Cyber security training privacy notice

The University of Surrey is the “data controller” of your personal data. We are registered with the Information Commissioner’s Office (our notification number is Z6346945) and we are committed to ensuring that the personal data we process is handled in accordance with data protection legislation.

We have a named Data Protection Officer, Elizabeth Powis, who can be contacted at

One of our responsibilities is to tell you about the different ways we collect and use your personal data when you undertake our cyber security training.

Do note that you may be given further information about the uses of your personal data, in addition to this notice, when you use certain services offered by the University of Surrey.

We hold and process the following personal data about our staff and students who undertake cyber security training. This includes your single sign on information, in particular your:

  • First and last name
  • Username
  • Email address
  • AD group
  • Department
  • Manager.

We obtain this data directly from you at the time that you set up an IT account.

The University collects only the data we need to enable us to identify you and enable you to log on to undertake the required training. We keep the data up to date and only for as long as it is needed. 

We process your data in our legitimate interests to ensure that staff and students are aware of their obligations to help protect the University from cyber security incidents. These legitimate interests are determined through an assessment made by weighing our requirements against the impact of the processing on you.

Our legitimate interests will never override your right to privacy and the freedoms that require the protection of your personal data. If you are interested in learning more about this legitimate interest assessment, please contact

The University processes personal data in accordance with data protection legislation and its own Data Protection Policy (PDF)

We will use your single sign on data for this purpose to:

  • Authenticate users against the training platform
  • Enable you to access your allocated cyber security training courses
  • Allow the University to understand the vulnerabilities associated with staff and student cyber awareness and prioritise training
  • Monitor completion and follow up on non-completion, identified challenges and issues
  • Test your understanding
  • Monitor the effectiveness of training
  • Identify any further training needs.

We may also use your data as part of a university based research project, to evaluate the effectiveness of cyber security training.

We keep your personal data for as long as you are employed or studying here and hold a university IT account. It will then be securely destroyed.

We take the security of the personal data we hold seriously. Details on university wide measures surrounding IT security can be found in the principal IT Security Policy (PDF) which sets out the definition of, commitment to and requirements of information technology and security.

We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties.

Where we engage third parties to process personal data on our behalf, they do so on the basis of written instructions contained within a contract, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.


We share your personal data with our cyber operations manager, as application administrator, in IT security or their authorised representative.

We may also share your data with university based researchers to enable them to undertake evaluative research into cyber security training on behalf of the University.


We share your personal data with Proofpoint, who are our training platform provider, to enable you to undertake the required training. For more information, please read their privacy policy.

As an individual whose data we process (a data subject), you have certain rights in relation to the processing. Find detailed information about your rights as a data subject.

You have the right to:

  • Withdraw your consent for us to process your personal data where we have relied on that consent as our basis for processing your data.
  • Ask us to confirm that your personal data is being processed and to access (i.e. have a copy) of that data as well as to be provided with supplemental information about the processing.
  • Request that we rectify any inaccuracies where the data we hold on you is inaccurate or incomplete.
  • Have your data erased by us, although in certain circumstances we may not be able to do this. The circumstances where this applies can be found in the guide to data subject rights information.
  • Restrict the processing of your personal data in certain ways.
  • Obtain your personal data for reuse.
  • Object to certain processing of your personal data.

If you would like to exercise any of your rights please visit our make a privacy request section.

Make a complaint

If you have any concerns about the way that we have handled your personal data please email the Data Protection team as we would like to have the opportunity to resolve your concerns.

If you’re still unhappy, you have the right to complain to the Information Commissioner’s Office (an independent body set up to advise on information rights for the UK) about the way in which we process your personal data.