Skip to navigation | Skip to main content | Skip to footer
Menu
Search the Staffnet siteSearch StaffNet

Information Governance Office

Running competitions and outreach activities

Competitions or other types of outreach activities targeted at school age children, are likely to involve the processing of personal data. The guidance below helps University departments ensure that their activities comply with data protection law and that appropriate technical and organisational measures are in place to manage the security of that data.

  • For new competitions or other outreach activities for which the University is the lead partner, or will be managing or processing personal data, an IGRR assessment should be completed.

  • Determine what role the University has in relation to the activity – is the University the lead partner organising the activity with responsibility for managing and making decisions around how personal data is to be processed? In this case the University is the data controller. Alternatively, if the University is providing support to another organisation such as a Council or schools, for instance by storing or collecting data on their behalf, but for which the partner is the party responsible for making decisions on how the data will be processed, the University is the data processor. Where the University is acting as a processor there should be an agreement setting out the ‘processing instructions’. The data controller will usually be responsible for putting this in place.

  • There must be a privacy notice/statement advising participants how their information will be processed, how long it will be stored and, if applicable, which third parties the information will be shared with.  Ensure that only the minimum amount of information that is required for the processing is being collected. If the University is the data controller, it will be the responsibility of the University to produce this statement. A statement will also be required in any location where personal data is being collected.

  • Consider where personal data will be stored and whether this is appropriate for the information security classification of the data. Ensure that access to the personal data is limited to those who require access and that a secure transfer method is used if information will be shared. 

  • If you are planning on taking photographs as part of the outreach activity, you will need to follow guidance around the correct use of images.