University Covid-19 response privacy notice

The University of Surrey is the “Data Controller” of your personal data. We are registered with the Information Commissioner’s Office (our notification number is Z6346945) and we are committed to ensuring that the personal data we process is handled in accordance with data protection legislation.

We have a named Data Protection Officer, Elizabeth Powis, who can be contacted via

One of our responsibilities is to tell you about the different ways we collect and use your personal data. This statement provides details about these uses. In addition to this statement, you may be given further information about the uses of your personal data when you use certain services offered by the University of Surrey.

We receive this data from you when you complete the Covid-19 report form.

We will collect and process the following personal data about you:

  • Name
  • Student ID number (URN)
  • Staff ID
  • Date of birth
  • Mobile number
  • Email address
  • Location of residence on campus
  • Residential address
  • Department
  • Programme of study details
  • Whether you work in professional services or faculty
  • Whether you are going to be self-isolating from illness or a trip abroad and for how long or because you have been advised to self-isolate.
  • Country of origin and any transit stops, if applicable
  • Date of arrival in the UK
  • Designation as clinically vulnerable, if applicable
  • Date of any previous test. confirmation of any result or whether you are waiting for results of any previous test
  • Confirmation of any symptoms.

We collect the data so we can make contact with you to discuss the information you’ve provided.

We only collect the data we need and we keep the data up to date and only for as long as it is needed.

We process data in our legitimate interests

We also process data in both our and your legitimate interests to ensure that you and everyone on campus are as safe and healthy as possible during this uncertain time. We need to collect certain information from you, such as your URN, name and the address where you’ll be staying, so that we can alert our maintenance and cleaning teams. This ensures that they can, in turn, do their jobs safely, working around areas that need to be avoided.

We are providing wellbeing support throughout your time at the University, so our Wellbeing team or self-isolation buddy may need to check in with you from time to time, to help give that support while you’re in isolation. For this reason, we also ask for your phone number.

These legitimate interests are determined through an assessment made by weighing our requirements against the impact of the processing on you. Our legitimate interests will never override your right to privacy and the freedoms that require the protection of your personal data. If you are interested in learning more about this legitimate interest assessment, please contact the Data Protection team.

We also need to collect information concerning whether you have had any previous tests to enable us to support you in booking a test on campus.

We process your data for reasons of social protection law

When you complete the Covid-19 self-isolation status update form, when you advise us of a positive test result we will process your special category data on the basis that the processing of that data is necessary for the purposes of carrying out our obligations, and the exercise of both your and our rights in the field of social security and social protection law.

We do not use the data we collect to make decisions about individuals or to analyse information on an individual level.

The data you provide through the form will be processed by the Rapid Response Team to support you through booking a test, your self-isolation and to ensure the campus is maintained and cleaned.

We will keep your information for 12 months from the date that you make a submission to the Covid-19 self-isolation status update form.

We take the security of your data seriously. Details on university wide measures surrounding IT security can be found in the principal IT Security Policy (PDF) which sets out the definition of, commitment to and requirements of information technology and security.

We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties.

Where we engage third parties to process personal data on our behalf, they do so on the basis of written instructions contained within a contract, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

We share your personal data with:

  • Accommodation Services to ensure that you are provided with appropriate accommodation, where applicable
  • IT Services in order for them to make alternative arrangements where there are issues with your room’s IT system
  • Wardens in order to check on your wellbeing
  • Our cleaning supervisors so they can ensure areas are avoided/cleaned thoroughly during and after isolation
  • The University’s Silver Command Group to enable the University to coordinate a response across the University and to liaise with Public Health England/NHS track and trace or any appropriately designated body, when we are requested to do so.

Where we have your consent, we may share your special category data with Disability and Neurodiversity to enable any medical condition you may have to be risk assessed.

As an individual whose data we process (a data subject), you have certain rights in relation to the processing. Find detailed information about your rights as a data subject.

You have the right to:

  • Withdraw your consent for us to process your personal data where we have relied on that consent as our basis for processing your data.
  • Ask us to confirm that your personal data is being processed and to access (i.e. have a copy) of that data as well as to be provided with supplemental information about the processing.
  • Request that we rectify any inaccuracies where the data we hold on you is inaccurate or incomplete.
  • Have your data erased by us, although in certain circumstances we may not be able to do this. The circumstances where this applies can be found in the guide to data subject rights information.
  • Restrict the processing of your personal data in certain ways.
  • Obtain your personal data for reuse.
  • Object to certain processing of your personal data.

If you would like to exercise any of your rights please visit our make a privacy request section.

Make a complaint

If you have any concerns about the way that we have handled your personal data please email the Data Protection team as we would like to have the opportunity to resolve your concerns.

If you’re still unhappy, you have the right to complain to the Information Commissioner’s Office (an independent body set up to advise on information rights for the UK) about the way in which we process your personal data.