The University's role
The University is the ‘data controller’ as we collect and use information about you to carry out the services the University provides to you. The University is committed to protecting your data and being transparent about how we use your data, in line with the current Data Protection Act (2018), the General Data Protection Regulations (GDPR) and any resulting legislation.
Where do we get your personal data from?
We collect the vast majority of the information directly from you, through open day activities, the application process, and during registration. Most of this data is provided and processed in line with your student contract with us. However, we may also collect additional information from third parties such as UCAS, former schools and higher education institutions, agents/agencies, and government departments. Through your period of study, we will also collect and generate additional information about you, such as during tutorials, in connection with your attendance and accommodation, and access of University services.
What information do we collect about you?
The University will collect information about you in the course of its business in providing services to you as a current or former student. This includes details when you apply for a course at the University, when you enrol at the University and as you progress through your course. This will also include data received from external sources such as UCAS and external referees.
These details will include, but are not limited to, the following:
- Your contact details and other information submitted during the application and enrolment processes, and at graduation.
- Contact details of your next of kin to be used in case of emergency.
- Medical information (where applicable) including information about any disabilities or health conditions you have, data about your ethnicity, gender, religious beliefs, and/or sexual orientation. You may also provide this information to us as part of the equality monitoring we carry out pursuant to our legal obligations under the Equality Act 2010
- Details of your modules, courses, timetables, assessment marks and examinations, and any qualifications you are awarded.
- Information about previous qualifications
- Any communications you have with us, and any communications we generate about you
- Financial and personal information collected for the purposes of administering fees and charges, loans, grants, scholarships and hardship funds, and if applicable to assess student eligibility to obtain a visa to study with us
- Photographs and video recordings for the purposes of recording lectures, assessments and examinations.
- Information related to the prevention of and detection of crime and the safety and security of staff and students, which includes, but is not limited to, CCTV recordings and data relating to breaches of the University’s regulations
- Details of any relevant criminal convictions, allegations or charges that we ask you to declare to us either when you apply to us, or whilst you are a student, or which are reported to us, and of any Disclosure and Barring Service checks that we request.
- Details of your engagement with the University such as attendance information and use of electronic services such as BREO, e-vision, Pebble Pad
- Copies of passports and any identification data to ensure eligibility to receive financial support from the UK government and in compliance with right to study and identification requirements.
- Where applicable, this will also include details of visas and any other documents required for compliance with Home Office requirements, as well as biometric data for attendance purposes.
- Information you have directly provided for other services the University provides, such as Student Support (for the provision of advice, support and welfare), the ‘Go Global’ scheme and the University’s career service)
- Data about you that we have to collect by law (for example where UK immigration law requires us to record information about you, or to report it to the immigration authorities)
- Data that we voluntarily provide about you, either whilst you are a student or after you graduate, for example if you ask us for a reference
Why do we collect this information?
The University collects and processes your personal data for a number of reasons. Our grounds for doing so (i.e. our “lawful bases”) are covered in the table below:
Legal basis for processing your information
Contract (GDPR Article 6(1)(b))
By commencing or enrolling as a University of Bedfordshire student, the University will be required to collect, store, use, and otherwise process information about you for any purposes connected with teaching, support, research, administration, your health and safety and for other reasons deemed necessary for the performance of your contractual agreement with the University.
Consent (GDPR Article (6)(1)(a))
In some cases where other lawful bases do not apply, we will process your data on the basis of your consent. For example, in order to assist with your pastoral and welfare needs (e.g. the counselling service and services to students with disabilities).
Legitimate Interests GDPR Article (6)(1)(f)
Processing of your personal data may also be necessary for the pursuit of our legitimate interests or by a third party’s legitimate interests – but only where the processing does not fall within our core public function, is not unwarranted and will not cause a prejudicial effect on the rights and freedoms, or legitimate interests, of the student.
Public Task (GDPR Article 6(1)(e))
Processing of your personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the University
Legal Obligation (Article 6(1)(c))
Processing is necessary for compliance with a legal obligation to which the University is subject.
Vital Interests (Article 6(1)(d))
Processing is necessary in order to protect the vital interests of the data subject or of another natural person
Some of the above grounds for processing will overlap and there may be a number of lawful bases which justify our use of your personal information.
Special Category Data
Sensitive personal data, known as “special category data”, includes data revealing:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data for the purpose of uniquely identifying someone
- Data concerning health
- Data concerning someone’s sex life or sexual orientation
The most common situations where the University may process such data are:
Basis for processing special category data
With your explicit written consent (GDPR Article 9(2)(a))
Where it is necessary in the substantial public interest (GDPR Article 9(2)(g)), in particular
Where it is necessary for archiving purposes in the public interest, or for scientific or historical research purposes, or statistical purposes, subject to further safeguards for your fundamental rights and interests specified in law (GDPR Art 9(2)(j))
Less commonly, we may process special category data:
Where we need to do so in relation to legal claims (GDPR Art 9(2)(f))
Where it is necessary to protect your vital interests (or someone else’s vital interests) and you are not capable of giving consent (GDPR Art 9(2)(c)
Where you have already made the data public (GDPR Art 9(2)(e))
In every case where we process special category data, we will put in place safeguards for your rights and freedoms, which we are required by law to maintain.
Some of the above grounds for processing will overlap and there may be a number of lawful bases which justify our use of your personal information.
Criminal Convictions and allegations of criminal activity
We may process such data on the same grounds as those identified for “Special Category Data” above. However, we will not maintain a comprehensive register of criminal offences.
How will your information be used?
During the course of its activities, the University will use your data to carry out its functions and to provide services to you as part of your student journey. In general, this means we will process your personal data for the administration and delivery of your student contract with us, including the use of our services such as residential services, lecture capture, attendance monitoring, the Library and sport facilities. Due to the vast amount of activities the University undertakes, it is not possible to state every instance where your data will be used; however, the University is committed to ensure your data is only used in carrying out the University’s business.
The below provides examples of how we use your information. Please note the numbers in brackets refers to the legal basis for processing:
- To administer your studies and record your academic achievements, which includes your course choices, examinations and assessments, publishing results and graduation programmes. (1)
- To assist in pastoral and welfare needs for example the counselling service and services to students with disabilities (2)(i)(ii)
- To administer financial aspects of your enrolment as a student (such as payment of fees, debt collection) (1)
- To provide or offer facilities and services to students (for example sporting facilities, computing facilities and Library services) (1)
- To carry out investigations in accordance with academic and misconduct regulations (1)(ii)
- To operate security, disciplinary, complaint and quality assurance processes and arrangements (1)
- To produce management statistics and to conduct research into the effectiveness of our programmes of study as well as produce statistics for statutory purposes. (4), (iii)
- To monitor engagement of students on Tier 4 Visas to ensure compliance with the terms of their sponsorship (5)
- To maximise individual’s opportunities to succeed through the use of learning analytics which are used to monitor individual’s engagement with their studies. This will involve the processing of data such as attendance and assessment to develop an overall picture of engagement. Such processing will only take place where it is necessary for the pursuit of the legitimate interests of the University or the student and only where the processing is not unwarranted and will not cause a prejudicial effect on the rights and freedoms, or legitimate interests, of the student. Sensitive/special category personal data will only be processed where the University is looking at trends and patterns analysis to produce management statistical reports. (3), (iii)
- To monitor our responsibilities under equal opportunities policies (4), (ii), (iii)
- For Higher Education Statistics Agency (HESA) purposes, the University has a statutory obligation to send some of the information we collect about you to HESA for statistical analysis purposes (4), (iii)
- For Higher Education Statistics Agency (HESA) to conduct the Graduate Outcomes Survey after you graduate (4)
- For the provision of University accommodation and other support services such as those of the Library (1)
- Where the student is employed by the University, for the administration of employment contracts (1)
- For the consideration and granting of prizes, scholarships and bursaries, discretionary funding, and other such awards (1), (3)
- For direct mailing of or about (i) student benefits and opportunities offered by or through the University and (ii) University activities and events organised for students (1), (3)
- To ensure the safety of individuals and their property, and for the protection of University assets, including the use of CCTV (1), (3)
- To close family and the emergency services where there is an emergency situation such as illness, serious injury or bereavement (3), (6)
- For Council Tax exemption purposes where personal information is collated at enrolment and shared with Local Authorities (3)
- Where your consent has been provided, the University will register you to vote in the UK and General Elections (2)
- To make contact with you after you graduate about Careers Support, Alumni membership and events, new developments at the University and to update your communication preferences to ensure your experience of the University of Bedfordshire Alumni Association is as rewarding as possible. (3)
The University may process “sensitive personal data”/”special categories of data” for the following purposes and for release to the following third parties:
- To the Higher Education Statistics Agency (HESA), the Office for Students (OFS), government departments and other authorised users for the analysis of student statistics and/or to enable them to carry out their statutory functions. (4), (iii).
- To other bodies involved in the delivery of the course or programme e.g. partner colleges or placement providers, for the purpose of programme administration and/or statistical analysis (1), (ii)
- For admission to and the administration of student programmes (1), (i)
- To professional bodies where it is a requirement of the student’s studies to be registered with that body e.g. the NMC for nursing students (1), (ii)
- For the assessment and provision of services to disabled students (1), (i)
- Where necessary, to third party security providers, the police or other agencies for the prevention or detection of crime (1), (4), (ii)
- To the University’s external lawyers or insurers regarding legal claims, or accidents which have occurred within the institution (3), (iv)
- To Occupational Health Services for the purpose of safeguarding individuals at risk (1),(4),(ii)
Who is your information shared with?
Where necessary, personal information will be shared internally within and across other departments at the University. Personal information is protected by the University and may be shared with external parties, as required in the course of your studies.
The list below outlines the major organisations and most common circumstances in which the University will disclose your personal information. Where this is outside of the EEA, the University will only transfer information if it meets the conditions under the GDPR.
- To sponsors, agents and parents where consent has been provided
- Other Higher Education Institutions or organisations, or apprenticeship providers involved in the delivery of your course
- Higher Education Statistical Agency (HESA)
- Higher Education Access Tracker (HEAT)
- Office for Students
- Education and Skills Funding Agency (ESFA)
- Accommodation providers where you have applied through the University's approved accommodation system
- Where applicable, professional bodies, such as the National Health Service and Law Society, in order to confirm your qualifications and accredit your course
- With external examiners for the purpose of marking your assessments
- Work placement sites or educational partners involved in joint course provision
- National College for Teaching and Leadership for the administration of bursaries for teacher training (for students on professional programmes, Early Years Teacher Status and English as a Foreign Language)
- Nursing and Midwifery Council, the Health and Care Professions Council and the General Medical Council (for students on nursing, midwifery, social work or youth courses)
- NHS Bursaries Unit (for students of NHS-funded courses)
- Health Education England and Health Education Thames Valley
- Public sector regulatory bodies such as The British Council and the Office for Standards in Education
- The Student Loan Company to confirm enrolment, attendance and identity so students can access financial support (where applicable)
- Bodies which are responsible for professional accreditation
- Frontline (a Government funded body which commissions social work training)
- Debt recovery and control companies in order to recover debt on behalf of the University, where internal debt recovery procedures have been unsuccessful
- Potential employers or providers of education whom you have approached (for example, where you have listed the University of Bedfordshire as a referee)
- Plagiarism detection service providers in accordance with University regulations
- Local authorities for purposes of council tax exemption and voting purposes where it is necessary for the pursuit of the legitimate interests of the Local Authorities or the student but only where the processing does not fall within our core public function, is not unwarranted and will not cause a prejudicial effect on the rights and freedoms, or legitimate interests, of the student.
- The University of Bedfordshire’s Student Union, Beds SU, in order to provide you with the services offered by Beds SU, including, but not limited to, take part in democratic processes, benefit from representation services, join sports clubs and societies and receive communications. The University may also share sensitive information to monitor and promote equal opportunities.
- Organisations the University works alongside to provide graduation ceremony services to students, this includes, but is not limited to sharing details of names, courses and results in order to provide graduation ceremony programmers, gowns, and video recordings of graduation ceremonies.
- Systems used in the course of your studies and during your time as a student, which are not managed directly by the University, for example BREO, E-Vision, Pebble Pad
- Any services where you have provided direct consent, for example the University’s careers service and Go Global
- Occupational Health providers, to enable the provision of these facilities, where applicable
- Agencies with responsibilities for the prevention and detection of crime, apprehension and prosecution of offenders, or collection of a tax or duty, such as law enforcement or counter-fraud investigators.
- The Home Office; UK Visas and Immigration (for international students), in order to fulfil the University’s obligations as a visa sponsor.
- Disclosure and Barring Service (DBS), for certain roles to assess an individual’s suitability for positions of trust or where the role works with vulnerable people or children.
- Third party service providers, in order to facilitate activities of the University, or activities carried out by the provider on behalf of the University. Any transfer will be subject to an appropriate, formal agreement between the University and the third party service provider, and subject to the third party taking appropriate security measures to protect your personal information in line with our policies.
Where we share your information with third parties, we will seek to share the minimum amount of information necessary to fulfil the purpose. Our third-party service providers are only permitted to process your personal data for specified purposes (as written in the contract between us), and will not do so for their own purposes.
International transfers of data
In some instances, we may need to share your personal data with other organisations based in the European Union or outside the European Union, in order to fulfil our purposes.
Where this is necessary, we will ensure we only do so if there are appropriate safeguards in place.
If you are resident outside the EU in a country where there is no “adequacy decision” by the European Commission (a decision whereby the EC states that the country has an appropriate level of data protection), and there is no alternative safeguard available, we may still transfer data to you which is necessary for performance of your contract with us, or to take pre-contractual measures at your request.
Otherwise, we will not transfer your data outside the EU without notifying you first of our intentions and of the relevant safeguards which we have put in place.
How long will your information be held?
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
After you have graduated, the University is required to retain some of your information to provide statutory analytical data and to verify awards, provide transcripts of marks and to provide academic references for career support. Once you are no longer a student we will retain or securely destroy your personal information in accordance with our Records Management Policy and Retention Schedule.
In some circumstances we may anonymise your personal information so that it can no longer be used to identify you, in which case we may use such information without further notice to you.
Keeping your information secure
The University is required under data protection legislation to keep your information secure, and measures are in place to prevent unauthorised access and disclosure of your information. Only relevant members of staff who require access to your records will be authorised to do so. Systems and electronic files are subject to password restrictions and other security measures. Paper files will be stored in secure areas with controlled access.
Some processing of your information may be undertaken on the University’s behalf by third party organisations. Organisations processing personal data on the University’s behalf are also bound by the GDPR and the University has sought assurances from these organisations to ensure they are aware of their obligations under the GDPR and resulting legislation.
In certain circumstances, you have the following rights available to you under GDPR:
- The right to know how we are using your data
- The right to request a copy of your data (commonly known as a “subject access request”)
- The right to request correction or completion of your data
- In certain circumstances, the right to ask us to delete or remove your data from our systems, for example, if you consider that there is no good reason for us to continue to process it
- The right to object to how we are using your data
- The right to request that we restrict how we are using your data
- The right to request a copy of your data in a commonly used electronic form
- The right to withdraw consent, where that is the legal basis of our processing
Please be aware that these rights are subject to certain conditions and exceptions as set out in the data protection legislation.
For more information, please see: ico.org.uk
If you wish to exercise any of your rights, please contact the Data Protection Officer in writing and they will explain any conditions that may apply.
Please note that we may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is a necessary security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
You will not have to pay a fee to exercise any of your rights; however, if your request is clearly unfounded or excessive, we may charge a reasonable fee. Alternatively, in such situations, we may refuse to comply with the request.
Throughout the course of your studies, you have a responsibility to keep your personal details up to date. You can update your details via e-vision
During your time as a student, you may have access to other individuals' personal data and you are legally obliged to handle this in a confidential, professional and responsible manner in line with data protection legislation and any other codes of conduct or ethics.
If you are made aware of an individual’s personal information then you are expected to keep this confidential and to not tell anyone without the individual’s prior consent (unless there is an exceptional circumstance). You should also not seek to actively obtain another individual's personal information to which you are not entitled.
In the instance where data protection legislation or a duty of confidence has been breached, disciplinary action will be considered.
Changes to this Notice
Data Protection Officer
University of Bedfordshire
During office hours
+44 (0)1234 400 400
Outside office hours
+44 (0)1582 74 39 89
Our Tweets: @uniofbeds
Apr 20, 2021
Apr 19, 2021
Apr 19, 2021
Apr 19, 2021
Apr 19, 2021
Apr 18, 2021
Apr 17, 2021
Apr 17, 2021