Student privacy notice
How the University of Surrey handles the personal data of students
The University of Surrey is the “Data Controller” of your personal data. We are registered with the Information Commissioner’s Office (our notification number is Z6346945) and we are committed to ensuring that the personal data we process is handled in accordance with data protection legislation.
We have a named Data Protection Officer, Suzie Mereweather, who can be contacted via firstname.lastname@example.org
One of our responsibilities is to tell you about the different ways we collect and use your personal data. This statement provides details about these uses. In addition to this statement, you may be given further information about the uses of your personal data when you use certain services offered by the University of Surrey.
Under data protection legislation we are only allowed to collect the minimum amount of personal data that we need to carry out a specific purpose. The data we hold and process about you is:
Information to help identify you:
- first name, last name
- date of birth
- contact information (email address, postal address, phone numbers)
- National Insurance Number (or other Tax Identification number)
- Passport Number (or National Identity Card details)
- Country of domicile and nationality
- University URN and username
Information relating to your education and employment history:
- name and address of the education institution(s) you attend(ed)
- dates of study and exam results
- places of work and vocational qualifications achieved
Information about your family, personal or lifestyle circumstances, extracurricular interests or information to help assess your suitability to receive a bursary or to provide you with appropriate pastoral care.
The University may process some information about you that is classed as ‘special category’ data in this category. Special category data receives additional protections. The special category data we collect about you is:
- data relating to health and medical conditions
- racial or ethnic origin
- religious or similar beliefs
- sexual orientation
- criminal convictions (where relevant to assessing your suitability for certain courses of study)
- any data that indicates that you may fall into one of our Widening Participation categories. You can find more information about this on our Widening Participation and Outreach webpage https://surreynet.surrey.ac.uk/staff-services/widening-participation-and-outreach
You will be able to choose when you register with us as a student whether to share with us certain types of special category data. The Online Registration process will guide you through this and provide you with more information.
We collect data about you at various stages in your relationship with us. The main stages are:
- when you apply to study at the University of Surrey and complete an application form
- when we validate your academic achievements with your previous education provider
- when you register with us as a student
- from third party sources (for example, UCAS, other institutions involved in the delivery of joint programs, Government Departments such as the Home Office or the Student Loans Company). Where we obtain personal data from third party sources, we will look to ensure that the third party has lawful authority to provide us with your personal data.
- when you communicate with us, via phone, email or via the website, for example to make enquiries or raise concerns.
- throughout your time as a student, collating information relating to your work, examinations and other information in your Student Record
- through engagement with University services, such as careers advice, counselling and financial support. Whenever you engage with one of these services you will be provided with further details about how your data will be used for this purpose at the relevant time.
- when you go on a placement as part of your course of study
The University collects only the data we need and we keep the data up to date and only for as long as it is needed. We take our obligations for data handling very seriously and it is therefore important for you to know that we process your personal data on the following legal bases:
We process data to ensure that we can carry out our role as an educational and research establishment, meeting legal, moral and contractual obligations as laid out in the University’s Charter.
We process data to meet this public task role when we carry out activities to meet our teaching, learning and research obligations such as:
- student administration, including registration, provision of student ID card, timetabling, engagement monitoring, maintenance of the student record, organizing professional placements,
- provision of core teaching, learning and research services, including assessment, managing progress, academic misconduct investigations, graduation and organising course transcripts and certificates
- quality assurance processes around development and upkeep of courses and modules
We also process data to meet our statutary and legal requirements.
We process your data for this purpose when we:
- perform monitoring and gathering of information to meet equal opportunities obligations and declarations of “good character” for certain courses
- report to governmental bodies
- ensure we are meeting our obligations under equality legislation
We also process data to meet our contractual duties to you as a student and provide you with educational and other services as laid out in our student contract with you.
We process data to meet our contractual obligations when we
- manage your use of facilities and participation in events
- provide email and other IT services, access to the University networks and Wifi, IT accounts and library services
- administer the financial aspects of your relationship with the University, such as tuition fee payment, liaison with the Student Loans Company
We also process data in our legitimate interests
This is an assessment made by weighing our need to process your data against the impact of the processing on you. Our legitimate interests will never override your right to privacy and the freedoms that require the protection of your personal data. If you are interested in learning more about this legitimate interest assessment, please contact email@example.com
We process data for these purposes when we:
- provide opportunities for student wellbeing and support, including pastoral support, counselling services, personal tutoring, careers and employability services
- administer financial support services such as assessing eligibility for bursaries and scholarships
- enable effective communications with you regarding information you need to know for campus security or operations
- operate and keep a record of disciplinary and complaint issues, and the fitness to study process
- ensure the security of campus and those people within it
- produce statistics and research for internal improvements in the way the University develops and delivers its courses and modules
We process data for reasons of substantial public interest
We process special category data for the purpose of substantial public interest. This is an assessment made by weighing our need to process your special category data against the impact of the processing on you. We will always ensure that the processing respects the essence of the right to data protection.
We process for this purpose when we:
- operate and keep a record of fitness to study and fitness to practice procedures
- operate and keep a record of disciplinary and complaint issues, including managing any appeals to these process
- operate and keep a record of academic misconduct and integrity processes
We process data with your consent
We may process special category data with your consent where we use it:
- to operate and keep a record of any additional learning support processes you require
- to operate and keep a record of any extenuating circumstances you require
You are free to decide whether or not to provide this data and there are no consequences if you choose not to provide it.
These processes are managed by the University’s Additional Learning Support service based in the Library and Learning Support department. They have a separate privacy notice which details how and why they process your data which you can obtain from firstname.lastname@example.org
The University processes personal data and special category data in accordance with data protection legislation and its own Data Protection Policy.
We combine the data you provide us at Registration with other data generated during your time with the University in order to maintain a summary record of your academic journey with us which is stored in our student management system (SITS) within University networks.
The data is used for the purposes described above to meet the following primary purposes:
Student administration, including registration, provision of student ID card, timetabling, engagement monitoring, maintenance of the student record;
Provision of core teaching, learning and research services, including assessment, managing progress, academic misconduct investigations, fitness to study, fitness to practice, disciplinary and complaint processes, certification and graduation;
Provision of email and other IT services, access to the University networks and Wifi, IT accounts and library services;
Student wellbeing and support, including pastoral support, counselling services, personal tutoring, careers and employability services;
Financial administration, including tuition fee payment, liaison with the Student Loans Company, assessing eligibility for bursaries and scholarships;
Complying with statutory requirements, such as monitoring equal opportunities & declarations of “good character” for certain courses
We keep your personal data for as long as it is required to perform its purpose or for as long as is required by law. These periods are defined in our retention schedules which are available by contacting email@example.com.
We take the security of your data seriously. Details on University wide measures surrounding IT security can be found in the principal IT Security Policy which sets out the definition of, commitment to and requirements of Information Technology and Security. It specifies regulations to be implemented to secure information and technology that the University manages and to protect against the consequences of breaches of confidentiality, failures of integrity and interruption of availability.
We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties.
Where we engage third parties to process personal data on our behalf, they do so on the basis of written instructions contained within a contract, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
Your information may be shared internally with:
- academic staff, student support staff, your personal tutor and other tutors involved in delivering your course of study
- Finance teams, Library, Security staff and staff in the Centre for Wellbeing if access to the data is necessary for performance of their roles.
- IT Services, in order to provide you with an IT account, email address and access to relevant buildings, IT networks, systems and resources
- Our Internal Audit team, to ensure University compliance with policies and processes
- Advancement, for them to contact you regarding ongoing involvement with the Alumni of the University. Advancement have their own privacy notice which you can find on their webpage and you will be given further information about this at that time.
We may also share special category data internally to provide you with support. This will usually be done only with your consent but it may happen where it is necessary to protect your vital interest, or the vital interest of others, and we are unable to get consent from you.
Sometimes we need to share your personal data with third parties to help us to meet our contractual needs or to provide a better service. We also share data to meet our statutory and regulatory requirements or as required by law for crime prevention, investigation or detection purposes. We also share data where you request us to do so to provide references.
We share your personal data, where required, with the following external third parties:
Related organisations, only with your consent:
- Surrey Sports Park, where you have become a member of the Sports Park and would like them to collect relevant details from us. Surrey Sports Park have their own privacy notice which they will make available to you when you join
- Sponsoring organisations where you need us to share data to meet contractual obligations
- relatives or guardians, where appropriate. We will only share information with parents, guardians and next-of-kin when there is a valid reason for disclosure
Our employees, agents and contractors where there is a valid reason for their receiving the information:
- third parties who provide IT support
- third parties who provide the Campus Card production
- third parties who support financial transactions
- organisations operating anti-plagiarism software on our behalf
- third parties who provide our virtual learning environment, SurreyLearn. There is a separate privacy notice for data processed via SurreyLearn which can be obtained by contacting the Technology Enhanced Learning team
- External auditors, to ensure University compliance with policies and processes
- third parties who act on our behalf to recover money you owe to us
- third parties who conduct surveys, for example the National Student Survey
Those with an interest in tracking student progress and attendance:
- Funders, such as the Student Loan Company, research sponsors, research councils and NHS
- Current or potential education providers or employers, where you take part in an exchange or a placement as part of your course to confirm details of progress and attendance.
- Current or potential employers, to provide references
Professional and regulatory bodies, in relation to the confirmation of qualification, professional registration and conduct and the accreditation of courses, including:
- Nursing & Midwifery Council
- Health and Care Professions Council
- British Psychological Society
- Association of Chartered and Certified Accountants
Where we need to share your details with an accrediting body, you will be given more details in your course handbook.
Government departments and agencies where we have a statutory obligation to provide information:
- The Office for Students (OfS) (formerly the HEFCE)
- The Higher Education Statistics Agency (HESA)
- The Home Office (in connection with UK visas and immigration)
- Council Tax & Electoral Registration Officers (for the purpose of assessing liability for Council Tax & for electoral registration purposes
Crime prevention or detection agencies
- The police
- Department for Work & Pensions
Do we transfer information overseas?
Some of the personal data we process about you may be transferred to, and stored outside the European Economic Area (EEA). This may happen where it is processed by members of University staff, or staff of one of our suppliers, who operate outside the EEA.
All transfers to overseas agents is bound by a data processor contract or binding clauses/controller contract which sets out how they will handle your data in accordance with UK data protection legislation.
As an individual whose data we process (a data subject), you have certain rights in relation to the processing. You can find detailed information about your rights as a data subject on the University’s webpage.
You have the right to:
- withdraw your consent for us to process your personal data
- ask us to confirm that your personal data is being processed and to access (i.e. have a copy) of that data as well as to be provided with supplemental information about the processing.
- request that we rectify any inaccuracies where the data we hold on you is inaccurate or incomplete
- have your data erased by us, although in certain circumstances we may not be able to do this. The circumstances where this applies can be found in the data subject rights information on the University’s webpage
- restrict the processing of your personal data in certain ways
- obtain your personal data for reuse
- object to certain processing of your personal data
You have the right to object to the way we process your data. To exercise this right, please contact firstname.lastname@example.org.
You also have the right to complain to the Information Commissioner’s Office about the way in which we process your personal data.