Student Personal Data

Privacy Notice

Student Personal Data: Privacy Notice

Introduction

Abertay University (the “University”/”we”) is committed to protecting the privacy and security of your personal data in accordance with the Data Protection Act 2018 (or any successor legislation) and (EU) 2016/679 the General Data Protection Regulation (“GDPR”) (and any other directly applicable EU regulation relating to privacy) (together “Data Protection Law”). This privacy policy (the “Policy”) sets out the personal information we hold about you, why we hold it, and how we use it. This Policy covers the key activities of the University in providing education and support to students (including prospective students), and applies to those students. If you choose to access other optional services, further information will then be provided to you that is specific to those services.

Data Controller

The University is the data controller of your personal data (as defined under the GDPR). This means that the University is responsible for deciding how your personal data is held and used. The University is required under Data Protection Law to notify you of the information contained in this Policy.


Further information is available from the University’s main Data Protection Policy, available at: https://www.abertay.ac.uk/legal/

Your personal data and where it comes from

Personal data or personal information means any information about an individual from which that person can be can be identified. The personal data the University processes about you, and the sources of it, are described below:

  • Personal data provided by you when applying to, and enrolling at, the University, including personal data from your school or college; employer; sponsor; referees; qualifications, skills, and personal statements. This may include application data received via a third party such as the Universities and Colleges Admissions Service (UCAS) or a student recruitment agency.
  • Your contact and next-of-kin details, including details provided to the University if you choose to live in University-provided accommodation.
  • Personal data built up about you during your studies e.g. marks and grades; progression decisions; your use of services such as IT support and student enquiries; disciplinary records; academic adjustments and mitigating circumstances; your use of learning technology; and learning analytics (please see below for details).
  • Financial information from you (including payment information held on University systems where appropriate), and from funding organisations such as Student Awards Agency for Scotland (SAAS), Student Loans Company (SLC), or other sponsors.
  • Personal data obtained from partner organisations, such as professional bodies, employers, workplaces, and other educational establishments for the purposes of
    sponsorship, support, external study, and for any placements, field trips, or exchanges, which may be part of your programme of study.
  • Immigration, residence, and visa-related information, where appropriate, obtained from you and from relevant authorities, or from your own country’s educational or other bodies.
  • Data provided by you at the point of graduation, and after that point, to enable the University to maintain contact with you as an alumnus.
  • Images, including a photograph for student identification purposes.

Sensitive personal data

There are certain types of more sensitive personal data (termed ‘special categories’ of
personal data under the GDPR) which require a higher level of protection. The University
may hold the following sensitive personal data:

  • personal details about you, to allow the University to meet its legal obligation to
    monitor equality and diversity, including details about your gender identity;
    ethnic/racial origin; religious belief; sexual orientation; age; and disability status.
  • Details of relevant criminal convictions.
  • Details of physical or mental health in order to provide support and make appropriate
    academic or other adjustments.

The University has appropriate safeguards in place which we are required by law to maintain
when processing such data. We may process such data in the following circumstances:

  • In limited circumstances, with your explicit consent.
  • Where we need to carry out our legal obligations.
  • Where it is needed in the public interest, such as for equal opportunities monitoring.

Less commonly, we may process this type of data where it is needed in relation to legal
claims or where it is needed to protect your interests (or someone else’s interests) and you
are not capable of giving your consent, or where you have made the information public.

Automated decision making

You will not be subject to decisions that will have a significant impact on you based solely on automated decision making, unless the University has a lawful basis for doing so and we have notified you. The University does not currently use automated decision making.

 

Purposes and legal basis for processing your personal data

The University will only use your personal data when the law allows us to. Almost all of the University’s use of your personal data will be on the following grounds:

 

To fulfil the University’s contract with you, which is formed when you accept our offer of a place to study. This includes the University handling your application in order to prepare to enter into a contract. By entering into a contract with the University, you agree to the University processing your personal data for the following purposes:

  • Recruitment, application, admission and
  • Creating and maintaining up-to-date and accurate student records on the University’s student records system.
  • Communications, including email and other applications, for communicating and networking across the University
  • Support, including the provision of advice, welfare, and pastoral services; academic support, IT support, accommodation, and careers guidance, where you need or choose to access these
  • Educational, assessment, placement, work experience, and training, including providing you with mobile and desktop applications to help you to undertake and manage your studies and assessments, to record and reflect on your learning, and to interact with other students in your modules (e.g. personal learning platform and virtual learning environment). This includes using a plagiarism detection service, and video/lecture capture
  • Financial information, which may relate to tuition fees and other services provided by the University, or to studentships or scholarships awarded by the University. This will include bank details where these are provided by you in order to make or receive
  • Research student administration: applying for and administering research funding, (including monitoring the use of funds and ensuring compliance with terms and conditions of funding); securing necessary ethical reviews and regulatory approvals; making research theses available via institutional and other repositories.

To comply with our legal obligations, we will process your personal data for the following purposes:

  • To allow the University to comply with the requirements of the UK Government Home Office in relation to sponsorship of Tier 4 students, we will process passport, visa and other data as specified in the Home Office Tier 4 compliance guidance.
  • To provide statutory reports to education sector bodies, such as the Scottish Funding Council, the Student Loans Company, and the Higher Education Statistics Agency, which monitors and reports on UK higher education and trends. This may include sensitive personal data for the monitoring of equality and
  • To meet our obligations under the Equality Act 2010, we will process data, including sensitive personal data, in order to monitor equality and diversity and ensure that the University environment is supportive and
  • To enable Abertay Students’ Association (‘Abertay SA’) to fulfil its purpose of academic representation and running of Abertay SA elections (as required by the Education Act 1994).

 

Under legitimate interest we will process your data for the following purposes:

  • Learning analytics uses data about you, and your learning activities, to help us understand and improve educational processes, and to provide better support to you. This information can be used to assist you individually, supporting your engagement with your studies. It can also help to improve the educational experience more generally, using aggregated and anonymised data. The information used for learning analytics includes for example your name, student number, modules studied, grades achieved, and learning activities such as use of the library and online learning resources. The personal data is passed to educational partners for storage and analysis, and is stored in the ‘cloud’.
  • Management and administration relating to University property and the property of the University’s accommodation partners.
  • Ensuring that the University community remains safe and inclusive, including the management of behavioural or disciplinary issues (including use or misuse of University electronic and communication systems, and University social media guidance), and CCTV for security and prevention of

Under your consent, where the University will ask for your specific consent for processing as and when required, we will process your personal data for the following purposes:

  • To provide you with counselling and psychotherapy or support and advice for considering academic adjustments to take account of disability, health (including mental health), pregnancy or maternity, or mitigating circumstances. This may include sensitive personal data such as medical information, gender identity, ethnicity, disability, sexual orientation or religious belief. You are entirely free to choose not to provide this information, but if so the University will be unable to provide you with tailored support or adjustments. When you first use these services, further information will be provided to you, and the University will seek your consent
  • Alumni and development, including providing you with information, services, networking and career-enhancing opportunities, and for fund-raising, and marketing communications and
  • Photographs, video and audio recordings, lecture capture and online assessment video
  • To provide you with career development apps for support, advice and guidance. This may include personal data relating to your personal aptitudes, skills and
  • To support your studies, apps may be offered that use personal data, which you may choose to download and use.

 

Where the processing of personal data is based on consent, you have the right to withdraw consent at any time without prejudice to your status within the University.

Sharing your personal data with other bodies

The University may have to share your personal data with external bodies, including third
party service providers. We require third parties to respect the security of your data and to
treat it in accordance with the law. In particular:

  • Your name and term-time address will be released to the local authority Electoral
    Registration Office in accordance with the Representation of the People (Scotland)
    Regulations 2001.
  • Your name, contact details, academic school and degree programme will be shared
    with the Abertay Students’ Association (‘Abertay SA’) to enable it to fulfil its purpose
    of academic representation and running of Abertay SA elections (as required by the
    Education Act 1994).
  • With your consent, your name and term-time address will be released to the relevant
    local authority (Dundee City, Perth & Kinross, Angus or Fife) for the purpose of
    consideration for council tax exemption.
  • For international students, the University may provide confirmation of your dates of
    study and your academic award to your embassy to assist with the recognition of
    your academic award in your home country.
  • Personal data about your academic performance and other verified achievements will
    be disclosed to “Gradintelligence” to generate your Higher Education Achievement
    Report. This is the official record or transcript of your studies and achievements at
    the University.
  • If you are studying at the University on a Tier 4 student visa, the University is
    required to report to the UK Government Home Office if you fail to enrol, if you
    withdraw or complete your studies early, or if you fail to engage or maintain contact
    with the University. The University may also be required to provide the Home Office
    with other personal data about students.
  • If you have a sponsor or other external funder for your studies – which may include
    your employer if they are providing financial support or time off for you to study, or
    otherwise supporting your studies – the University will send personal data about your
    academic progress and your attendance to your sponsor.
  • The University is required to send some of the personal data we hold about you to
    the Higher Education Statistics Agency (HESA). HESA is the official source of data
    about UK universities, and it collects and analyses information about students and
    universities.

  • Your HESA information is used by public authorities for their statutory and/or public
    functions including funding, statistical, regulation and policy-making purposes. These
    purposes include statistical research and publication by HESA (which is anonymous).
    Some sensitive personal data is used by HESA for monitoring equality and diversity.
    To find out more about the types of information disclosed to HESA, what they use it
    for, and the justification for this work, please see the information which HESA has
    published at:
    https://www.hesa.ac.uk/about/regulation/data-protection/notices#student
  • Personal data will be shared with other bodies for placements, training, exchanges,
    and work experience which form part of our degree programme, and with
    professional bodies where appropriate. Where appropriate, this may include other
    countries in the European Economic Area, or other countries. Please contact your
    Programme Leader for more information.
  • Personal data will be shared with named agents/suppliers to enable them to provide
    services to the institution under contract. This includes the University’s research
    information system, third party funder application and grant management systems,
    car parking, debt collection agencies and the BACs and other payment systems for
    studentship and reimbursement of expenses.
  • Where payment is received, data will be shared with HM Revenue and Customs, as
    necessary for the assessment and collection of taxes and other duties.
  • The University will share personal data of students undertaking research, whose
    funding require that they collaborate with partner bodies, to administer the student’s
    relationship with the partner body.
  • Personal data will be exchanged with research bodies and funders in order to make
    application for research funding and to make any reports/updates that a funder or
    research body requires of the University in connection to research.
  • The University or its authorised agents or partners may contact you, using the details
    which you have provided, inviting you to participate in surveys which may be
    operated outside the University. This will apply only where the University has an
    obligation to administer a survey, or where it has been approved by the University.
    Examples of surveys include the National Student Survey (NSS); graduate
    employment destinations, or University-approved research surveys.
  • Personal data may, exceptionally, be disclosed to the police, to the Student Award
    Agency for Scotland or to other bodies with investigative powers, for the prevention
    and investigation of crime.
  • Personal data may, exceptionally, be disclosed to the emergency services or to a
    health professional in order to protect your vital interests or those of another
    individual, for example in an emergency where this is risk to a person or persons.
     Personal data may be disclosed to the Scottish Public Services Ombudsman
    (“SPSO”) in connection with any appeal or complaint which you may ask the SPSO
    to investigate.

Storing your personal data

The University has put in place appropriate security measures to prevent your personal data
from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
In addition, the University limits access to your personal data to those employees, agents,
contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.


Your personal data is stored securely and confidentially, mainly electronically on the
University’s systems, and occasionally on paper. Personal data may also be stored or used
externally in certain circumstances as described in this Policy.

Transfers outside the European Economic Area (“EEA”)

The University will only transfer your personal data to countries outside the EEA when
satisfied that both the party which handles the data and the country it is processing it in
provide adequate safeguards for personal privacy. To ensure that your personal data does
receive an adequate level of protection we have put in place the safeguards detailed in the
University’s main Data Protection Policy.
Examples of circumstances when your personal data may be transferred outside the EEA
include:

  • Participation in and management of collaborations with overseas educational
    institutions including student exchanges and partnership programmes.
  • Working with overseas student recruitment agencies.
  • Some of the systems and services the University uses store data in the ‘Cloud’, and
    this may include storage facilities based outside the EU.

Making sure your personal data is accurate and up-to-date

The University strives to ensure that all personal data remain current and accurate. If you
become aware of any incorrect personal data held by the University, you have the right to
request that this is rectified.


There are particularly some areas where the University relies upon you to inform it of any
changes to your personal data; for example, your contact and next-of-kin details. Any
changes to address details can be updated via the online student portal.

Retention of your personal data

The University will retain your personal data only as long as is necessary for the purposes
for which we collected it.


To determine the appropriate retention period for personal data, the University considers the
amount, nature and sensitivity of the personal data, the potential risk of harm from
unauthorised use or disclosure of your personal data, the purposes for which we process
your personal data and whether we can achieve those purposes through other means and
the applicable legal requirements.


Much of your personal data will be deleted six years after you have left the University,
leaving a core record to satisfy record-keeping requirements in the public interest, including,
at your request, providing replacement certificates or transcripts, or verification to potential
employers or education providers of your qualifications.

In some circumstances the University may anonymise your personal data so that it can no
longer be associated with you, in which case we may use such data without further notice to
you.

 

Your rights

Under certain circumstances, by law you have the right to:

  •  Request a copy of the personal data the University holds about you
  • Request correction of any data that is inaccurate.
  • Request erasure of personal data held by the University.
  • Object to the processing of your personal data.
  • Request that we restrict processing of your personal data.
  • Ask the University to put your data into a format to enable it to be transferred easily
    to a different organisation.

If you would like to exercise any of your rights above or if you have any questions, please
contact the University’s Data Protection Officer (“DPO”):
Data Protection Officer
Academic Registry
Abertay University
Kydd Building
Bell Street
Dundee DD1 1HG
Tel: 01382 308000 email: dataprotectionofficer@abertay.ac.uk
You will not have to pay a fee to exercise any of your rights. However, the University may
charge a reasonable fee if your request for access is clearly unfounded or excessive.
Alternatively, we may refuse to comply with the request in such circumstances.
You are also entitled to contact the Information Commissioner’s Office (the “ICO”)
(www.ico.org.uk) about any concerns about the way the University has handled your
personal data. The University would, however, appreciate the chance to deal with your
concerns before you approach the ICO so please contact us in the first instance.

Right to withdraw consent

If we have asked for your consent in order to process your personal data, you have the right
to withdraw this consent in whole or part at any time. To withdraw your consent please
contact the University’s DPO using the details above. The DPO will explain the
consequences of doing so in any particular case if you contact us to withdraw consent.

 

If you would like to exercise any of your rights above or if you have any questions, please
contact the University’s Data Protection Officer (“DPO”):


Data Protection Officer
Academic Registry
Abertay University
Kydd Building
Bell Street
Dundee DD1 1HG
Tel: 01382 308000 email: dataprotectionofficer@abertay.ac.uk


You will not have to pay a fee to exercise any of your rights. However, the University may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances. You are also entitled to contact the Information Commissioner’s Office (the “ICO”) (www.ico.org.uk) about any concerns about the way the University has handled your personal data. The University would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

Changes to this Policy

The University reserves the right to update this Policy at any time, and we will provide you
with a new policy when we make substantial updates. We may also notify you in other ways
from time to time about the processing of your personal data.