including organising events that may interest you.
  • To provide information to you about goods or services we offer
  • Photographing and recording events around the University including seminars for both training and marketing purposes.

Where you have the choice to determine how your personal data will be used, we will ask you for consent.

In addition, we will provide you with a privacy notice in relation to specific uses of your data where this is appropriate. A privacy notice is a verbal or written statement that explains how we use personal data.

Whenever you give your consent for the processing of your personal data, you receive the right to withdraw that consent at any time.

Sensitive personal data

Some of the information we collect is sensitive personal data (also known as special categories of data). In particular, we may process personal data that relates to your health (such as your medical information for example to help support you), and any criminal convictions and offences (for reasons of safeguarding). If we use sensitive personal data, we will usually do so on the legal basis that it is in the wider public interest, to establish, take or defend any legal action or, in some cases, that we have your permission (consent).

Accessing your personal data

You have the right to be told whether we are processing your personal data and, if so, to be given a copy of it. This is known as the right of subject access.

You can find out more about this right on the University’s Subject Access Requests webpage. Right to rectification If you believe that personal data, we hold about you is inaccurate, please contact us and we will investigate. You can also request that we complete any incomplete data. Once we have determined what we are going to do, we will contact you to let you know.

Right to erasure

You can ask us to erase your personal data in any of the following circumstances:

  • We no longer need the personal data for the purpose it was originally collected
  • You withdraw your consent and there is no other legal basis for the processing
  • You object to the processing and there are no overriding legitimate grounds for the processing
  • The personal data have been unlawfully processed
  • The personal data have to be erased for compliance with a legal obligation
  • The personal data have been collected in relation to the offer of information society services (information society services are online services such as banking or social media sites). Once we have determined whether we will erase the personal data, we will contact you to let you know.

Right to restriction of processing

You can ask us to restrict the processing of your personal data in the following circumstances:

  • You believe that the data is inaccurate and you want us to restrict processing until we determine whether it is indeed inaccurate
  • The processing is unlawful and you want us to restrict processing rather than erase it
  • We no longer need the data for the purpose we originally collected it but you need it in order to establish, exercise or defend a legal claim and
  • You have objected to the processing and you want us to restrict processing until we determine whether our legitimate interests in processing the data override your objection.

Once we have determined how we propose to restrict processing of the data, we will contact you to discuss and, where possible, agree this with you.

Making a complaint

If you are unsatisfied with the way in which we process your personal data, we ask that you let us know so that we can try and put things right. If we are not able to resolve issues to your satisfaction, you can refer the matter to the Information Commissioner’s Office (ICO). The ICO can be contacted at:

Information Commissioner's Office, Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF Telephone: +44 (0191) 303 123 1113

Website: Information Commissioner’s Office


This section of the Privacy Notice provides you with the privacy information that you need to know before you provide personal data to the University for the particular purpose(s) stated below.

Type(s) of personal data collected and held by the University and method of collection. The University already holds personal data about you for the purposes of employment, providing education and other services. This notice concerns information about

  • Whether you have tested positive or negative for Covid-19
  • If you need to self-isolate or quarantine for a Covid-19 related reason
  • Which College or University locations you attended prior to your test result/symptoms requiring self-isolation or quarantine and your location following a positive test result, quarantine requirement or during participation in test to release process

This information may be self-reported using the Covid-19 reporting form in Banner (for students) or submitted on your behalf by a trained member of University staff (for both students and staff). 

We may link your Covid-19 testing and self-isolation data to other information available to us to ensure your data is processed accurately. 

How this data will be used and our legal reasons for using it

As this information is related to health it is special category data

Legal reasons


Public Task

Vital Interests


The data will be used to:

  • monitor for outbreaks of Covid-19 with a view to taking action to reduce further infections such as surge testing, supporting self-isolation or quarantine and managing a test to release process.
  • safeguard vulnerable staff, students and members of the public by allowing contact tracing, and by restricting access to events or facilities where it is assessed to be proportionate to do so
  • maintain a record of test results for the purposes of research in an important area of public health


We may need to inform others of your testing status such as staff, other students or third parties if it is necessary and proportionate to do so.

Special category of data reasons:


Public interest in the area of public health

Scientific Research

How personal data is stored

Student data is held in core student administrative system (University’s student records system (Banner) and the virtual learning environment (duo). Access to each system is limited to approved University staff members.

Staff data is held in core human resource administrative system (Oracle HR, the virtual learning environment (duo) and in SharePoint

Student data is also held locally by academic departments, colleges and professional support services in email, network storage and paper files.

Who the University shares personal data with

During the course of staff or student support, data may be shared with external agencies, for example for medical or counselling support. Staff and students will be asked for consent to share any data with an external agency if the purpose is to secure non-urgent but specialist student support.

The University may, in order to protect the vital interests of the student or another person, contact third parties, such as medical professionals or emergency contact, concerning the health of a student when it believes it is reasonable and/or in the best interests of the student to do so. The University will attempt to gain the prior consent from the student to do so but where consent cannot or will not be given it might act without consent.

The University may share your data with third party agencies, such as Public Health England and Durham County Council to satisfy any legal requirements or where there is a legitimate interest to do so, such as public health. Data would be shared to allow the University to receive external advice on infection control to protect the university community, and to support the identification, modelling and management of local and national outbreaks of infectious disease. Data would only be shared with third parties where necessary and the processing would only identify individuals if required.

How long personal data is held by the University

Personal data is kept, deleted, or archived in accordance with the University Records Retention Schedule. Student Covid-19 testing and self-isolation information will be held as follows:

Health screening of a student for fitness to train and for course activities - End of relationship with the student + 6 years

Visitors to our websites/webpages

When someone visits the Durham University website we use a third-party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be transparent about this. We will make it clear when we collect personal information and will explain what we intend to do with it.

Use of cookies

A cookie is a simple text file that is stored on your computer or mobile device by a website's server and only that server will be able to retrieve or read the contents of that cookie. Cookies allow websites to remember user preferences, choices, and selections, such as what's in your shopping basket. Durham University also make use of the Google Analytics service to understand how you navigate around our site. Durham University do not use cookies to collect personal information about you

Links to other websites

This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

Changes to this privacy notice

We regularly review our privacy information to ensure that it remains accurate and current. We will review and update this privacy information whenever we plan to use personal data for any new purpose. Any changes to this privacy information will be communicated to you.

Further information

If you have any questions which you feel have not been covered by this Privacy Notice, please email us, or write to: Information Governance Unit email: