Skip to main content

Privacy Notice - Students

Part 1: Generic Privacy Notice Information

Durham University has a responsibility under data protection legislation to provide individuals with information about how we process their personal data. We do this in a number of ways, one of which is the publication of privacy notices. Organisations variously call them a privacy statement, a fair processing notice or a privacy policy.

To ensure that we process your personal data fairly and lawfully we are required to inform you:

  • Why we collect your data
  • How it will be used
  • Who it will be shared with

We will also explain what rights you have to control how we use your information and how to inform us about your wishes. Durham University will make the Privacy Notice available via the website and at the point we request personal data.

Our privacy notices comprise two parts – a generic part (ie common to all of our privacy notices) and a part tailored to the specific processing activity being undertaken.

Data Controller

The Data Controller is Durham University. If you would like more information about how the University uses your personal data, please see the University’s Information Governance webpages or contact Information Governance Unit:

Telephone: (0191 33) 46246 or 46103

Email: information.governance@durham.ac.uk

Information Governance Unit also coordinate response to individuals asserting their rights under the legislation. Please contact the Unit in the first instance.

Data Protection Officer

The Data Protection Officer is responsible for advising the University on compliance with Data Protection legislation and monitoring its performance against it. If you have any concerns regarding the way in which the University is processing your personal data, please contact the Data Protection Officer:

Kristina Holt, email: info.access@durham.ac.uk 

Part 2: Tailored Privacy Notice for Students

Students: Type(s) of personal data collected and held by the University and method of collection

Personal data are normally initially provided to the University by a prospective student on a UCAS or Postgraduate application form. For successful applicants, the University will add further data at registration and then during the course of the student’s education in line with the business purposes specified in its data protection notification. After graduation/termination of studies, some data are passed to the Alumni function for approved purposes and then the records are retained and disposed of in line with the University’s Records Retention Schedule. The personal data of unsuccessful applicants are also retained and disposed of in line with the University’s Records Retention Schedule.

The University holds special category data (e.g. ethnicity, physical or mental health or disability) for the provision of student support services to individuals and for equal opportunities monitoring and statutory reporting.

Information on a student's health or disability may be required prior to admission to certain programmes of study, for purposes linked with academic progress and examinations, and in relation to provision of accommodation. Information on a student’s health may also be required by the University when a student undertakes fieldwork, such as for health and safety or insurance purposes.

Occupational Health use special category data in the following ways:

Using information about your physical or mental health or disability status to ensure that you are fit to train as a teacher and in health and social care professions, and to ensure your health and safety e.g.fitness for off site activities and health surveillance, and to consider any potential reasonable adjustments and support if you have any health concerns. 

The collection of health information related to outbreaks of infectious disease (such as Covid-19 or any subsequent such health issues) will also be necessary.

Further information may also be required when the student seeks work with the University in a paid or unpaid capacity.

Students: Lawful basis

The University processes your data prior to, during and for a period after a programme of study under the basis of a contract with you. We offer student support services, in the interests of academic progression and participation in University life. We are required to demonstrate our support for students with disabilities, and for this we need to request and hold Special Category data and medical evidence, which we process under our legal obligations to the Equality Act 2010. For example, if we were told that a student has a mental health issue that constitutes a disability (more than a year, impact upon day-to-day activities), we would need to act on this data to offer Disability Support services. At the point of disclosing special category data you will be given further details on how this specific data will be processed. The Counselling Service and Disability Support have specific Agreements outlining how special category data will be processed.

We may additionally enter into a contract with you regarding residence at one of our Colleges.

The University processes data to ensure that it is complying with our legal obligations, for example in respect of Council Tax, Home Office requirements regarding visas and obligations under the Equality Act 2010.

The University processes data in respect of statutory obligations, which is part of its public task.

The University processes information related to health where there is a legal obligation or a legitimate interest in doing so for reasons of public health including the protection of the University community and the wider public (locally and nationally) from potential infection outbreaks.

We may also use your personal information where we need to protect your (or someone else’s) interests or where it is in the public interest. When we process your personal information we will do so provided your fundamental rights do not override those interests.

Students: How personal data is stored

Student data is held in core student administrative systems (University’s student records system (Banner), the University contact management system (Target Connect) and the University student CRM system. Student data is also held in the University Alumni Relations system (Raisers Edge), the virtual learning environment (duo), the identity management system (DUND) and the data warehouse. Access to each system is limited to approved University staff members.

Student data is also held locally by academic departments, colleges and professional support services in email, network storage and paper files.

All health related information within Occupational Health is stored securely, is only accessible by those with a legitimate interest to view the data such as Occupational Health, Student Support Services, course leaders and College.

Core details of each student are transferred to the University Archives and Special Collections for permanent preservation.

Students: How personal data is processed

  • Administering study, such as recording of achievements, determination of award and monitoring of attendance
  • Providing student support services, such as counselling or careers advice or services for students with disabilities
  • Providing protection against and management of potential outbreaks of infectious disease
  • Providing facilities, such as the IT service and Library service
  • Contacting students electronically, such as by SMS text messaging, to forward high priority or emergency information
  • Administering finance, such as payment of fees
  • Administering tenancies of University-owned properties
  • Monitoring equal opportunities
  • Preventing and detecting crime, such as using CCTV or attaching photos to ID cards.
  • Maintaining contact with alumni and past employees
  • Fundraising and marketing (including postal appeals to friends and family of students)
  • Processing student academic appeals and student discipline cases including the voice recording of meetings in relation to these where consent is given
  • Direct mailing of or about (i) student benefits and opportunities offered by or through the University and (ii) University activities and events organised for students.
  • Host mailing of services or career opportunities of direct relevance to student interests.
  • Personal data released to professional and industrial bodies wishing to communicate with students about career opportunities and membership of their body.

The University routinely logs information about use of IT facilities for statistical purposes, to ensure effective systems operations and to ensure legal compliance relating to software usage. The University may also monitor electronic communications to ensure that they are being used in accordance with the University’s Policy and Regulations for the Use of University IT Facilities and, specifically, to prevent or detect crime. All activities comply with data protection and privacy legislation and the Regulation of Investigatory Powers Act (RIPA) 2000.

Personal data are normally initially provided to the University by a prospective student on a UCAS or Postgraduate application form. For successful applicants, the University will add further data at registration and then during the course of the student’s education in line with the business purposes specified in its data protection notification. After graduation/termination of studies, some data are passed to the Alumni function for approved purposes and then the records are retained and disposed of in line with the University’s Records Retention Schedule. The personal data of unsuccessful applicants are also retained and disposed of in line with the University’s Records Retention Schedule.

Student personal data and special category data held for the purposes of student support is passed between sections of the University only for the purposes of support, as necessary and proportionate to the intended purposes, and in line with our obligations under the Equality Act 2010. Special category data used for monitoring or reporting purposes will be anonymised where possible.

Student personal data (not including special category data) may be processed for academic research purposes (i.e. where there is only benefit to the researcher alone or the researcher and University combined) on the basis that the results of the research will not lead to decision-making about an individual or groups of individuals. Where a researcher wishes to use sensitive personal data, such as ethnicity or health, explicit consent will be sought beforehand from the individuals concerned.

Students: Who the University shares data with

The University may need to disclose students’ personal data to organisations contracted to work on its behalf, which could include its insurers or legal consultants. In certain circumstances the University passes the personal data of student debtors to an external debt collection agency if the University has been unable to recover the debt by normal internal processes. The University may also disclose data to auditors undertaking investigations, selected individuals acting on behalf of the University such as alumni organising alumni events, external organisations undertaking market research or academic researchers provided no personal data is published.

During the course of student support, data may be shared with external agencies, for example for medical or counselling support. Students will be asked for consent to share any data with an external agency if the purpose is to secure non-urgent but specialist student support. If there is an urgent need for specialist medical help, the University will seek consent to share any data, but where consent cannot or will not be given it might act without consent.

The University may, in order to protect the vital interests of the student or another person, contact third parties, such as medical professionals or emergency contact, concerning the health of a student when it believes it is reasonable and/or in the best interests of the student to do so. The University will attempt to gain the prior consent from the student to do so but where consent cannot or will not be given it might act without consent.

The University may share your data with third party agencies to satisfy any legal requirements or where there is a legitimate interest to do so, such as public health. Data would be shared to allow the University to receive external advice on infection control to protect the university community, and to support the identification, modelling and management of local and national outbreaks of infectious disease. Data would only be shared with third parties where necessary and the processing would only identify individuals if required.

The University will share your information where legally obliged to, for example with law enforcement agencies, and may not be able to inform you of the sharing, for example where this may compromise any investigation.

The University is legally obliged to provide student personal data to Council Tax Registration Officers and, where applicable, to the UK Visas and Immigration (UKVI).

The University has a statutory requirement to disclose student personal data to the following and/or their nominees/successors: Office for Students (OfS); the Higher Education Statistics Agency (HESA); the Learning and Skills Council; the Quality Assurance Agency; the Department for Innovation, Universities and Skills; the European Audit Commission; local authorities; the Student Loans Company and Electoral Registration Officers.

Further Information about Disclosures to HESA

The University will send some of the information it holds about its students to the Higher Education Statistics Agency (HESA):

Statutory functions

The HESA record is used by the organisations listed below, or agents acting on their behalf, to carry out their public functions connected with education in the UK:

  • Department for Business, Energy and Industrial Strategy
  • Welsh Assembly Government
  • Scottish Government
  • Department for the Economy, HE Division
  • Office for Students
  • Higher Education Funding Council for Wales
  • Scottish Further and Higher Education Funding Council
    • National College for Teaching and Leadership
    • Health and Care Professions Council
  • United Kingdom Research and Innovation and associated Research Councils

The HESA record may also be used by the Office for National Statistics and the National Audit Office to fulfil their statutory functions of measuring population levels and monitoring public expenditure.

Equivalent and lower qualifications – the University and the Higher Education Funding Council for England may compare student data to educational records from previous years to help determine the levels of current qualifications. This may, in turn, affect the fees required to pay by students.

A student’s HESA record will not otherwise be used in any way that affects them personally.

Student contact details may be passed to survey contractors to carry out the National Student Survey and surveys of student finances on behalf of the education organisations listed above. These organisations and their contractors will use student contact details only for that purpose and will then delete them.

Towards the end of a student’s course of study, the University will pass the student’s contact details to the organisation contracted to carry out the National Student Survey.

HESA publications

HESA use the HESA record to produce anonymised data in annual statistical publications. These include some National Statistics publications and online management information services.

Research, equal opportunity, journalism, other legitimate interest/public function

HESA will also supply anonymised data to third parties for the following purposes:

  • Equal opportunities monitoring – the HESA record may contain details of ethnic group and any disabilities. This data is only used where it is needed to promote or maintain equality of opportunity or treatment between persons of different racial or ethnic origins, religious beliefs or different states of physical or mental conditions.
  • Research – this may be academic research, commercial research or other statistical research into education where this is of benefit to the public interest
  • Journalism – where the relevant publications would be in the public interest e.g. league tables

Anonymised data for the above purposes is supplied by HESA to the following types of user:

  • Local, regional and national government bodies who have an interest in higher education
  • Higher education sector bodies
  • Higher education institutions
  • Academic researchers and students
  • Commercial organisations (e.g. recruitment firms, housing providers, graduate employers)
  • Unions
  • Non-governmental organisations and charities
  • Journalists

The HESA Student Collection Notice is reviewed annually and any amendments to the current version will be available at https://www.hesa.ac.uk/about/regulation/data-protection/notices along with links to earlier versions.

HESA will take precautions to ensure that individuals are not identified from the anonymised data which they process.

Under the GDPR, students have the right to a copy of the information HESA holds about them. Please make requests directly to HESA by emailing data.protection@hesa.ac.uk.

A student who has concerns about their information being used for the purposes outlined above or in the Collections Notice should contact HESA directly.

Students on Initial Teacher Training (ITT) Courses at Institutions in England

HESA will pass the records of students on an ITT course at an institution in England to the National College for Teaching and Leadership (NCTL)

The NCTL is a data controller under GDPR. The NCTL will process personal data in order to fulfil its remit and its statutory obligations, including the administration of provisional registration. Except where there is a legal obligation, the NCTL will not share data with any third party, except those fulfilling a service on their behalf and under their expressed instructions.

Student and Leaver Surveys

After you graduate you may be contacted and asked to complete one or more surveys into the outcomes of higher education and your activities after graduation. These surveys are used to create statistics to meet the public interest in the outcomes of higher education. Information from third parties (such a parent, or the University if you’re in further study) might be used to complete sections of the surveys if you can’t be contacted. The surveys may be undertaken by the University or by an organisation contracted for that purpose. The University will hold your contact details after you graduate in order for you to be contacted to complete a graduate outcomes survey.

Your contact details may be passed to HESA and/or an organisation contracted to undertake a graduate outcomes survey. The survey contractor will only use your contact details for the survey and will delete them when the survey is closed. HESA may hold your contact details for further graduate outcomes surveys where these are in the public interest.

Your responses to the survey of graduate outcomes will be made available to the University, and we may choose to add additional questions to the survey for our own use.

Further privacy and data protection information will be provided if you are contacted for any of these surveys. You might also be contacted as part of an audit to check that the survey has been undertaken properly.

Legal basis for processing your information to conduct national surveys

Processing of your information to conduct the student and graduate surveys is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller (See GDPR Article 6(1)(e)) and for statistical and research purposes (See GDPR Article 89).

National Student Survey

Ipsos MORI - The University transfers contact details of final year students to the administrators of the National Student Survey, an independent market research agency named Ipsos MORI, who act on behalf of the Office for Students. Prior to transfer the University contacts final year students about the survey and gives the opportunity to opt out of participation. Ipsos MORI do not disclose information to anyone else and destroy it as soon as it is no longer required for the purpose of administering the survey. Individual responses to the survey remain anonymous throughout. For more information please see the Privacy Statement of Ipsos MORI.

Student Barometer and International Student Barometer Survey

i-graduate - Home and international students are asked by the University to participate in the annual Student Barometer or International Student Barometer Survey. The University may pass contact details to i-graduate, a third party contractor who will administer the survey. i-graduate will make contact with students to give the opportunity to opt out of participation. i-graduate do not disclose information to anyone else and destroy contact details as soon as they are no longer required for the purposes of administering the survey. Individual participants cannot be identified in the results that i-graduate provide to the University.

Postgraduate Research Experience Survey

Higher Education Academy - Postgraduate research students are asked by the University to participate in the biennial Postgraduate Research Experience Survey. Students are given details of the location of the online survey tool by the University and the University may partially pre populate survey fields with student details in advance of the survey going live. No student contact details will be provided to the survey administrators, the Higher Education Academy. Students will be given the opportunity to opt out of participation by the University. The anonymity of all participants is guaranteed. More information about the survey can be found on the Higher Education Academy website.

Published Personal Data

Registration with Computing and Information Services (CIS) means that a student’s name and email address will appear in the University's Global email system. This is only available to users of the email system and is not publicly available.

Sponsors

Where a student’s funding organisation requests progress reports, the University will normally comply. Any queries about the provision of such reports should be addressed to the funding organisation.

Points Based Immigration System

The University is an Approved Education Provider for the purposes of the Points Based Immigration System. The University will provide data about students on the Tier 4 Student Visa to the UK Visas and Immigration (UKVI) in order to fulfil our duties as an Approved Education Provider.

Fraud and Plagiarism, Disciplinary Procedures and Academic Appeals

The University may process a student’s personal data for the purpose of the prevention and detection of fraud, particularly plagiarism (this may involve disclosure to third parties e.g. in the use of plagiarism detection software). It may also process a student’s personal data in the course of disciplinary procedures or academic appeals (this may involve disclosure to third parties e.g. to seek legal advice).

Study, Employment and Placements at another Organisation

Where a student’s course of study at the University requires study, employment or a placement at another organisation it will be necessary for the University to transfer personal data to the external university or employer, whether this is within the UK or abroad. Students should be aware that some countries outside of the EEA have lower standards for the protection of personal data that those within the EEA.

Business School external Accreditation and Professional Bodies

The Business School will provide information to the following for the purpose of accreditation and membership of the professional bodies.

  • Chartered Institute of Logistics and Transport (CILT)
  • Chartered Institute of Personnel and Development (CIPD)
  • Chartered Institute of Management Accountants (CIMA)
  • Chartered Institute of Marketing (CIM)
  • Institute of Chartered Accountants in England and Wales (ICAEW)
  • EQUIS
  • Association of MBAs (AMBA)
  • Association to Advance Collegiate Schools of Business (AACSB)
Medicine (MBBS) Phase I Students

Each year, as the selection procedure is completed, the names of successful applicants to Durham University’s Medicine (MBBS) Phase I programme will be provided to Newcastle University. Student files containing personal data will be copied to Newcastle University upon transfer of those students to Phase II. However, examination marks and records of any allegations of misconduct and student status will be copied to Newcastle University annually. Following transfer to Newcastle University, Durham University will retain students’ records in line with its University Records Retention Schedule.

Durham University will report students’ end of year performance to UKCAT. This processing will not lead to any decision-making about individuals.

Durham University collects and analyses assessment data and where this is published, the anonymity of students is maintained. Students may be asked to consent to the processing of their personal data for the purposes of medical education research being undertaken outside of Durham University. Where a student does not give consent, their personal data will not be processed.

Durham University may receive and hold personal data received from tutors and occupational health contractors regarding issues that could affect performance of individual students. Further, Durham University may disclose to employers personal data regarding issues that have arisen during a student’s period of study where Durham University believes those issues may affect fitness to practice, such as sanctions levied by Health and Conduct Committee.

Collaborative Programmes

Where Durham University manages admissions procedures it will provide partners with details of the students attending courses. Where required, Durham University will provide progress reports to partners or other relevant bodies. Where a student chooses to make use of the University’s complaints and academic appeals processes, the University will process personal data necessary for the purpose of administering the case and then retain such records in line with its University Records Retention Schedule.

Visual Images

Each student is required to provide a digital image of themselves to CIS for reproduction on their University campus card, which will be used for the purpose of identification. The digital image may also be:

Used on college or departmental lists or pictureboards that may be displayed in public buildings within the University

Attached to electronic student records that can be viewed by any member of University staff

Attached to hard copy student personal records that are stored securely and accessible only to those members of staff who require access

Published on a college or department website, where the page is password protected and accessible only to those members of staff who require access

The University may commission photography on campus or at specific events, such as award ceremonies, for use in its promotional material. Students may appear on the resulting images, and the resulting images may be published.

Durham Students Union

The Durham Students Union (DSU) is a separate legal entity from Durham University and therefore a separate data controller. The University shares student personal data with DSU in order for the Union to administer membership of DSU and its clubs and societies, to communicate with members, to hold elections of officers, to ensure the safety and security of members (including identification of individual members), to provide welfare services, to market services provided directly by DSU and to analyse DSU service provision and membership needs.

Disclosure and Barring Service (DBS)

The University is required to obtain information about past criminal convictions prior to offering a place on some of its programmes and as a condition of employment for certain posts. The University also undertakes DBS checks on those students who work with young and/or vulnerable people.

Students: How long personal data is held by the University

Personal data is kept, deleted or archived in accordance with the University Records Retention Schedule. Student data retention aligns to:

Administering study – successful applications, academic progress, transfers and withdrawals 

6 years after the end of the relationship with the student 

Handling of enquiries from prospective students 

1 year after current year 

Conduct and results of disciplinary proceedings and academic appeals 

6 years after the last action 

Timetabling of teaching space and lists of classes/tutorials 

Current year 

Timetabling and organisation of examinations, including attendance and reports of mitigating circumstances 

Current year + 1 year 

Pass lists / awards lists 

Year of issue + 10 years 

Organisation of award ceremonies and production of award certificates 

Completion of ceremony + 1 year 

Processing of tuition fees and scholarship funds 

Current financial year + 7 years 

Final reports of all research projects 

Completion of project + 5 years 

Administration of research grants provided by research councils or corporate sponsors 

End of grant + 7 years 

Health screening of a student for fitness to train and for course activities 

End of relationship with the student + 6 years 

Health screening of students exposed to hazardous substances 

End of relationship with the student + 40 years 

Students: Visitors to our websites/webpages

When someone visits www.durham.ac.uk we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be transparent about this. We will make it clear when we collect personal information and will explain what we intend to do with it.

Students: Use of cookies

A cookie is a simple text file that is stored on your computer or mobile device by a website's server and only that server will be able to retrieve or read the contents of that cookie. Cookies allow websites to remember user preferences, choices and selections, such as what's in your shopping basket. Durham University also make use of the Google Analytics service to understand how you navigate around our site.

Durham University do not use cookies to collect personal information about you.

For more information about the use of cookies on Durham University's website, or to set your cookie usage preference, please see our Cookies Policy.

Students: Links to other websites

This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

Students: Changes to this privacy notice

We regularly review our privacy information to ensure that it remains accurate and current. We will review and update this privacy information whenever we plan to use personal data for any new purpose. Any changes to this privacy information will be communicated to you.

Students: Further information

Durham University has a responsibility under data protection legislation to provide individuals with information about how we process their personal data. We do this in a number of ways, one of which is the publication of privacy notices. Organisations variously call them a privacy statement, a fair processing notice or a privacy policy.

To ensure that we process your personal data fairly and lawfully we are required to inform you:

  • Why we collect your data
  • How it will be used
  • Who it will be shared with

We will also explain what rights you have to control how we use your information and how to inform us about your wishes. Durham University will make the Privacy Notice available via the website and at the point we request personal data.