Skip to main content
Centre for Neurodiversity & Development

GDPR Privacy Notice

Part 1 – Generic Privacy Notice

Durham University has a responsibility under data protection legislation to provide individuals with information about how we process their personal data. We do this in a number of ways, one of which is the publication of privacy notices. Organisations variously call them a privacy statement, a fair processing notice or a privacy policy.

To ensure that we process your personal data fairly and lawfully we are required to inform you:

  • Why we collect your data
  • How it will be used
  • Who it will be shared with

We will also explain what rights you have to control how we use your information and how to inform us about your wishes. Durham University will make the Privacy Notice available via the website and at the point we request personal data.

Our privacy notices comprise two parts – a generic part (ie common to all of our privacy notices) and a part tailored to the specific processing activity being undertaken.

Data Controller

The Data Controller is Durham University. If you would like more information about how the University uses your personal data, please see the University’s Information Governance webpages or contact Information Governance Unit:

Telephone: (0191 33) 46246 or 46103
E-mail: information.governance@durham.ac.uk

Information Governance Unit also coordinate response to individuals asserting their rights under the legislation. Please contact the Unit in the first instance.

Data Protection Officer

The Data Protection Officer is responsible for advising the University on compliance with Data Protection legislation and monitoring its performance against it. If you have any concerns regarding the way in which the University is processing your personal data, please contact the Data Protection Officer:

Jennifer Sewel
University Secretary
Telephone: (0191 33) 46144
E-mail: university.secretary@durham.ac.uk

 

Your rights in relation to your personal data

Privacy notices and/or consent

You have the right to be provided with information about how and why we process your personal data. Where you have the choice to determine how your personal data will be used, we will ask you for consent. Where you do not have a choice (for example, where we have a legal obligation to process the personal data), we will provide you with a privacy notice. A privacy notice is a verbal or written statement that explains how we use personal data.

Whenever you give your consent for the processing of your personal data, you receive the right to withdraw that consent at any time. Where withdrawal of consent will have an impact on the services we are able to provide, this will be explained to you, so that you can determine whether it is the right decision for you.

Accessing your personal data

You have the right to be told whether we are processing your personal data and, if so, to be given a copy of it. This is known as the right of subject access. You can find out more about this right on the University’s Subject Access Requests webpage.

Right to rectification

If you believe that personal data we hold about you is inaccurate, please contact us and we will investigate. You can also request that we complete any incomplete data.

Once we have determined what we are going to do, we will contact you to let you know.

Right to erasure

You can ask us to erase your personal data in any of the following circumstances:

  • We no longer need the personal data for the purpose it was originally collected
  • You withdraw your consent and there is no other legal basis for the processing
  • You object to the processing and there are no overriding legitimate grounds for the processing
  • The personal data have been unlawfully processed
  • The personal data have to be erased for compliance with a legal obligation
  • The personal data have been collected in relation to the offer of information society services (information society services are online services such as banking or social media sites).

Once we have determined whether we will erase the personal data, we will contact you to let you know.

Right to restriction of processing

You can ask us to restrict the processing of your personal data in the following circumstances:

  • You believe that the data is inaccurate and you want us to restrict processing until we determine whether it is indeed inaccurate
  • The processing is unlawful and you want us to restrict processing rather than erase it
  • We no longer need the data for the purpose we originally collected it but you need it in order to establish, exercise or defend a legal claim and
  • You have objected to the processing and you want us to restrict processing until we determine whether our legitimate interests in processing the data override your objection.

Once we have determined how we propose to restrict processing of the data, we will contact you to discuss and, where possible, agree this with you.

Retention

The University keeps personal data for as long as it is needed for the purpose for which it was originally collected. Most of these time periods are set out in the University Records Retention Schedule.

Making a complaint

If you are unsatisfied with the way in which we process your personal data, we ask that you let us know so that we can try and put things right. If we are not able to resolve issues to your satisfaction, you can refer the matter to the Information Commissioner’s Office (ICO). The ICO can be contacted at:

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: Information Commissioner’s Office

 

Part 2 – Tailored Privacy Notice

This section of the Privacy Notice provides you with the privacy information that you need to know before you provide personal data to the University for the particular purpose(s) stated below.

Project Title: CN&D Database
Type(s) of personal data collected and held by the researcher and method of collection:
Personal and demographic data will be collected through online form and stored on a database.

Lawful Basis

How personal data is stored:

All personal data will be held securely and will be strictly confidential to approved members of the CN&D team. The data we will have will be recorded using an online form, after which it will be transferred to the database & the online form copy of the data will be destroyed. The database (on Access) will be stored the S drive, accessible only to authorized members of the CN&D team and members of the technical team in the Department of Psychology.

How personal data is processed:

We will retain the data for a period of 10 years after an individual has signed up for the database (unless the individual requests their data to be removed from the database earlier than this, in which case they will be removed from the database immediately). Any data in relation to children from parents who have signed up, will be automatically removed when the child turns 18.

We will re-consent individuals after the 10 year period.

If you would like to remove your data from the database please get in touch using the CN&D email (CDD@durham.ac.uk).

Who the researcher shares personal data with:

No identifiable data will be shared outside of the Centre team at Durham University.

How long personal data is held by the researcher:

All data will be held confidentially for the standard period of 10 years, after which we will re-consent individuals. If we do not get a response, or the individuals wish to be removed, their data will be destroyed.

How to object to the processing of your personal data for this project:

If you have any concerns regarding the processing of your personal data, contact Prof Mary Hanley (mary.hanley@durham.ac.uk), Prof Debbie Riby (deborah.riby@durham.ac.uk ) or Jessica Hirst (jessica.r.hirst@durham.ac.uk ).

Further information:

Mary Hanley (mary.hanley@durham.ac.uk) CDD Email (cdd@durham.ac.uk)