Information Management

Student privacy notice

How we handle personal data of current students

Under the Data Protection Act 1998 the University of Surrey is a Data Controller and we are therefore legally responsible for the personal data we collect and hold about you. One of our responsibilities is to tell you about the different ways we collect and use your personal data. This statement provides details about these uses. In addition to this statement, you may be given further information about the uses of your personal data when you use certain services offered by the University of Surrey.

Personal data is data relating to a living individual who can be identified from that data or from that data and other information in the University’s possession. It includes data such as name, address, id number etc. Sensitive personal data is defined in the Data Protection Act and is data relating to racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sex life, criminal convictions.

For what reasons do we collect personal data?

The University of Surrey collects only the data we need and we keep that data up to date and only for as long as it is needed. We collect data from applicants and students themselves through application forms and other means, as well as through other third parties such as schools or admissions services.

The University needs to process certain personal data about applicants and students for a number of purposes in order to support your time at University:

  • Administration of the application process, including informing the decision about suitability for potential programmes of study
  • Academic administration and to facilitate your education, including admission and registration, administering programmes of study, organising professional placements, recording progress, agreeing awards, organising examinations, course transcripts and certificates.

  • Administration of the financial aspects of your relationship with the University and with any funders, for example the assessment and collection of fees and other monies due to the University,

  • Management of your use of facilities and participation in events, for example production of the student campus card, provision of IT services, provision of accommodation, graduation, and other functions. We manage access to specific areas, such as the Library and may monitor access to certain buildings and rooms.

  • Enabling effective communications with you

  • Operation of security, disciplinary, complaint and quality assurance processes and arrangements. We may monitor use of IT services to ensure adherence to the Acceptable Use Policy.

  • Support of Health, Safety and welfare requirements. This includes the capture of images by CCTV systems. We may also share necessary information with appropriate third parties such as the police.

  • Production of statistics and research for internal and statutory reporting purposes.

How long do we hold personal data?

The University stores personal data for defined periods of time in line with the University’s Records Retention Schedule, after which it will be appropriately disposed of. Some information may be passed to the University Archive for long term historical preservation or to the Alumni and Development Office to continue a relationship with past students.

How do we use your data in the University?

The University processes personal data in accordance with the Data Protection Act and its own Data Protection Policy.

Within the University, personal data, including sensitive personal data may be shared between colleagues who legitimately need the information to carry out their normal duties to support your time with us. For example, Additional Learning Support or the Centre for Wellbeing may disclose data about health to a tutor or to the Accommodation Office for matters of ensuring individual student welfare. We may capture your image and/or voice recording as part of your learning if certain teaching locations have been recorded. These recordings may be made available via the University’s Virtual Learning Environment (“SurreyLearn”).

Information about your time at the University will be shared with the Alumni and Development Office once you leave to help them develop a relationship with the University’s Alumni. You will be given the opportunity to ask Alumni to remove your personal data from their systems when they first contact you following your graduation.

The University Careers Service may contact you after you have left regarding HESA’s “Destinations of Leavers from Higher Education” (DLHE) questionnaire. This is designed to gather data about your career or other activities at the time and the relevance of the course you undertook at the. If unable to speak to you, the Careers Service are authorised to accept information from a third party such as a near relative. The University may use information provided as part of HESA’s “Destinations of Leavers from Higher Education” (DLHE) questionnaire to assist its programme planning and general development.

The University will try to ensure that sensitive personal data is only shared with colleagues with your explicit consent. However, circumstances may arise where this data is shared with colleagues without gaining your consent. This will only occur if it is needed to protect your vital interests or the vital interests of another person; or for certain other reasons where it is not possible or appropriate to gain your consent such as disclosures to the police for prevention or detection of crime and apprehension or prosecution of offenders, to meet statutory obligations relating to equality monitoring, or for provision of confidential counselling.

How do we share your data with third parties?

The University may need to share your personal and sensitive personal data with third parties outside of the University. This will usually only be done with your consent, however we may share data with external organisations if the University considers it to be in our legitimate interests to do so. For example, information may be shared with partner organisations such as International Study Group to help track the success of the course and for future planning purposes. Selected data, such

as URN, name, programme of study, is shared with Surrey Sports Park when a student becomes a member of SSP.

Data held within our systems, including some sensitive personal data, is sometimes shared with external companies for testing purposes. This data is shared under controlled conditions. Data may also be supplied to providers of anti-plagiarism software. Occasionally, data held within University systems may be hosted outside of the University, for example the University’s Virtual Learning Environment “SurreyLearn”. University email is also provided via Microsoft369 and so selected personal data needed to run and authenticate email services is shared with Microsoft. This data will always be held within the European Economic Area.

Personal data of Undergraduate Degree Students will also be shared with GradIntel to help deliver your Higher Education Achievement Record.

The University sometimes uses images taken around campus or at events in promotional material and some data you supply when you apply to attend a graduation ceremony may also be published in the souvenir programme.

Unless you choose to opt out, the University will pass your details on to the Students’ Union which is separately responsible for processing data relating to its members. This will include any emergency contact details for use only in emergency medical situations. Similarly, the Students’ Union may share some of your data back to the University to allow any achievements made via the Union to be accredited, for example by inclusion in the Higher Education Achievement Report.

We may share personal data if it is required for the performance of a contract; for example between you and your sponsor or funding body. This may require sharing data outside of the EU where necessary. We may also share data with relatives or guardians where appropriate, however this will only be with your consent unless it is in your own vital interests or the vital interests of another person for us to do so.

The University shares data with outside organisations for a variety of legal or statutory reasons; for example making statements of student status to the local authority, to the Student Loans Company, to the Office for Fair Access (OFFA), to the Office of the Independent Adjudicator (OIA) to the Higher Education Funding Council for England, or to the Higher Education Statistics Agency. Any data collected by the University Careers Service as part of HESA’s “Destinations of Leavers from Higher Education” (DLHE) questionnaire will be passed to HESA and will be linked to the record which HESA holds about you.

The University releases data about finalists to an agency acting on behalf of the Higher Education Funding Council for England (HEFCE) for the purposes of the National Student Survey (NSS). The NSS is designed to gather feedback on the quality of teaching, and is supported by the National Union of Students. HEFCE’s appointed agent will make contact directly with finalists.

To assist in preventing immigration fraud the University is required to report to the Home Office details of students subject to immigration control who fail to enrol, who discontinue their studies or who fail to maintain contact with us. We may also be required to provide the Home Office with other information about students. The University may also share personal data with UK immigration

officials regarding the status of applicants or students to check whether an offer of a place has been made or whether a student has enrolled.

If your course of study involves a period of study or employment abroad, the University may transfer personal data to the overseas University or place of employment to support your study or employment. This may be outside of the EU.

The University may occasionally need to share your sensitive personal data outside of the University, for example to the Students’ Union to support welfare, complaint or disciplinary cases. The University will try to do so only with your explicit consent.

The University may share personal data, including sensitive personal data, outside of the University in certain other exceptional circumstances, for example if it is needed to protect your vital interests or the vital interests of another person; or for certain other reasons where it is not possible or appropriate to gain your consent such as disclosures to the police for prevention or detection of crime and apprehension or prosecution of offenders, to meet statutory obligations relating to equality monitoring, for provision of confidential counselling, if it is required by a Court Order, or to obtain legal advice.