The University is the ‘data controller’ as we collect and use information about you to carry out the services the University provides to you. The University is committed to protecting your data and being transparent about how we use your data, in line with the current Data Protection Act (2018), the General Data Protection Regulations (GDPR) and any resulting legislation.
We collect the vast majority of the information directly from you, through open day activities, the application process, and during registration. Most of this data is provided and processed in line with your student contract with us. However, we may also collect additional information from third parties such as UCAS, former schools and higher education institutions, agents/agencies, and government departments. Through your period of study, we will also collect and generate additional information about you, such as during tutorials, in connection with your attendance and accommodation, and access of University services.
The University will collect information about you in the course of its business in providing services to you as a current or former student. This includes details when you apply for a course at the University, when you enrol at the University and as you progress through your course. This will also include data received from external sources such as UCAS and external referees.
These details will include, but are not limited to, the following:
The University collects and processes your personal data for a number of reasons. Our grounds for doing so (i.e. our “lawful bases”) are covered in the table below:
Point |
Legal basis for processing your information |
1 |
Contract (GDPR Article 6(1)(b)) By commencing or enrolling as a University of Bedfordshire student, the University will be required to collect, store, use, and otherwise process information about you for any purposes connected with teaching, support, research, administration, your health and safety and for other reasons deemed necessary for the performance of your contractual agreement with the University. |
2 |
Consent (GDPR Article (6)(1)(a)) In some cases where other lawful bases do not apply, we will process your data on the basis of your consent. For example, in order to assist with your pastoral and welfare needs (e.g. the counselling service and services to students with disabilities). |
3 |
Legitimate Interests GDPR Article (6)(1)(f) Processing of your personal data may also be necessary for the pursuit of our legitimate interests or by a third party’s legitimate interests – but only where the processing does not fall within our core public function, is not unwarranted and will not cause a prejudicial effect on the rights and freedoms, or legitimate interests, of the student. |
4 |
Public Task (GDPR Article 6(1)(e)) Processing of your personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the University |
5 |
Legal Obligation (Article 6(1)(c)) Processing is necessary for compliance with a legal obligation to which the University is subject. |
6 |
Vital Interests (Article 6(1)(d)) Processing is necessary in order to protect the vital interests of the data subject or of another natural person |
Some of the above grounds for processing will overlap and there may be a number of lawful bases which justify our use of your personal information.
Special Category Data
Sensitive personal data, known as “special category data”, includes data revealing:
The most common situations where the University may process such data are:
Point |
Basis for processing special category data |
i |
With your explicit written consent (GDPR Article 9(2)(a)) |
ii |
Where it is necessary in the substantial public interest (GDPR Article 9(2)(g)), in particular
|
iii |
Where it is necessary for archiving purposes in the public interest, or for scientific or historical research purposes, or statistical purposes, subject to further safeguards for your fundamental rights and interests specified in law (GDPR Art 9(2)(j)) |
Less commonly, we may process special category data: |
|
iv |
Where we need to do so in relation to legal claims (GDPR Art 9(2)(f)) |
v |
Where it is necessary to protect your vital interests (or someone else’s vital interests) and you are not capable of giving consent (GDPR Art 9(2)(c) |
vi |
Where you have already made the data public (GDPR Art 9(2)(e)) |
In every case where we process special category data, we will put in place safeguards for your rights and freedoms, which we are required by law to maintain.
Some of the above grounds for processing will overlap and there may be a number of lawful bases which justify our use of your personal information.
Criminal Convictions and allegations of criminal activity
We may process such data on the same grounds as those identified for “Special Category Data” above. However, we will not maintain a comprehensive register of criminal offences.
During the course of its activities, the University will use your data to carry out its functions and to provide services to you as part of your student journey. In general, this means we will process your personal data for the administration and delivery of your student contract with us, including the use of our services such as residential services, lecture capture, attendance monitoring, the Library and sport facilities. Due to the vast amount of activities the University undertakes, it is not possible to state every instance where your data will be used; however, the University is committed to ensure your data is only used in carrying out the University’s business.
The below provides examples of how we use your information. Please note the numbers in brackets refers to the legal basis for processing:
The University may process “sensitive personal data”/”special categories of data” for the following purposes and for release to the following third parties:
Where necessary, personal information will be shared internally within and across other departments at the University. Personal information is protected by the University and may be shared with external parties, as required in the course of your studies.
The list below outlines the major organisations and most common circumstances in which the University will disclose your personal information. Where this is outside of the EEA, the University will only transfer information if it meets the conditions under the GDPR.
Where we share your information with third parties, we will seek to share the minimum amount of information necessary to fulfil the purpose. Our third-party service providers are only permitted to process your personal data for specified purposes (as written in the contract between us), and will not do so for their own purposes.
In some instances, we may need to share your personal data with other organisations based in the European Union or outside the European Union, in order to fulfil our purposes.
Where this is necessary, we will ensure we only do so if there are appropriate safeguards in place.
If you are resident outside the EU in a country where there is no “adequacy decision” by the European Commission (a decision whereby the EC states that the country has an appropriate level of data protection), and there is no alternative safeguard available, we may still transfer data to you which is necessary for performance of your contract with us, or to take pre-contractual measures at your request.
Otherwise, we will not transfer your data outside the EU without notifying you first of our intentions and of the relevant safeguards which we have put in place.
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
After you have graduated, the University is required to retain some of your information to provide statutory analytical data and to verify awards, provide transcripts of marks and to provide academic references for career support. Once you are no longer a student we will retain or securely destroy your personal information in accordance with our Records Management Policy and Retention Schedule.
In some circumstances we may anonymise your personal information so that it can no longer be used to identify you, in which case we may use such information without further notice to you.
The University is required under data protection legislation to keep your information secure, and measures are in place to prevent unauthorised access and disclosure of your information. Only relevant members of staff who require access to your records will be authorised to do so. Systems and electronic files are subject to password restrictions and other security measures. Paper files will be stored in secure areas with controlled access.
Some processing of your information may be undertaken on the University’s behalf by third party organisations. Organisations processing personal data on the University’s behalf are also bound by the GDPR and the University has sought assurances from these organisations to ensure they are aware of their obligations under the GDPR and resulting legislation.
In certain circumstances, you have the following rights available to you under GDPR:
Please be aware that these rights are subject to certain conditions and exceptions as set out in the data protection legislation.
For more information, please see: ico.org.uk
If you wish to exercise any of your rights, please contact the Data Protection Officer in writing and they will explain any conditions that may apply.
Please note that we may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is a necessary security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
You will not have to pay a fee to exercise any of your rights; however, if your request is clearly unfounded or excessive, we may charge a reasonable fee. Alternatively, in such situations, we may refuse to comply with the request.
Throughout the course of your studies, you have a responsibility to keep your personal details up to date. You can update your details via e-vision
During your time as a student, you may have access to other individuals' personal data and you are legally obliged to handle this in a confidential, professional and responsible manner in line with data protection legislation and any other codes of conduct or ethics.
If you are made aware of an individual’s personal information then you are expected to keep this confidential and to not tell anyone without the individual’s prior consent (unless there is an exceptional circumstance). You should also not seek to actively obtain another individual's personal information to which you are not entitled.
In the instance where data protection legislation or a duty of confidence has been breached, disciplinary action will be considered.
We will inform you of any changes to this Privacy Policy. This will be done through an appropriate method of communication, for example where our main contact with you is by email we will email you.
If you have any questions about this privacy policy, please contact our Data Protection Officer:
Alexandra Pavel
Data Protection Officer
University of Bedfordshire
University Square
Luton
Bedfordshire
LU1 3JU
By telephone
During office hours
(Monday-Friday 08:30-17:00)
+44 (0)1234 400 400
Outside office hours
(Campus Watch)
+44 (0)1582 74 39 89
By email
admission@beds.ac.uk
(admissions)
international@beds.ac.uk
(international)
sid@beds.ac.uk (student support)
help@beds.ac.uk (registration)
erasmus@beds.ac.uk (exchanges)
By post
University of Bedfordshire
University Square
Luton
Bedfordshire
UK, LU1 3JU