Accommodation Services privacy notice

The University of Surrey is the data controller of your personal data. We are registered with the Information Commissioner’s Office (our notification number is Z6346945) and we are committed to ensuring that the personal data we process is handled in accordance with data protection legislation.

We have a named Data Protection Officer, Elizabeth Powis, who can be contacted via

One of our responsibilities is to tell you about the different ways we collect and use your personal data. This statement provides details about these uses. In addition to this statement, you may be given further information about the uses of your personal data when you use certain services offered by the University of Surrey.

What information do we collect from you?

Accommodation Services holds and processes personal data about staff, students and visitors. The data that we process to enable us to provide you with accommodation services is stored on our Kinetics database.

Please see the below schedule for a breakdown of personal data that we process and our basis for doing so. Please note that this is neither an exclusive nor exhaustive list, but provides a comprehensive overview.

  • Name
  • Contact details (email address)
  • Family details
  • Visa application
  • Staff ID number
  • Date of birth
  • Gender
  • Destination details.

We collect this information to enable you to:

  • Access the Kinetics Application Portal and to enable you to be set up to pay fees
  • Book out our guest rooms.

We collect this information to enable us to:

  • Assess and make decisions regarding your eligibility and/or allocation
  • Correspond and communicate with you regarding maintenance and relevant information
  • Set you up in Agresso for fee payment if you are a staff member and to enable us to make and accept invoices, through XS portal, if you are a student and are already set up in Agresso
  • Ensure the wellbeing of our staff and students
  • Fulfil our council tax/electoral role obligations
  • Ensure the security of our campus and accommodation or operations
  • Prevent/detect offences or the apprehend/prosecute offenders
  • Keep in contact with you if you withdraw or leave the accommodation early

We collect this information to enable us and you to:

  • Uphold the regulations contained within the Staff and Student handbooks and Terms and Conditions of Residency and to investigate when it is suspected a breach of has occurred.​​​​​​​​​​​​

  • Disability adjustments

We collect this information to ensure that you receive appropriate accommodation that meets your requirements. We will receive this confirmation through the Disability and Neurodiversity Service.

  • Name
  • Contact details
  • Family details
  • Family visa details (if relevant).

We collect this information to enable you to book accommodation through the self-application form and through accommodation enquires.

  • Name
  • Contact details (email).

We collect this information to enable you to book accommodation. This is collected directly from you or the resident/member of the University that you are visiting through the accommodation enquires webform, email or telephone.

  • Name
  • Contact details.

We collect this information to enable us to instruct contractors to carry out maintenance work.

Other ways of collecting data

We receive data from you when you:

We may also collect information relating to you internally within the University including from:

  • Academic Registry
  • OSCAR Student Services and Administration (student staff disciplinary matters)
  • Disability and Neurodiversity (disability adjustments)
  • Wardens (provision of assistance and in respect of disciplinary and wellbeing matters)
  • Security Services (provision of assistance and in respect of disciplinary and wellbeing matters and the prevention, detection, investigation and prosecution of offences).

And from external third parties including:

  • Colleagues/peers/family members/friends when booking guest rooms or rooms for summer visitors
  • Police.

The University collects only the data we need and we keep the data up to date and only for as long as it is needed.

Lawful basis for processing your data

It is important for you to know the lawful basis for us processing your information:

We process data to meet our contractual duties to you and provide you with our accommodation services as set out in our contract with you.

We process data in our legitimate interests. These legitimate interests are determined through an assessment made by weighing our requirements against the impact of the processing on you. Our legitimate interests will never override your right to privacy and the freedoms that require the protection of your personal data. If you are interested in learning more about this legitimate interest assessment, please email Data Protection.

We also process data to meet our statutory and legal requirements, specifically the payment of council tax and to ensure that your details on the electoral roll are accurate and up to date.

We process data for reasons of substantial public interest. This is an assessment made by weighing our need to process your special category data against the impact of the processing on you. We will always ensure that the processing respects the essence of the right to data protection.

We process data because you give us your consent and you are free to decide whether or not to provide this data, however, we may not be able to arrange support for you if you choose not to provide it.

The University processes personal data and special category data in accordance with data protection legislation and its own Data Protection Policy (PDF).

We keep your personal data for as long as it is required to perform its purpose or for as long as is required by law.

These periods are defined in our retention schedules which are available by emailing the Information Compliance Unit.

We take the security of your data seriously. Details on university-wide measures surrounding IT security can be found in the principal IT Security Policy (PDF) which sets out the definition of commitment and requirements of Information Technology and Security. It also specifies regulations to be implemented to secure information and technology that the University manages and to protect against the consequences of breaches of confidentiality, failures of integrity and interruption of availability.

We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties.

Where we engage third parties to process personal data on our behalf, they do so on the basis of written instructions contained within a contract, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.


Internally, we share your personal data with our:

  • Security Services to ensure the security of our campus and accommodation facilities or operations, to investigate any suspected breach of university regulations/terms and conditions of residency, to protect the wellbeing of university members and to detect, investigate any suspected breach or offence.
  • Wardens who are responsible for the welfare of students and discipline support in halls of residence.


We share your personal data externally with the following third parties:

  • Our local county council to maintain the electoral roll and to meet our council tax obligations.
  • The police, in liaison with our security services, in order for them to detect, investigate and prosecute any suspected or reported offences.

As an individual whose data we process (a data subject), you have certain rights in relation to the processing. Find detailed information about your rights as a data subject.

You have the right to:

  • Withdraw your consent for us to process your personal data where we have relied on that consent as our basis for processing your data.
  • Ask us to confirm that your personal data is being processed and to access (i.e. have a copy) of that data as well as to be provided with supplemental information about the processing.
  • Request that we rectify any inaccuracies where the data we hold on you is inaccurate or incomplete.
  • Have your data erased by us, although in certain circumstances we may not be able to do this. The circumstances where this applies can be found in the guide to data subject rights information.
  • Restrict the processing of your personal data in certain ways.
  • Obtain your personal data for reuse.
  • Object to certain processing of your personal data.

If you would like to exercise any of your rights please visit our make a privacy request section.

Make a complaint

If you have any concerns about the way that we have handled your personal data please email the Data Protection team as we would like to have the opportunity to resolve your concerns.

If you’re still unhappy, you have the right to complain to the Information Commissioner’s Office (an independent body set up to advise on information rights for the UK) about the way in which we process your personal data.