In order to fulfil their educational, pastoral, and administrative responsibilities before, during and after your studies at Oxford, your College, the Department and the University will need to collect and process personal data about you. GDPR requires that any such information is processed fairly and lawfully, is held securely, and is kept up-to-date. In some cases this processing is permitted under GDPR as being necessary to enable your College, the Department and the University to fulfil their operational responsibilities and where your rights and legitimate interests are not prejudiced by the processing.
Your consent is not needed for processing of this data, which is described in section 1(a) below. There are other cases where your consent is similarly not required and these are described in 1(b) and 1(c) below.
The final category of processing is that of sensitive personal data which does require your consent and that is described in section 2 below. In the case of students data is typically collected by your College and may be passed to the Department and University and vice versa, so that necessary processing can be undertaken. Data may also be shared with other Colleges. In the case of other department members data is typically collected by both the Department and University passed from one to the other for processing as necessary.
- Non-sensitive personal data
Categories of the non-sensitive personal data which may be collected and processed are set out below; these lists are not exhaustive but indicate the main sorts of such data.
(a) Non-sensitive data which may be collected during the applications process and during your studies/employment at Oxford
Name, address, telephone number and email address; any other contact details; date of birth and gender; marital and family/household details; name of doctor; person to be contacted in case of emergency and contact details; school and admissions documentation; matriculation details and course studied; information on academic performance; examination details; distinctions, prizes, positions of responsibility held; membership of University clubs and societies; disciplinary action taken; financial matters (including loans, fees, college invoices, scholarships and bursaries etc).; information provided to the College/University during the course of your studies; information needed to permit access to College/University facilities such as computing facilities, libraries and for the issue of the University card, where access will be subject to regulations available from the provider of the facility; passwords and IDs used to access College or University facilities; provision of student advice and support (eg OUSU and Careers Service).
Your consent for such processing is not required as it is processing needed to allow the College(s) and the University to fulfil their educational, pastoral and administrative responsibilities.
(b) Additional non-sensitive data which may be collected and processed after your studies/employment have been completed.
Details of qualifications and skills; employment details; membership of professional bodies; publications.
Processing of data of this kind does not require your written consent but you may wish to indicate to your College/the University if you do not wish it to be collected or processed.
(c) Alumni data
Unless you request otherwise, your College, the Department and the University will add your details to their alumni records so that you may receive relevant publications and information about alumni activities, events and programmes and be kept informed more generally about the activities of your College and the University . Your data may also be included in College/University alumni publications.
Such data will be held securely and will be treated confidentially for your benefit and the benefit of your College, the Department and the University. The data will be available to your College, the Department and the University's Development Office, International Offices, faculties, academic and administrative departments, and to the Oxford University Society and other recognised alumni societies, sports and other clubs associated with your College and the University. It may be disclosed to bodies outside your College/the University where such bodies are acting as agents of your College/the University . Data will be used for a full range of alumni activities as described above. Data may also be used in fundraising programmes, which might include an element of direct marketing by your College/the University. Data will not, however, be passed to external commercial organisations without your explicit consent.
- Sensitive personal data
GDPR defines sensitive personal data as information about racial or ethnic origins; political opinions; religious beliefs or other beliefs; trade union membership; physical or mental health; sex life; criminal allegations, proceedings or convictions. Save in limited circumstances specified in the Act, those collecting and processing sensitive personal data are required to seek explicit consent to do so. However, much of the sensitive personal data handled by the Colleges and University will be provided by students themselves so that consent to process in those cases is not an issue.
The Colleges, the Department and University have no need or intention to collect information concerning the political beliefs, sexual orientation, or trade union affiliations of students. Nor do they have any need or intention to collect or process data on religious beliefs or practices except in so far as students may, for example, require special dispensation to avoid sitting examinations on certain days or may have special dietary requirements. However the student will probably have volunteered the sensitive data him/herself so consent to collect and process is unlikely to present a problem.
If a student is convicted of an offence under the criminal law, this may be the subject of further disciplinary proceedings within the Colleges when data may be collected and processed; this will not happen without the student's knowledge. Conviction of a criminal offence may in certain limited circumstances have to be mentioned in a reference to an employer or professional body.
The University and Colleges may need to process information relating to a student's health. For example, it may be necessary to ask for dispensation to miss an examination or special provision may be needed for certain health problems or in cases of disability, or suspension of status may be needed for graduate students.
If a student is following a course leading to a professional qualification, the College/University will need to be able to report to the appropriate professional body, such as the General Medical Council, that he or she is 'a safe and suitable entrant to a given profession'.
GDPR allows action to be taken to process personal sensitive data, and to disclose such information to an individual/body outside the College/University, without consent, where it is regarded as in the student's vital interest. However, this is generally likely to apply only in cases of illness or accident where the student is unable or unwilling to give consent. This exemption may only be used in exceptional circumstances.
There is also an exemption in the Act to allow collection of data without explicit consent in order to identify or keep under review the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins. Such data is collected by the Colleges and University for the purposes of monitoring and of upholding equal opportunities policies.
If you have any concerns about the processing of any information in the sorts of circumstances outlined above you should contact the College Data Protection Officer or the University Data Protection Officer via email to firstname.lastname@example.org.
Disclosure of Data to Bodies Outside Your College, The Department and The University
Your College, the Department or the University may be required to provide non-sensitive personal data to the Inland Revenue, Community Charge Registration Officers, local authority electoral registration, assessment and valuation departments, other education and training establishments and examining bodies, and students' sponsors (eg local authority education departments, the Student Loan Company and funding councils (and including the Higher Education Statistics Agency)).
Your College/the University will respond to requests for references, transcripts or other information on your educational attainments, from employers or prospective employers or from other educational institutions, funding bodies or recognised voluntary organisations. However, the information will not be provided unless the request is made in writing and appears to be bona fide.
Disclosure may also be necessary in certain other circumstances, for example to comply with legal or statutory requirements; in any legal proceedings; or for medical reasons to medical staff.
Your College, the Department or the University will not normally send information about you to outside organisations at home or overseas other than of the kind indicated. Your personal data will not be placed on any website by your College, the Department or the University without your consent.
You should be aware that many countries outside the European Economic Area do not have data protection legislation and so may not always protect your personal data to the same standard.
Keeping Your Personal Data Up-To-Date
GDPR requires that your College and the University take reasonable steps to ensure that any personal data which they process is accurate and up-to-date. It is therefore important that you let your College and Department know of any changes to your personal data, or of any error in those data. The University will be informed of changes as appropriate.
Queries and Access Requests
GDPR gives you the right to know what personal data your College, the Department and the University are processing, subject to certain exemptions provided in the legislation and to consideration of third party rights. If you wish to seek access under the GDPR provisions, you should contact the relevant person, within a college or Department this is likely to be an Administrator, within the University email email@example.com. A fee is required for such access.
General queries about GDPR may be addressed to the University's Data Protection Officer using the email address, firstname.lastname@example.org
The College, Department and University records are normally archived as a matter of routine, but your College, the Department and the University are not liable for any failure to archive, or maintain the archive or for deletion of archive material however arising and you are advised to retain any original certificates issued by the University safely and securely.
As indicated in section 2 above it is possible that sensitive data may appear on your file. It is unlikely that your College, the Department or the University will have to process sensitive data without your knowledge and consent. It may, however, be necessary to process information about your health. If when you leave Oxford you are concerned about the retention of any such material on your file or about the possibility that other types of sensitive data (as defined by the Act) may have been collected, you should discuss these concerns with the your college Data Protection Officer or the Departmental Administrator as appropriate.