Data Protection Statement for Students
Buckinghamshire New University is a registered data controller and will collect and use information about its students in accordance with the data protection principles set out in the Data Protection Act 1998 and the European General Data Protection Regulation (GDPR).
This privacy notice outlines what you can expect when Buckinghamshire New University collects your information, if you are or have been or are applying to become a student at the University or one of its partners. It includes information about how student data is used and where it is supplied by the University to the Higher Education Statistics Agency (HESA) and other external parties.
Buckinghamshire New University must collect and process data about our students and applicants in order to implement and manage education related services and processes, including student recruitment, admission, registration, teaching and learning, examination, graduation and other services such as accommodation, student support and careers.
The University holds and processes personal data and sensitive personal data about its current, past or prospective students and others who are defined as data subjects under the Data Protection Act.
Personal data is data relating to a living individual who can be identified from that data (e.g. name, address, telephone number and student number). It can also include expressions of opinions about an individual.
Sensitive Personal Data (or “special categories of data” as described under the GDPR) relates to racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sex life, criminal convictions. Personal data concerning disability is sensitive data.
We will collect and process personal data about you for the purposes described below. The University recognises the significance of sensitive personal data and will only process such data if certain conditions are met.
We ask you to declare your ethnic origin and any disabilities at the time of your application and enrolment for a course. These fall within the definition of sensitive data. If you choose to provide such data, you give your consent for the University to use them, in an aggregated form, for statistical purposes.
When you register with us as a student, you can decide if you wish to share certain types of sensitive data with the University. These records will be kept in strict confidence and will not be released to third parties without your explicit consent.
The University processes student personal data in order to:
- Provide education and support services to our students;
- Administrate education services and associated financial matters;
- Enable the use of University facilities;
- Conduct equal opportunities monitoring;
- Produce degree certificates, transcripts and Higher Education Achievement Reports (HEAR) for students;
- Promote the institution and the services we offer;
- Deliver graduation ceremonies and related services;
- Publish the University magazine and alumni relations;
- Undertake research and fundraising;
- Manage our accounts and records;
- Provide commercial activities to our clients;
- Conduct attendance monitoring;
- Capture learning analytics for student satisfaction, retention and attainment; and
- Run lecture capture services.
The University will also process personal information for the use of CCTV systems to monitor and collect visual images for the purposes of security and the prevention and detection of crime.
The University may monitor usage of its IT systems and access user information on its systems and networks that is normally private. Any institutional monitoring or access will comply with UK legislation and be justifiable, fair and proportionate. Such activity will be conducted in line with the University’s policy on monitoring computer and network use.
Some sections of the University undertake processes using your personal data that include elements of profiling or automated decision-making. For example, the Marketing and Student Recruitment Directorate may use these processes to determine the type of communications sent to individuals and to facilitate student recruitment and admissions procedures.
The University will use your contact details to keep you informed of events relevant to your studies and in emergencies.
Personal data held by the University relating to students is mainly collected directly from the student or applicant during promotional events (e.g. open days), student registration, enrolment and general administration over the course of their registration (e.g. assessment results).
In some instances data will be obtained from a third party organisation involved in the services provided by the University, for example, UCAS, other institutions involved in joint programmes, agents involved in student recruitment or the Student Loans Company.
Your personal data will mainly be processed by the University’s support departments and academic schools. Access to personal data is carefully controlled and will be seen only by authorised members of staff.
The University may disclose certain personal data to external bodies as categorised below where we have a legitimate reason to use that data in connection with your time here at the University or where the University is under a legal requirement to do so. Information will be disclosed in accordance with the provisions and obligations of the Data Protection Act. Please note this is not an exhaustive list.
Central and Local Government Departments
The University may disclose student personal data and sensitive personal data to external agencies that are part of central or local government to fulfil statutory or legal obligations related to, for example, immigration, council tax and electoral registration. For this reason the University may disclose personal data to the Office for Students (OfS), Higher Education Statistics Agency (HESA), UK Visa and Immigration (UKVI), the Student Loans Company, the Office of the Independent Adjudicator for Higher Education, Research Councils, Disclosure and Barring Service (DBS), and potentially other such organisations for defined purposes.
Police and Enforcement Agencies
The University may provide data on request to the police and other enforcement agencies in emergencies or where crime detection or prevention can be aided by its release, for example, responding to information requests from individual police forces or UKVI.
The University may be required to provide data to organisations like OfS, HESA, the University and Colleges Admissions Service (UCAS) or to other bodies acting on their behalf for regulatory, research and monitoring purposes. Examples of this include where the University is required to:
Higher Education Statistics Agency (HESA)
It is a statutory requirement for the University to send some of the information we hold about you to HESA every year. HESA is the official source of data about UK universities and higher education colleges www.hesa.ac.uk. Some of the data we send to HESA will be passed to other statutory bodies involved with the funding of education. Further information on how your Student Record may be used by HESA can be found at www.hesa.ac.uk/collection-notices.
The University will also provide data to the Student Loans Company. If necessary the University will also release data to parties involved in the recovery of debts to the University.
Bucks Students’ Union
The University will share your personal data (e.g. contact details, student number and course) and some sensitive personal data (e.g. ethnicity) with Bucks Students’ Union in order to help them to communicate effectively with you about elections, general membership, access to services etc.
Where students are enrolled on courses which are accredited by professional bodies, the University may pass some identifying data to the appropriate professional body in order for students to be registered with that professional body.
Where students are sponsored by, for example, their employer or embassy or the NHS, the University will provide details of attendance and attainment to the sponsor on request.
Third Party Software Suppliers
The University may release information to third party organisations that host University data (e.g. Blackboard for the provision of the Virtual Learning Environment and TurnitinUK for their anti-plagiarism software, which could involve some personal data being released to other HE institutions for comparison purposes). We share personal identifiable information with third party suppliers (e.g. Microsoft and Unit4) for licence compliance, audit and support purposes
The University will not release data to any unauthorised third-party except where you ask us to. This means that we will not release data to banks, friends, relatives (including parents), etc., without your agreement. You should provide the University with written consent if you want us to release data on your behalf in these circumstances.
Sometimes to achieve the purposes for which we are processing your personal data, we may need to share your personal data with other organisations based within the European Union or outside of it in countries that have comparable levels of protection.
When it is necessary to share your data with organisations outside of the European Union, we will ensure that there are appropriate safeguards in place.
We will keep your personal data for only as long as is necessary for the purposes for which it was collected. Information about students is retained and disposed of in accordance with the University’s records retention schedules, which are detailed in the Records Lifecycle Management Scheme. Some information may be archived for long term historical preservation. Data will be securely destroyed when no longer required.
Student personal data is collected and processed by the University as necessary for the performance of the contract under which the University provides services to students.
Some processing activities may also be carried out: under a legal obligation (for example, disclosing personal data to external parties under statutory powers); where it is necessary to protect the vital interests of the student or another party (for example, disclosures to external parties to ensure the safety and wellbeing of individuals); where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority (for example, collecting or disclosing information in order to meet regulatory or statutory requirements); or where it is necessary for legitimate interests pursued by the University or a third party (the legitimate interests will relate to the efficient, lawful and proportionate delivery of services and will not be to the detriment of the interests or rights of individuals).
Where any of these legal conditions do not apply, the consent of an individual to process their personal data will be sought.
Under the new data privacy legislation you have the right to:
- Withdraw consent where that is the legal basis of our processing;
- Access your personal data that we process;
- Rectify inaccuracies in personal data that we hold about you;
- Be forgotten so that your details are removed from systems that we use to process your personal data;
- Restrict the processing in certain ways;
- Obtain a copy of your data in a commonly used electronic form; and
- Object to certain processing of your personal data by us.
If you wish to request a copy of the personal data held by the University about you or to correct any information we hold about you, contact the relevant department in the first instance. If you have any further concerns about the accuracy of your personal data as held by the University or you want to submit a data subject request, contact the University’s Data Protection Officer.
Please see the Information Commissioner’s Office web site (https://ico.org.uk) for further information about your data privacy rights. You may also contact the Data Protection Officer for further information.
You have a right to complain to the Information Commissioner’s Office about the way in which we process your personal data. Please see https://ico.org.uk.
We will communicate with you by email, post, telephone and SMS. Please contact the relevant University department if you want to unsubscribe from these communications, change the method of communication that we use or are concerned about their content (e.g. unwanted marketing information). Contact the Data Protection Officer, if you are unsuccessful in unsubscribing from our communications and/or remain concerned.
We regularly review the University’s privacy notices. We will communicate final changes to this notice to students via the most effective channels.
If you have any concerns with regards to the way your personal data is being processed or have a query with regard to this Notice, please contact our Data Protection Officer, Nicholas Roussel-Milner at firstname.lastname@example.org.
Our general postal address is:
Buckinghamshire New University,
Queen Alexandra Road,
High Wycombe, Buckinghamshire HP11 2JZ
Our telephone number is:
+44 (0)1494 522141
Our ICO data controller registration number:
You also have a right to complain to the Information Commissioner’s Office about the way in which we process your personal data. Post: Information Commissioners Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK95AF. Tel: 0303 123 1113. https://ico.org.uk.