Student Personal Data

Privacy Notice

Student Personal Data: Privacy Notice


Abertay University (the “University”/”we”) is committed to protecting the privacy and security of your personal data in accordance with the Data Protection Act 2018 (or any successor legislation) and (EU) 2016/679 the General Data Protection Regulation (“GDPR”) (and any other directly applicable EU regulation relating to privacy) (together “Data Protection Law”). This privacy policy (the “Policy”) sets out the personal information we hold about you, why we hold it, and how we use it. This Policy covers the key activities of the University in providing education and support to students (including prospective students), and applies to those students. If you choose to access other optional services, further information will then be provided to you that is specific to those services.

Data Controller

The University is the data controller of your personal data (as defined under the GDPR). This means that the University is responsible for deciding how your personal data is held and used. The University is required under Data Protection Law to notify you of the information contained in this Policy.

Further information is available from the University’s main Data Protection Policy, available at:

Your personal data and where it comes from

Personal data or personal information means any information about an individual from which that person can be can be identified. The personal data the University processes about you, and the sources of it, are described below:

  • Personal data provided by you when applying to, and enrolling at, the University, including personal data from your school or college; employer; sponsor; referees; qualifications, skills, and personal statements. This may include application data received via a third party such as the Universities and Colleges Admissions Service (UCAS) or a student recruitment agency.
  • Your contact and next-of-kin details, including details provided to the University if you choose to live in University-provided accommodation.
  • Personal data built up about you during your studies e.g. marks and grades; progression decisions; your use of services such as IT support and student enquiries; disciplinary records; academic adjustments and mitigating circumstances; your use of learning technology; and learning analytics (please see below for details).
  • Financial information from you (including payment information held on University systems where appropriate), and from funding organisations such as Student Awards Agency for Scotland (SAAS), Student Loans Company (SLC), or other sponsors.
  • Personal data obtained from partner organisations, such as professional bodies, employers, workplaces, and other educational establishments for the purposes of
    sponsorship, support, external study, and for any placements, field trips, or exchanges, which may be part of your programme of study.
  • Immigration, residence, and visa-related information, where appropriate, obtained from you and from relevant authorities, or from your own country’s educational or other bodies.
  • Data provided by you at the point of graduation, and after that point, to enable the University to maintain contact with you as an alumnus.
  • Images, including a photograph for student identification purposes.

Sensitive personal data

The University may hold the following sensitive personal data (termed ‘special categories’ of personal data under the GDPR): 

  • personal details about you, to allow the University to meet its legal obligation to monitor equality and diversity, including details about your gender identity; ethnic/racial origin; religious belief; sexual orientation; age; and disability status.
  • Details of relevant criminal convictions.
  • Details of physical or mental health in order to provide support and make appropriate academic or other adjustments.
  • Individuals who apply for University accommodation will be required to provide to the University details of relevant criminal convictions. The University considers that its processing of this type of data is in its legitimate interest to provide safe accommodation for all students using University accommodation. Furthermore, the University considers the processing of this type of data to be necessary for the purposes of safeguarding children and of individuals at risk and for reasons of substantial public interest. The University considers its duty to ensure the safety of its students residing in University accommodation as being in the public interest. Criminal convictions data collected for these purposes shall not be further processed in a manner which is incompatible with these purposes. The University shall only collect such information on criminal convictions that is necessary to fulfil the purpose of ensuring safety for its students residing in University accommodation. The University will keep the information collected up-to-date and accurate. This information shall not be kept longer than is necessary for the purposes for which it is processed. Criminal conviction data shall be kept for the period in which the data subject resides in University accommodation. The University will use appropriate technical and organisational security measures in order to maintain the integrity and confidentiality of all criminal conviction data supplied to the University for these purposes.

Automated decision making

You will not be subject to decisions that will have a significant impact on you based solely on automated decision making, unless the University has a lawful basis for doing so and we have notified you. The University does not currently use automated decision making.


Purposes and legal basis for processing your personal data

Almost all of the personal data the University holds is processed to support the University’s contract with you, which is formed when you accept our offer of a place to study.  This includes the University handling your application in order to enter into a contract, and then delivering that contract.


By entering into a contract with the University, you agree to the University processing your personal data for educational and administrative purposes.  This data is essential to enable the University to deliver and assess your programme of study and to provide a supportive student experience.  It also allows the University to meet its obligations to monitor diversity and equality, and to report on the student population overall.


Under the legal basis of contract, the University processes your personal data for the following purposes:

  • Recruitment, application, admission and enrolment purposes.
  • Creating and maintaining up-to-date and accurate student records on the University’s student records system.
  • Communications purposes, including email and other applications, for communicating and networking across the University community.
  • Support purposes, including the provision of advice, welfare, and pastoral services; academic support, IT support, accommodation, and careers guidance, where you need or choose to access these services. 
  • Educational, assessment, placement, work experience, and training purposes, including providing you with mobile and desktop applications to help you to undertake and manage your studies and assessments, to record and reflect on your learning, and to interact with other students in your modules (e.g. personal learning platform and virtual learning environment). This includes using a plagiarism detection service, and video/lecture capture software. 
  • Learning support purposes. Learning analytics uses data about you, and your learning activities, to help us understand and improve educational processes, and to provide better support to you.  This information can be used to assist you individually, supporting your engagement with your studies.  It can also help to improve the educational experience more generally, using aggregated and anonymised data.  The information used for learning analytics includes, for example, your name, student number, modules studied, grades achieved, and learning activities such as the use of the library and online learning resources.  The personal data is passed to educational partners for storage and analysis, and is stored in the ‘cloud’.
  • Financial purposes. Processing information, which may relate to tuition fees and other services provided by the University, or to studentships or scholarships awarded by the University.  This will include bank details where these are provided by you in order to make or receive payment.
  • Research student administration: applying for and administering research funding, (including monitoring the use of funds and ensuring compliance with terms and conditions of funding); securing necessary ethical reviews and regulatory approvals; making research theses available via institutional and other repositories.
  • Management and administration purposes relating to University property and the property of the University’s accommodation partners.
  • Ensuring that the University community remains safe and inclusive, including the management of behavioural or disciplinary issues (including the use or misuse of University electronic and communication systems, and University social media guidance), and CCTV for security and prevention of crime.

Under the legal basis of compliance with our legal obligations, we will process your personal data for the following purposes:

  • To allow the University to comply with the requirements of the UK Government Home Office in relation to sponsorship of Student Visa students, we will process passport, visa and other data as specified in the Home Office Student Visa compliance guidance.
  • To provide statutory reports to education sector bodies, such as the Scottish Funding Council, the Student Loans Company, and the Higher Education Statistics Agency, which monitors and reports on UK higher education and trends. This may include sensitive personal data for the monitoring of equality and diversity.
  • To meet our obligations under the Equality Act 2010, we will process data, including sensitive personal data, in order to monitor equality and diversity and ensure that the University environment is supportive and inclusive.

Under the legal basis of consent, where the University will ask for your specific consent for processing as and when required, we will process your personal data for the following purposes: 

  • For the purpose of providing you with counselling and psychotherapy or support and advice for considering academic adjustments to take account of disability, health (including mental health), pregnancy or maternity, or mitigating circumstances. This may include sensitive personal data such as medical information, gender identity, ethnicity, disability, sexual orientation or religious belief.  You are entirely free to choose not to provide this information, but if so the University will be unable to provide you with tailored support or adjustments.  When you first use these services, further information will be provided to you, and the University will seek your consent.
  • Alumni and development purposes, including providing you with information, services, networking and career-enhancing opportunities, and for fund-raising, and marketing communications and events.
  • Photographs, video and audio recordings.
  • For the purpose of providing you with career development apps for support, advice and guidance. This may include personal data relating to your personal aptitudes, skills and preferences.
  • For the purpose of supporting your studies, apps may be offered that use personal data, which you may choose to download and use.

Where the processing of personal data is based on consent, you have the right to withdraw consent at any time without prejudice to your status within the University.

Sharing your personal data with other bodies

The University is obliged to disclose personal data to some external bodies. The main bodies to which the University discloses student personal data are given below. 

  • Your name and term-time address will be released to the local authority Electoral Registration Office in accordance with the Representation of the People (Scotland) Regulations 2001.
  • Your name, contact details, academic school and degree programme will be shared with the Abertay Students’ Association (‘Abertay SA’) to enable it fulfil its purpose of academic representation and running of Abertay SA elections (as required by the Education Act 1994).
  • With your consent, your name and term-time address will be released to the relevant local authority (Dundee City, Perth & Kinross, Angus or Fife) for the purpose of consideration for council tax exemption.
  • For international students, the University may provide confirmation of your dates of study and your academic award to your embassy to assist with the recognition of your academic award in your home country.
  • Personal data about your academic performance and other verified achievements will be disclosed to ‘Gradintelligence’ to generate your Higher Education Achievement Report. This is the official record or transcript of your studies and achievements at Abertay University.
  • If you are studying at Abertay University on a Student Visa, the University is required to report to the UK Government Home Office if you fail to enrol, if you withdraw or complete your studies early, or if you fail to engage or maintain contact with the University. The University may also be required to provide the Home Office with other personal data about students. 
  • If you have a sponsor or other external funder for your studies – which may include your employer if they are providing financial support or time off for you to study, or otherwise supporting your studies – the University will send personal data about your academic progress and your attendance to your sponsor.
  • The University is required to send some of the personal data we hold about you to the Higher Education Statistics Agency (HESA). HESA is the official source of data about UK universities, and it collects and analyses information about students and universities. 

Your HESA information is used by public authorities for their statutory and/or public functions including funding, statistical, regulation and policy-making purposes. These purposes include statistical research and publication by HESA (which is anonymous).  Some sensitive personal data is used by HESA for monitoring equality and diversity.

To find out more about the types of information disclosed to HESA, what they use it for, and the justification for this work, please see the information on the HESA website published here:


  • Personal data will be shared with other bodies for placements, training, exchanges, and work experience which form part of our degree programme, and with professional bodies where appropriate. Where appropriate, this may include other countries in the European Economic Area or other countries.  Please contact your Programme Leader for more information.
  • Personal data will be shared with named agents/suppliers to enable them to provide services to the institution under contract. This includes the Abertay research information system, third party funder application and grant management systems, car parking, debt collection agencies and the BACs and other payment systems for studentship and reimbursement of expenses.   We also use a provider called Higher Ed Partners Limited (HEP).  HEP provides an Online Programme Management Solution for Abertay Online Programmes e.g. MBA, MSc courses and we may share some personal data with HEP in order to deliver the relevant programmes. 
  • Where payment is received, data will be shared with HM Revenue and Customs, as necessary for the assessment and collection of taxes and other duties.
  • The University will share personal data of students undertaking research, whose funding require that they collaborate with partner bodies, to administer the student’s relationship with the partner body.
  • Personal data will be exchanged with research bodies and funders in order to make an application for research funding and to make any reports/updates that a funder or research body requires of the University in connection to research.
  • The University or its authorised agents or partners may contact you, using the details which you have provided, inviting you to participate in surveys which may be operated outside the University.  This will apply only where the University has an obligation to administer a survey, or where it has been approved by the University.  Examples of surveys include the National Student Survey (NSS); graduate employment destinations, or University-approved research surveys. 
  • Personal data may, exceptionally, be disclosed to the police, to the Student Award Agency for Scotland or to other bodies with investigative powers, for the prevention and investigation of crime.
  • Personal data may, exceptionally, be disclosed to the emergency services or to a health professional in order to protect your vital interests or those of another individual, for example in an emergency where this is a risk to a person or persons.
  • Personal data may be disclosed to the Scottish Public Services Ombudsman (‘SPSO’) in connection with any appeal or complaint which you may ask the SPSO to investigate.

Storing your personal data

The University has put in place appropriate security measures to prevent your personal data
from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. 

In addition, the University limits access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

Your personal data is stored securely and confidentially, mainly electronically on the University’s systems, and  occasionally on paper. Personal data may also be stored or used externally in certain circumstances as described in this Policy.

Transfers outside the European Economic Area (“EEA”)

The University will only transfer your personal data to countries outside the EEA when
satisfied that both the party which handles the data and the country it is processing it in
provide adequate safeguards for personal privacy. To ensure that your personal data does
receive an adequate level of protection we have put in place the safeguards detailed in the
University’s main Data Protection Policy.
Examples of circumstances when your personal data may be transferred outside the EEA

  • Participation in and management of collaborations with overseas educational
    institutions including student exchanges and partnership programmes.
  • Working with overseas student recruitment agencies.
  • Some of the systems and services the University uses store data in the ‘Cloud’, and
    this may include storage facilities based outside the EU.

Making sure your personal data is accurate and up-to-date

The University strives to ensure that all personal data remain current and accurate. If you
become aware of any incorrect personal data held by the University, you have the right to
request that this is rectified.

There are particularly some areas where the University relies upon you to inform it of any
changes to your personal data; for example, your contact and next-of-kin details. Any
changes to address details can be updated via the online student portal.

Retention of your personal data

The University will retain your personal data only as long as is necessary for the purposes
for which we collected it.

To determine the appropriate retention period for personal data, the University considers the
amount, nature and sensitivity of the personal data, the potential risk of harm from
unauthorised use or disclosure of your personal data, the purposes for which we process
your personal data and whether we can achieve those purposes through other means and
the applicable legal requirements.

Much of your personal data will be deleted six years after you have left the University,
leaving a core record to satisfy record-keeping requirements in the public interest, including,
at your request, providing replacement certificates or transcripts, or verification to potential
employers or education providers of your qualifications.

In some circumstances the University may anonymise your personal data so that it can no
longer be associated with you, in which case we may use such data without further notice to


Your rights

Under certain circumstances, by law you have the right to:

  •  Request a copy of the personal data the University holds about you
  • Request correction of any data that is inaccurate.
  • Request erasure of personal data held by the University.
  • Object to the processing of your personal data.
  • Request that we restrict processing of your personal data.
  • Ask the University to put your data into a format to enable it to be transferred easily
    to a different organisation.

If you would like to exercise any of your rights above or if you have any questions, please
contact the University’s Data Protection Officer (“DPO”):
Data Protection Officer
Academic Registry
Abertay University
Kydd Building
Bell Street
Dundee DD1 1HG
Tel: 01382 308000 email:
You will not have to pay a fee to exercise any of your rights. However, the University may
charge a reasonable fee if your request for access is clearly unfounded or excessive.
Alternatively, we may refuse to comply with the request in such circumstances.
You are also entitled to contact the Information Commissioner’s Office (the “ICO”)
( about any concerns about the way the University has handled your
personal data. The University would, however, appreciate the chance to deal with your
concerns before you approach the ICO so please contact us in the first instance.

Right to withdraw consent

If we have asked for your consent in order to process your personal data, you have the right
to withdraw this consent in whole or part at any time. To withdraw your consent please
contact the University’s DPO using the details above. The DPO will explain the
consequences of doing so in any particular case if you contact us to withdraw consent.


If you would like to exercise any of your rights above or if you have any questions, please
contact the University’s Data Protection Officer (“DPO”):

Data Protection Officer
Academic Registry
Abertay University
Kydd Building
Bell Street
Dundee DD1 1HG
Tel: 01382 308000 email:

You will not have to pay a fee to exercise any of your rights. However, the University may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances. You are also entitled to contact the Information Commissioner’s Office (the “ICO”) ( about any concerns about the way the University has handled your personal data. The University would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

Changes to this Policy

The University reserves the right to update this Policy at any time, and we will provide you
with a new policy when we make substantial updates. We may also notify you in other ways
from time to time about the processing of your personal data.

Updated 8/08/2019

Pause carousel

Play carousel