Durham University’s responsibilities under data protection legislation include the duty to ensure that we provide individuals with information about how we process personal data. We do this in a number of ways, one of which is the publication of privacy notices. This privacy notice provides a general description of the broad range of processing activity in addition there are tailored privacy notices covering some specific processing activity.
The Data Protection Officer is responsible for advising the University on compliance with Data Protection legislation and monitoring its performance against it. If you have any concerns regarding the way in which the University is processing your personal data, please contact:
Kristina Holt, Head of Information Governance and University Data Protection Officer
The University keeps personal data for as long as it is needed for the purpose for which it was originally collected. Most of these time periods are set out in the University Records Retention Schedule.
What we use your data for
You have the right to be provided with information about how and why we process your personal data. We will only process data where we have a lawful reason to do so our main reasons are s follows:
As part of agreements between us, we will process personal data for
Admission to the university, registration and support for your studies
Academic assessment and progression
Maintaining an academic record including qualifications
Providing access to services including IT, Library and other facilities
Providing ID for security purposes
Administration of payments such as fees
Providing reports to your sponsor (if any) including Student Loans Company
Administration of complaints, disciplinary processes and other similar processes
Provision of accommodation, catering and other services related to accommodating you
We carry out a number of tasks in the public interest including
Managing public health risks
Managing risks related to public safety or concern to the local community (including reporting crime where we are not required to do so but it is in the public interest to do so)
We are a regulated body which means we are required to collect certain information including for
Compliance with tax and immigration requirements
Providing census and fee information
Supporting local authorities on fraud investigation, electoral registration and council tax collection
Reporting to the Office for Students and other regulators
Reporting crime (where we are required to do so)
We will process data where it is in our legitimate interests to do so including
To improve the services we provide to you including organising events that may interest you.
To provide information to you about goods or services we offer
To support marketing and brand related activity (which may include collecting some data about brand from social media and that might incidentally include personal data).
Photographing and recording events around the University including seminars for both training and marketing purposes.
Where you have the choice to determine how your personal data will be used, we will ask you for consent. Whenever you give your consent for the processing of your personal data, you receive the right to withdraw that consent at anytime
In addition, we may provide you with a privacy notice in relation to specific uses of your data where this is appropriate. A privacy notice is a verbal or written statement that explains how we use personal data.
Sensitive personal data
Some of the information we collect is sensitive personal data (also known as special categories of data). In particular, we may process personal data that relates to your health (such as your medical information for example to help support you), and any criminal convictions and offences (for reasons of safeguarding). If we use sensitive personal data, we will usually do so on the legal basis that it is in the wider public interest, to establish, take or defend any legal action or, in some cases, that we have your permission (consent).
How we collect your data
Most of the personal information we process is provided to us directly by you. Often this will be actively provided by you for example by you filing in a form. In other situations your data may be gathered with less active participation by you, for example we may record a Teams video call for business purposes, or capture device ID for technical reasons when connecting with the University network. You will be provided with notification of this.
We may also receive personal information indirectly:
For the purpose of student admissions and ongoing administration sources, include UCAS, funding bodies such as the Student Loans Company, US Loans, parents/guardians and schools/colleges.
For the purpose of support sources, include: medical, health care professionals, psychologists, psychiatrists or those providing you with evidence of your disability or mental health.
For the purpose of conducting research data set sources might include: data in the public domain, data from domestic and international governmental bodies including Department for Health, Department for Education, local authorities, other Universities.
When we obtain personal data about you from third party sources, we will look to ensure that the third party has lawful authority to provide us with your personal data.
We may also share information with the same set of organisations for the purposes mentioned above.
Accessing your personal data
You have the right to be told whether we are processing your personal data and, if so, to be given a copy of it. This is known as the right of subject access.
You can find out more about this right on the University’s Subject Access Requests webpage. Right to rectification If you believe that personal data we hold about you is inaccurate, please contact us and we will investigate. You can also request that we complete any incomplete data. Once we have determined what we are going to do, we will contact you to let you know.
Right to erasure
You can ask us to erase your personal data in any of the following circumstances:
We no longer need the personal data for the purpose it was originally collected
You withdraw your consent and there is no other legal basis for the processing
You object to the processing and there are no overriding legitimate grounds for the processing
The personal data have been unlawfully processed
The personal data have to be erased for compliance with a legal obligation
The personal data have been collected in relation to the offer of information society services (information society services are online services such as banking or social media sites). Once we have determined whether we will erase the personal data, we will contact you to let you know.
Right to restriction of processing
You can ask us to restrict the processing of your personal data in the following circumstances:
You believe that the data is inaccurate and you want us to restrict processing until we determine whether it is indeed inaccurate
The processing is unlawful and you want us to restrict processing rather than erase it
We no longer need the data for the purpose we originally collected it but you need it in order to establish, exercise or defend a legal claim and
You have objected to the processing and you want us to restrict processing until we determine whether our legitimate interests in processing the data override your objection.
Once we have determined how we propose to restrict processing of the data, we will contact you to discuss and, where possible, agree this with you.
Making a complaint
If you are unsatisfied with the way in which we process your personal data, we ask that you let us know so that we can try and put things right. If we are not able to resolve issues to your satisfaction, you can refer the matter to the Information Commissioner’s Office (ICO). The ICO can be contacted at:
Information Commissioner's Office, Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF Telephone: +44 (0)303 123 1113