Student privacy notice

Under data protection legislation we are only allowed to collect the minimum amount of personal data that we need to carry out a specific purpose. The data we hold and process about you is the following.

Information to help identify you

• First and last name
• Date of birth
• Contact information (email address, postal address, phone numbers)
• National Insurance Number (or other tax identification number)
• Passport number (or National Identity Card details)
• Country of domicile and nationality
• Residency status
• Nationality
• University URN and username.
• Photo for purposes of issuing an ID 

Information relating to your education and employment history

• Name and address of the education institution(s) you attend(ed)
• Dates of study and exam results
• Places of work and vocational qualifications achieved.

Family and interests

Information about your family, personal or lifestyle circumstances, extracurricular interests or information to help assess your suitability to receive a bursary or to provide you with appropriate pastoral care.

NHS track and trace

In-line with government Covid-19 secure guidelines we support NHS track and trace by asking all our students, and any members of their party, who use our Library or visit one of our catering facilities to provide their name, contact number and time of visit.

Special category data

The University may process some information about you that is classed as ‘special category’ data in this category. Special category data receives additional protections. The special category data we collect about you is:

• Gender
• Data relating to health and medical conditions
• Racial or ethnic origin
• Religious or similar beliefs
• Sexual orientation
• Sex
• Criminal convictions, where relevant as outlined in the University’s Procedure for Expulsions and Criminal Convictions
• Any data that indicates that you may fall into one of our Widening Participation categories.
• Photo for ID Card Purposes 

You will be able to choose when you register with us as a student whether to share with us certain types of special category data. The online registration process will guide you through this and provide you with more information.

The main stages of data collection

We collect data about you at various stages in your relationship with us.

The main stages are:

• When you apply to study at the University of Surrey and complete an application form.
• When we validate your academic achievements with your previous education provider.
• When you register with us.
• From third party sources (for example, UCAS, other institutions involved in the delivery of joint programs, Government Departments such as the Home Office or the Student Loans Company). Where we obtain personal data from third party sources, we will look to ensure that the third party has lawful authority to provide us with your personal data.
• When you communicate with us, via phone, email or via the website, for example to make enquiries or raise concerns.
• Throughout your time as a student, collating information relating to your work, examinations and other information in your Student or Individualised Learner Record.
• Through engagement with University services, such as careers advice, counselling and financial support. Whenever you engage with one of these services you will be provided with further details about how your data will be used for this purpose at the relevant time.
• When you go on a placement as part of your course of study.
• If you use the Travel Management company

The University collects only the data we need and we keep the data up to date and only for as long as it is needed. We take our obligations for data handling very seriously and it is therefore important for you to know that we process your personal data on the following legal bases:

We process data to ensure that we can carry out our role as an educational and research establishment, meeting legal, moral and contractual obligations as laid out in the University’s Charter.

We process data to meet this public task role when we carry out activities to meet our teaching, learning and research obligations such as:

• Student administration, including registration, provision of student ID card, timetabling, engagement monitoring, maintenance of the student record, organizing professional placements
• Provision of core teaching, learning and research services, including assessment, managing progress, academic misconduct investigations, graduation and organising course transcripts and certificates
• Quality assurance processes around development and upkeep of courses and modules
• As an established research institution, we may use your personal information for research purposes. This includes our research core purpose of facilitating and carrying out research in any field and encouraging and carrying out research that looks to address global challenges and provide long-term benefits to humanity.

We also process data to meet our statutory and legal requirements

We process your data for this purpose when we:

• Perform monitoring and gathering of information to meet equal opportunities obligations and declarations of “good character” for certain courses
• Report to governmental bodies
• Ensure we are meeting our obligations under equality legislation.

We also process data to meet our contractual duties to you as a student and provide you with educational and other services as laid out in our student contract.

We process data to meet our contractual obligations when we:

• Manage your use of facilities and participation in events
• Provide email and other IT services, access to the University networks and Wi-Fi, IT accounts and library services
• Administer the financial aspects of your relationship with the University, such as tuition fee payment, liaison with the Student Loans Company or with the ESFA.
• Administrating travel bookings and claims

Where you have visited our library or one of our catering facilities, we will collect your details, and those of any member of your party, to enable us to comply with our track and trace obligations.

We also process data in our legitimate interests

This is an assessment made by weighing our need to process your data against the impact of the processing on you. Our legitimate interests will never override your right to privacy and the freedoms that require the protection of your personal data. If you are interested in learning more about this legitimate interest assessment, please email the Information Compliance Unit.

We process data for these purposes when we:

• Provide opportunities for student wellbeing and support, including pastoral support, counselling services, personal tutoring, careers and employability services
• Provide opportunities for student support through our engagement monitoring
• Administer financial support services such as assessing eligibility for bursaries, payments and scholarships
• Enable effective communications with you regarding information you need to know for campus security or operations
• Operate and keep a record of disciplinary and complaint issues; and the support to study and fitness to practice and employer complaints process.
• Ensure the security of campus and those people within it
• Manage and process Covid-19 exceptional agreements for your late arrival on campus or to enable you to undertake online study, where appropriate
• Produce statistics and research for internal improvements in the way the University develops and delivers its courses and modules
• To enable us to secure and administer appropriate insurance cover for our students when on university business or field trips abroad, study abroad or work placements abroad and manage any claims that may arise
• Ask you to volunteer to support our marketing activities by providing biographical information and testimonials relating to your experience at Surrey for publication online and in print. We will only publish information about you that you specifically give us consent to share for this purpose.
• We collect your data for the purpose of issuing you with an ID card for control access to University of Surrey buildings and printing purposes. It will also be used as a form of identifying who is under 18 years of age, to support the Students' Union, Wellbeing Services and Campus Safety in identifying those under this age.

We process data for reasons of substantial public interest

This is an assessment made by weighing our need to process your special category data against the impact of the processing on you. We will always ensure that the processing respects the essence of the right to data protection.

We process for this purpose when we:

• Collect and use information relating to criminal convictions in accordance with the University’s Criminal Convictions Policy
• Operate and keep a record of fitness to study and fitness to practice procedures
• Operate and keep a record of disciplinary and complaint issues, including managing any appeals to these process
• Operate and keep a record of academic misconduct and integrity processes
• Operate and manage insurance cover for University business or field trips abroad, study abroad or work placements abroad and manage any claims that may arise.

We process data with your consent

We may process special category data with your consent where we use it to operate and keep a record of any:

• Additional learning support processes you require
• Extenuating circumstances you require
• Where you choose to take part in voluntary placements and knowledge exchange partnerships.

You are free to decide whether or not to provide this data, however, we may not be able to arrange additional learning support or look at any extenuating circumstance for you if you choose not to provide it.

These processes are managed by the University’s Disability and Neurodiversity Service, view their privacy notice.

We process your data for reasons of social protection law

Where we have agreed to enter into a Covid-19 exceptional agreement with you for your late arrival on campus, or to enable you to undertake online study, we will process your special category (sensitive) data on the basis that the processing of that data is necessary for the purposes of carrying out our obligations, and the exercise of your or our rights in the field of social security and social protection law.

We will process your special category (sensitive) data to enable us to trigger our response processes and support the NHS track and trace legislation, where we are aware that a student has tested positive for Covid-19.

The University processes personal data and special category data in accordance with data protection legislation and its own Data Protection Policy (PDF).

We combine the data you provide us at registration with other data generated during your time with the University in order to maintain a summary record of your academic journey with us which is stored in our student management system (SITS) within university networks.

Primary purposes

The data is used for the purposes described above to meet the following primary purposes:

• Student administration, including registration, provision of student ID card, timetabling, engagement monitoring, maintenance of the student record.
• Provision of core teaching, learning and research services, including assessment, managing progress, academic misconduct investigations, fitness to study, fitness to practice, disciplinary and complaint processes, certification and graduation.
• Provision of email and other IT services, access to the University networks and WiFi, IT accounts and library services.
• Student wellbeing and support, including pastoral support, counselling services, personal tutoring, careers and employability services. We will use information on religion and worldview to contact you about religious provisions and upcoming religious festivals.
• Financial administration, including tuition fee payment, liaison with the Student Loans Company and the ESFA, assessing eligibility for bursaries, scholarships and payments.
• Administration of travel bookings and claims.
• Complying with statutory requirements, such as monitoring equal opportunities and declarations of “good character” for certain courses.

We keep your personal data for as long as it is required to perform its purpose or for as long as is required by law. These periods are defined in our retention schedules which are available by emailing the Information Compliance Unit.

We take the security of your data seriously. Details on university-wide measures surrounding IT security can be found in Our Data Policy Statement (PDF) (incorporating Information Security Policy) which sets out the definition of, commitment to and requirements of Information Technology and Security. It specifies regulations to be implemented to secure information and technology that the University manages and to protect against the consequences of breaches of confidentiality, failures of integrity and interruption of availability.

We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties.

Where we engage third parties to process personal data on our behalf, they do so on the basis of written instructions contained within a contract, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

Internally

Your information may be shared internally with:

• Academic staff, student support staff, your personal tutor and other tutors involved in delivering your course of study.
• Finance teams, Library, Security staff and staff in the Centre for Wellbeing if access to the data is necessary for performance of their roles.
• IT Services, in order to provide you with an IT account, email address and access to relevant buildings, IT networks, systems and resources.
• Our Internal Audit team, to ensure University compliance with policies and processes.
• Advancement, for them to contact you regarding ongoing involvement with the Alumni of the University. Advancement have their own privacy notice which you can find on their webpage and you will be given further information about this at that time.
• Our Covid Support Working Group to enable us to trigger our internal processes, in the event that a student tests positive for the virus.

We may also share special category data internally to provide you with support. This will usually be done only with your consent but it may happen where it is necessary to protect your vital interest, or the vital interest of others, and we are unable to get consent from you.

We may share data relating to criminal convictions that you disclose during your time with us internally as explained within the Procedure for Expulsions and Criminal Convictions to assess your ongoing suitability for your course of study.

Sometimes we need to share your personal data with third parties to help us to meet our contractual needs or to provide a better service. We also share data to meet our statutory and regulatory requirements or as required by law for crime prevention, investigation or detection purposes. We also share data where you request us to do so to provide references.

Externally

In our external communications

• Where you have consented to support our marketing activities by providing biographical information and testimonials relating to your experience at Surrey for publication.

Related organisations, only with your consent

• University of Surrey Students’ Union (USSU) to enable it to manage your student union relationship by communicating with you. USSU have their own privacy policy which they will make available on their first contact with you.
• Surrey Sports Park, where you have become a member of the Sports Park and would like them to collect relevant details from us. Surrey Sports Park have their own privacy notice which they will make available to you when you join.
• Sponsoring organisations where you need us to share data to meet contractual obligations
• Relatives or guardians, where appropriate. We will only share information with parents, guardians and next-of-kin when there is a valid reason for disclosure.

Our employees, agents and contractors where there is a valid reason for their receiving the information

• Third parties who provide IT support
• Third parties who provide the campus card production (Card Exchange & Digital ID)
• Third parties who support financial transactions
• Third parties who support our engagement monitoring
• Organisations operating anti-plagiarism software on our behalf
• Third parties who provide our virtual learning environment, SurreyLearn. For more details please review the SurreyLearn Privacy Notice
• External auditors, to ensure University compliance with policies and processes
• Third parties who act on our behalf to recover money you owe us
• Third parties who conduct surveys, for example the National Student Survey
• With the University’s insurance brokers and insurers and related third parties, e.g. lawyers and loss adjustors for the purpose of risk mitigation, securing insurance cover, maintaining and administering that cover and processing any claims that may arise as a result.
• Contracted Offsite Teaching Providers

Those with an interest in tracking student progress and attendance

• Funders, such as the Student Loan Company, the ESFA, research sponsors, research councils and NHS.
• Current or potential education providers or employers, where you take part in an exchange or a placement as part of your course to confirm details of progress and attendance.
• Current or potential employers to provide references.

Professional and regulatory bodies, in relation to the confirmation of qualification, professional registration and conduct and the accreditation of courses

• Nursing and Midwifery Council.
• Health and Care Professions Council.
• British Psychological Society.
• General Medical Council.
• Other medical schools, foundation schools or postgraduate deaneries.
• Association of Chartered and Certified Accountants.
• Advance HE.
• The Department for Education (DfE).
• Royal College of Veterinary Surgeons

Where we need to share your details with an accrediting body, you will be given more details in your course handbook.

Government departments and agencies where we have a statutory obligation to provide information

• The Office for Students (OfS) (formerly the HEFCE).
• The Higher Education Statistics Agency (HESA). HESA collection notices webpage.
• The Home Office (in connection with UK visas and immigration).
• Council Tax and Electoral Registration Officers (for the purpose of assessing liability for Council Tax and for electoral registration purposes.
• The Department for Education (DfE).
• Public Health England/NHS track and trace or any appropriately designated body, when we are requested to do so.

Crime prevention or detection agencies

• The police
• Department for Work and Pensions.

Some of the personal data we process about you may be transferred to, and stored outside the European Economic Area (EEA). This may happen where it is processed by members of University staff, or staff of one of our suppliers, who operate outside the EEA. 

 All transfers to overseas agents is bound by a data processor contract or binding clauses/controller contract which sets out how they will handle your data in accordance with UK data protection legislation.

As an individual whose data we process (a data subject), you have certain rights in relation to the processing. Find detailed information about your rights as a data subject.

You have the right to:

• Withdraw your consent for us to process your personal data where we have relied on that consent as our basis for processing your data.
• Ask us to confirm that your personal data is being processed and to access (i.e. have a copy) of that data as well as to be provided with supplemental information about the processing.
• Request that we rectify any inaccuracies where the data we hold on you is inaccurate or incomplete.
• Have your data erased by us, although in certain circumstances we may not be able to do this. The circumstances where this applies can be found in the guide to data subject rights information.
• Restrict the processing of your personal data in certain ways.
• Obtain your personal data for reuse.
• Object to certain processing of your personal data.

If you would like to exercise any of your rights please visit our make a privacy request section.

Make a complaint

If you have any concerns about the way that we have handled your personal data please email the Data Protection team as we would like to have the opportunity to resolve your concerns.

If you’re still unhappy, you have the right to complain to the Information Commissioner’s Office (an independent body set up to advise on information rights for the UK) about the way in which we process your personal data.