This site uses cookies

Source: https://compliance.admin.ox.ac.uk/undergraduate-outreach-privacy-policy Parent: https://compliance.admin.ox.ac.uk/modern-slavery

Undergraduate outreach privacy policy

How the University collects and uses your personal data

Expand All

A. WHAT IS THE PURPOSE OF THIS DOCUMENT?

The University of Oxford is committed to protecting the privacy and security of your personal information (‘personal data’).

This privacy policy describes how we collect and use your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and related UK data protection legislation.

It applies to all individuals who have engaged with the University of Oxford including prospective undergraduates, their families, educators, community members, and organisations. It is important that you read this policy, together with any other privacy policy we may provide on specific occasions when we are collecting or processing information about you, so that you are aware of how and why we are using the information. We may update this policy at any time.

Information about how we use the data of applicants, current students and former students are covered by separate documents. In addition, each college[1] will have its own privacy notice which can be found on their websites.

[1] ‘College’ means any college or Permanent Private Hall

B. GLOSSARY

Where we refer in this policy to your ‘personal data’, we mean any recorded information that is about you, and from which you can be identified, whether directly or indirectly. It does not include data where your identity has been removed (anonymous data).

Where we refer to the ‘processing’ of your personal data, we mean anything that we do with that information, including collection, use, storage, disclosure, deletion or retention.

C. WHO IS USING YOUR PERSONAL DATA?

The University of Oxford[2] is the “data controller" for the information that we hold about you. This means that we decide how to use it and are responsible for looking after it in accordance with the UK GDPR.

Access to your data within the University will be provided to those who need to view it as part of their work in carrying out the purposes set out in Section F. Access will also be provided to any third parties that we use to help organise and evaluate events. It will also be shared with the third parties described in Section H. Where we share your data with a third party, we will seek to share the minimum amount necessary for the agreed purpose.

[2] The University’s legal title is the Chancellor, Masters and Scholars of the University of Oxford

D. THE TYPES OF DATA WE HOLD ABOUT YOU

The information we hold about you may include, but is not limited to, the following:

• Personal details such as name, address, telephone number, email address, date of birth, legal sex and gender identity;
• Education information, including your school(s), sixth form college(s), or universities, courses you have completed, and results;
• Other personal and socio-economic background information, such as (but not limited to): whether you have been in care, have caring responsibilities, have any dependents, your socio-economic classification, details of the occupation and education of your parents, stepparents or guardians, whether you have received financial support during your studies (such as free school meals), whether you have experienced estrangement; and whether you are or have been a refugee, stateless person or an asylum applicant;
• Your feedback on your experience, collected through surveys, focus groups and other activities;
• Dietary needs, medical or religious considerations;
• Information about your use of our information and communications systems, including your communication preferences and your website and system interaction (cookies and similar technologies);
• Photographic data or recordings from events, teaching and learning, outreach activities, trainings or research activities;
• Information gathered through CCTV and building access information;
• Trusted contacts for emergencies (contact details you provide for a person, such as a family member, friend or guardian, who can be contacted on your behalf in the event of a serious emergency).

As part of this, we may process the following "special categories" of more sensitive personal data:

• Information about your race or ethnicity, sexuality, and your religion and beliefs;
• Information about your health, including any disability and/or medical conditions.

E. HOW THE UNIVERSITY OBTAINED YOUR DATA

We obtained this data when you enquired about events/activities organised by the University (including its Departments and Faculties[3]) and/or the Colleges. Information about your ethnicity is a special category of more sensitive personal data and will only be held when necessary.

We collect the vast majority of the information directly from you.

We may also use information about you that we collect from third parties, including the Office for Students (OfS -www.officeforstudents.org.uk), the Higher Education Statistics Agency (HESA - www.hesa.ac.uk), the University and Colleges Admissions Service (UCAS - www.ucas.com), the Department for Education (DfE - www.education.gov.uk), Skills Funding Agency (SFA – www.skillsfundingagency.bis.gov.uk) and ACORN (www.acorn.caci.co.uk). This information may contain statistics about the area in which you live, for example, how many people from your area go on to higher education. Data from these sources will also allow us to track your own educational journey from school to higher education, for example, which university you end up at and what type of degree you obtain.\ We may also collect additional information from third parties, including colleges, former schools and higher education institutions and their staff, and government departments and agencies, or information which is in the public domain.

[3] Departments and Faculties deliver particular study subject areas.

F. HOW THE UNIVERSITY USES YOUR DATA

We use your data for a number of purposes connected with your studies, including, but not limited, to the provision of:

• outreach activities, including registering and determining eligibility;
• monitoring and evaluating the effectiveness of our sessions, outreach programmes, admissions and the student experience;
• producing statistics, including event application and participation numbers, and participant outcomes;
• tracking future outcomes of event participants, including applications to the University and other Higher Education Institutions;
• welfare and pastoral support including ensuring the health and safety of students, staff and others;
• financial support; and
• research related administration to support our equality responsibilities, quality assurance and planning processes.

If you have supplied personal information for the purpose of an outreach activity organised by the University of Oxford (“the University”) and/ or its Colleges, we may add some of your data to the Higher Education Access Tracker database (HEAT www.heat.ac.uk), which we use to record information about our outreach activities and those who take part in them.  HEAT is a shared database used by a variety of organisations to identify which activities are most helpful in preparing students for higher education and progressing to employment. Users include the University, its colleges, student organisations, educational charities and relevant public bodies (e.g. UCAS). The data added to HEAT comprises your personal details (name, gender, date of birth, postcode and school) and the events or activities in which you have engaged with. You can read further details about how your data on HEAT is used here: https://heat.ac.uk/privacy-notice/

We set out below those circumstances where it is necessary for us to use your data. (These circumstances are not mutually exclusive; we may use the same information under more than one heading.)\

F1. Where it is necessary to meet a task in the public interest

We will use your data to process your application and/or register you as a participant in an outreach event or activity.

Using your data is necessary for tasks that we carry out in the public interest (promoting and widening access to Higher Education) and to meet our legitimate interests in promoting applications to the University from under-represented groups.

Information processed under this heading includes, but is not limited to, the data listed in Section D.\

F2. Where we need to comply with a legal obligation

Information processed for this purpose includes, but is not limited to, information relating to the monitoring of equal opportunities and information provided to regulatory bodies including the Office for Students.

F3. Where it is necessary to meet our legitimate interests

We need to process your data in order to meet our legitimate interests in promoting applications to the university. Examples include, but are not limited to, the following:

• in order to meet our legitimate interests in safeguarding and welfare of participants and any associated staff and facilitating the efficient operation of our activities.
• we may use email addresses to send information about outreach opportunities, and other university-related activities that may be of interest to you;

F4. Where we have your consent

There may be situations where we ask for your consent to process your data, e.g. where we ask you to volunteer information about yourself for a survey or where we ask for your permission to share sensitive information. We will also seek your consent:

• when providing a Release Form to utilise any audio-visual content in our own materials;
• to send university marketing information that may be of interest to you;
• to meet any requirements (accommodation, dietary, religious practices).

We only process your data for this purpose when you have given us your consent to do so.

Change of purpose

We will only process your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another related reason, and that reason is compatible with the original purpose. If we need to use your data for an unrelated purpose, we will seek your consent to use it for that new purpose.

Please note that we may process your data without your knowledge or consent, where this is required or permitted by law.

G. SPECIAL CATEGORY DATA

Special category data require a higher level of protection. Listed below are examples of processing activities that we regularly undertake in respect of these types of data.  In addition to the activities listed below, it may sometimes be necessary to process this sort of information for exceptional reasons, for example, because it is necessary to protect your vital interests (including in relation to health and safety) or those of another person or for safeguarding purposes.

G1. Health (Including disability)

We will process data about your health where it is necessary to make reasonable adjustments for disability and/or to monitor equal opportunities.  Processing of this nature is necessary to meet contractual or other legal obligations. We may also process data about your health in accordance with the terms of our contract with you, to protect our legitimate interests and/or to comply with legal obligations There may be limited circumstances where your health and safety, or that of others, is at serious risk where your health data may need to be shared whether or not you have given consent (subject to data minimisation, limiting recipients of such data to those people or agencies able to assist (e.g. NHS or emergency services staff) or pseudonymisation of your data where possible). Examples of these limited circumstances include: (a) Where you are at risk of causing serious harm to yourself or others (e.g. threats or attempts at suicide or violence to yourself or others) and (b) as a result of testing positive for a serious infectious illness where urgent health and safety measures must be taken.

G2. Racial or ethnic origin, sexual orientation, and religion and beliefs

Data about your racial and ethnic origin, religion and beliefs, and sexual orientation will only be processed when necessary, including in order to identify your eligibility for certain opportunities in accordance with your consent, and/or where we need to process it in order to meet our statutory obligations under equality and/or other legislation. We may also process data about your racial or ethnic origin, sexual orientation, and/or religious belief in accordance with our public task in increasing equality of educational opportunities. This processing is considered to meet a substantial public interest, and will be subject to suitable safeguards.

H. DATA SHARING WITH THIRD PARTIES

In order to perform our contractual and other legal responsibilities or purposes, we may, from time to time, need to share your information with the following types of organisation:

• Colleges, University Faculties and Departments;
• Collaborative Provisions (or partnerships), e.g. with other higher education institutions or community groups;
• External organisations offering University-sponsored services, including student surveys;
• your referees or others we contact in connection with verifying information;
• other educational institutions or entities;
• The Higher Education Access Tracker (HEAT) and its users to help determine whether our activities are helping participants move on from school into Higher Education and employment.
• The Higher Education Statistics Agency (HESA).  HESA uses your data to provide information on higher education and shares your data with public authorities to carry out statutory or public functions. Further information on how HESA uses this data is available from the HESA website;
• Contractors engaged for health and safety purposes to advise on protection of your health, and/or that of others, during any pandemic (including Covid-19), epidemic or local health emergency (e.g. contractors engaged in testing and tracing or in implementing consequential health and safety measures.)

Where information is shared with third parties, we will seek to share the minimum amount necessary. For example, we may in appropriate cases share only your student number and not your name (this is known as pseudonymisation).

All third-party service providers that process data on our behalf are required to take appropriate security measures to protect your data in line with our policies. We do not allow them to use your data for their own purposes. We permit them to process your data only for specified purposes and in accordance with our instructions.

I. TRANSFERS OF YOUR DATA OVERSEAS

There may be occasions when we transfer your data overseas, for example, if we communicate with you using a cloud-based service provider that operates outside the UK. Such transfers will only take place if one of the following applies:

• the country receiving the data is considered by the UK to provide an adequate level of data protection;
• the organisation receiving the data is covered by an arrangement recognised by the UK as providing an adequate standard of data protection;
• the transfer is governed by approved contractual clauses;
• the transfer has your consent;
• the transfer is necessary for the performance of a contract with you or to take steps requested by you prior to entering into that contract;
• the transfer is necessary for the performance of a contract with another person, which is in your interests;
• the transfer is necessary in order to protect your vital interests or of those of other persons, where you or other persons are incapable of giving consent;
• the transfer is necessary for the exercise of legal claims; or
• the transfer is necessary for important reasons of public interest.

J. DATA SECURITY

We have put in place measures to protect the security of your information. Details of these measures are available from the University’s Information Security website.

Third parties that process data on our behalf will do so only on our instructions and where they have agreed to keep it secure.

K. RETENTION PERIOD

We will retain your data only for as long as we need it to meet our purposes, including any relating to legal, accounting, or reporting requirements.

• All contacts without an associated enquiry record from the last two years will be deleted.
• Data required for administrating interventions is kept for five years.
• Local system data will be retained for five years.

In order to conduct long-term evaluation, tracking and research about access to Higher Education, we will retain some of your key personal information:

• Students with permission to track and a complete record will be retained for 15 years from when their HE ready year indicates they are able to enter HE.

Consent forms and teacher contacts are kept permanently and deleted on request.

After these periods, any personal information will be removed from our records, but we may continue to retain and process your information in an anonymised form.

L. YOUR RIGHTS

Under certain circumstances, by law you have the right to:

• Request access to your data (commonly known as a “subject access request"). This enables you to receive a copy of your data and to check that we are lawfully processing it.
• Request correction of your data. This enables you to ask us to correct any incomplete or inaccurate information we hold about you.
• Request erasure of your data. This enables you to ask us to delete or remove your data under certain circumstances, for example, if you consider that there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your data where you have exercised your right to object to processing (see below).
• Object to processing of your data where we are processing it meet our public interest tasks or legitimate interests (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your data for direct marketing purposes.
• Request the restriction of processing of your data. This enables you to ask us to suspend the processing of your data, for example if you want us to establish its accuracy or the reason for processing it.
• Request the transfer of your data to another party.

Depending on the circumstances and the nature of your request it may not be possible for us to do what you have asked, for example, where there is a statutory or contractual requirement for us to process your data and it would not be possible to fulfil our legal obligations if we were to stop.  However, where you have consented to the processing, you can withdraw your consent at any time by emailing the relevant department. In this event, we will stop the processing as soon as we can.  If you choose to withdraw consent it will not invalidate past processing. Further information on your rights is available from the Information Commissioner’s Office (ICO).

If you want to exercise any of the rights described above, or are dissatisfied with the way we have used your information, please contact the University’s Information Compliance Team at data.protection@admin.ox.ac.uk.  The same email address may be used to contact the University’s Data Protection Officer. We will seek to deal with your request without undue delay, and in any event in accordance with the requirements of the GDPR. Please note that we may keep a record of your communications to help us resolve any issues which you raise.

If you remain dissatisfied, you have the right to lodge a complaint with the ICO at https://ico.org.uk/concerns/.\

M. KEEPING YOUR DATA UP-TO-DATE

We may check with you that your personal data is up-to-date. This is important in enabling us to be certain that the data we hold about you is accurate and current.

N. CHANGES TO THIS PRIVACY POLICY

We reserve the right to update this privacy policy at any time, and will publish the current version on the website. The active policy at the time of collection will be applied to your data.

We have provided a PDF version of this policy for those who would like to download a copy and store it offline.

Please note - If you download the PDF version please only do so when required, rather than keeping copies printed out or stored locally. We update the policy as necessary meaning a downloaded version of the policy will be out of date.

Contact us

Data Protection Enquiries\ Email: data.protection@admin.ox.ac.uk