When the University collects personal data from individuals it must provide them with information about what it intends to do with the data, what its lawful basis or condition from data protection law is that allows it to use the data, how it intends to manage it and how a data subject can exercise their rights in relation to their information.
The University has created a number of privacy notices to cover its major data collections and areas of processing. This is how we satisfy the transparency requirements in data protection law. These notices cover:
- DDAR Alumni
- People and OD - Staff
- Registered Students
- Website user
- Research participants
- Student Enquirer, applicant, offer holder
- Widening participation
- Patient & Public Contributors
Any new or existing data collections which are not covered by these notices should either be added to the relevant one (please contact the Information Governance Office to arrange this) or, if they are one off collections or are unsuitable for inclusion in any of the above, a new privacy notice will need to be written.
The information contained within a privacy notice must be concise, transparent, intelligible, and easily accessible and it must use clear and plain language. You can find further information on using plain language within the University’s guidance.
Privacy notices must regularly be reviewed, and where necessary updated. We must bring any new uses of an individual’s personal data to their attention before we can start the processing. Any updates or additions to a centrally identified privacy notice need to be approved by the Data Protection Officer.
If personal data is being collected for marketing purposes then we may need to gain the individual's consent and we will always need to give users an opportunity to change their mind and opt-out in the future should they wish to do so. These details will need to be added to forms or other sign-up information in the form of a clear statement and an opt-out reminder included in each marketing communication sent.
Should personal data be collected with the intention of selling it or sharing it then we must provide details of all of the parties involved.
When we collect personal data we must provide a legitimate reason for doing so and have this clearly listed within the privacy notice. This is the lawful basis or condition for processing and these are listed in Article 6 of the GDPR, and for special category data an additional condition from Article 9 or Schedule 2 of the Data Protection Act 2018 is also required. Any queries about the lawful basis for processing should be directed to the Information Governance Office.
It is a legal requirement that the University covers every collection of personal data with a privacy notice, and it also forms the basis of the relationship between the University and the individuals upon whom it holds data. If the University does not provide sufficient privacy information it leaves itself open to substantial fines, reputational damage and loss of trust.