Student support services privacy notice

The University of Surrey is registered as a Data Controller with the Information Commissioner’s Office (our notification number is Z6346945), and we are committed to ensuring that the data we process is handled in accordance with data protection legislation.

We have a Data Protection Officer who can be contacted via

One of our responsibilities is to tell you about the different ways we collect and use your personal data. This statement provides details about these uses. In addition to this statement, you may be given further information about the uses of your personal data when you use certain services offered by the University of Surrey.

Our legal obligations

We take our obligations for data handling very seriously and it is therefore important for you to know the lawful basis for us processing your information:

What information we collect and why we collect it

The University collects only the data we need and we keep the data up to date and only for as long as it is needed.

Due to the wide range of support services that we offer, we hold and process personal data about prospective, current and former students, current and former staff as well as third parties (where you provide us with information from them).

Please note that this is not an exclusive nor exhaustive list but provides a comprehensive overview.

We receive this data from you when you:

  • Contact us directly by email/telephone
  • Attend an appointment
  • Complete the report and support form
  • Submit information as part of one of the student facing regulations i.e. academic appeals and extenuating circumstances
  • Complete online enrolment and/or a registration form for student support
  • Apply for a late arrival point.

Depending on the service that you are accessing, we may collect information relating to you from:

How long we keep your information

We keep your personal data for as long as it is required to perform its purpose or for as long as is required by law. These periods are defined in our retention schedules which are available by emailing the Information Compliance Unit

In the event that you are referred to the Centre for Wellbeing from other support services, we will store your records on our CORE system for one year. If you then register with us, these records will then be kept in accordance with our retention schedules.

How we protect your data

We take the security of your data seriously. Details on university-wide measures surrounding IT security can be found in Our Data Policy Statement (PDF) (incorporating Information Security Policy) which sets out the definition of, commitment to and requirements of information technology and security. It specifies regulations to be implemented to secure information and technology that the University manages and to protect against the consequences of breaches of confidentiality, failures of integrity and interruption of availability.

We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties.

Where we engage third parties to process personal data on our behalf, they do so on the basis of written instructions contained within a contract, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

What we do with your information and who we share it with

The University processes personal data and special category data in accordance with data protection legislation and Our Data Policy Statement (PDF). We share your information with the following services:

What rights you have in relation to the way we process your data

As an individual whose data we process (a data subject), you have certain rights in relation to the processing. Find detailed information about your rights as a data subject.

You have the right to:

  • Withdraw your consent in circumstances where we are processing your personal data on that basis.
  • Ask us to confirm that your personal data is being processed and to access (i.e. have a copy) of that data as well as to be provided with supplemental information about the processing.
  • Request that we rectify any inaccuracies where the data we hold on you is inaccurate or incomplete.
  • Have your data erased by us, although in certain circumstances we may not be able to do this, for example, where we must comply with a legal obligation or in managing your health and social care. The circumstances where this applies can be found in the guide to data subject rights information.
  • Restrict the processing of your personal data in certain ways.
  • Obtain your personal data for reuse.
  • Object to certain processing of your personal data.

If you would like to exercise any of your rights please visit our make a privacy request section.

Make a complaint

If you have any concerns about the way that we have handled your personal data please email the Data Protection team as we would like to have the opportunity to resolve your concerns.

If you’re still unhappy, you have the right to complain to the Information Commissioner’s Office (an independent body set up to advise on information rights for the UK) about the way in which we process your personal data.