The University of Exeter is the Data Controller for the personal information we process, unless otherwise stated, and is registered with the Information Commissioner’s Office (ICO).
If you have any questions about this Privacy Notice, please contact our Compliance, Governance and Risk team.
The University of Exeter
Compliance, Governance and Risk
St German's Road
Telephone: 01392 726842
The University’s Data Protection Officer can also be contacted via the above details.
In simple terms, personal data is information which identifies and relates to you, either on its own or in conjunction with other information held by the University. Special category data is personal data which the GDPR says is more sensitive, and so needs more protection.
Data relating to criminal allegations, proceedings, offences, convictions or related security measures falls into the category of criminal offence data and is subject to separate safeguards.
We currently collect and process the following information:
- your full name
- your student number (if known)
- any student photograph held on file
- your home/ permanent and term time addresses and other contact details such as landline/mobile phone numbers and email addresses
- your date of birth
- your nationality
- the name of your current or most recent educational institution
- any disability or other medical information that has been provided to the University
- images gathered through CCTV recording
Most of the personal information we process is provided to us directly by you for one of the following reasons:
- you have applied to study at the University and completed enrolment forms via the Universities and Colleges Admissions Service (UCAS);
- you have completed the University’s admissions processes and/or registered as a student of the University of Exeter;
- you have registered an Accommodation Account and/or completed an Application for Accommodation;
- you have made an enquiry or raised concerns by telephone, email, in person or via social media;
- you have used or interacted with University support services such as Finance, Wellbeing Services, Estate Patrol, Student Cases or the SID team.
We also receive personal information indirectly in the following scenarios:
- from images gathered through CCTV recording by the University’s Estate Patrol;
- from the Home Office or other third party in relation to your status as a home or international student;
- from third party sources in relation to your accommodation application, contract and/or subsequent residence in accommodation, such as Wellbeing Services and the Welfare team;
- from third party sources in relation to your funding, such as the Student Loans Company or your sponsor.
Where we have said that we obtain personal data about you from third party sources, we will look to ensure that the third party has lawful authority to provide us with this information.
Under the General Data Protection Regulation (GDPR), the lawful bases we rely on for processing this information are:
- Your clear and freely-given consent
- We have a contractual obligation
- We have a legal obligation
- We have a vital interest
- We need it to perform a public task
- We have a legitimate interest
We use the information that you have given us in order to:
- Deal with your enquiries, and to make contact with you, when you request information from us;
- Train our staff so that we can provide you with the best service possible;
- Handle any complaints you may have so that we can improve our business;
- Confirm that you are a student;
- Allow you to register and use an Accommodation Account;
- Ensure any contract with you is drawn up correctly;
- Provide you with accommodation and catering services (where applicable);
- Determine whether any adjustments need to be made for you (e.g. if you are under 18);
- Provide you with access to University support services such Wellbeing Services, Welfare and Residence Life;
- Send you service messages and information about matters that affect you or your room during your stay;
- Be able to provide evidence to the local council that you are a student;
- Carry out any administration relating to your stay;
- Safeguard residents, staff and other third parties on our sites;
- Process and recover accommodation fees due;
- Prevent and detect criminal activity, fraud and misuse of or damage to our properties;
- Administer any complaints, investigations and disciplinary proceedings concerning student misconduct;
- Monitor our compliance with equalities legislation;
- Support our commitment to widening access to higher education, encouraging diversity amongst the student body and providing the appropriate support to achieve this;
- Protect your vital interests, or those of another party, in an emergency situation;
- Comply with our duty of care to our students. In this instance, the Wellbeing, Welfare and Residence Life teams may have cause to process both personal and sensitive personal data.
Where we have your explicit consent to do so, we will use the information you have given us to:
- Take account of, and provide additional support for, any disabilities, health issues or conditions;
- Contact you about events or activities which are held for our residents and that we think may be of interest to you;
- Invite you to participate in student focus groups and/or surveys;
- Invite you to be involved in our marketing activities, which may include using your image or creating videos, vlogs or social media content.
We may also need to share your personal data with certain third parties for specific reasons:
- To enable nominated accommodation providers (if used) to enter into a contract with you and subsequently provide you with services and facilities. This purpose may include processing sensitive personal data you choose to disclose regarding health conditions or disabilities relevant to your accommodation. We will advise you of the nominated povider at time of offer. Data may also be released to any of the owners contractors appointed in connection with the accommodation.
- To administer the accommodation contract and repayment of student debts, where internal recovery attempts have proved unsuccessful. We may use external agents of the University including (but not limited to) solicitors, debt recovery agents, tribunals and Courts.
- To deliver externally hosted IT services or products to the University. Such information will only be used to provide the contracted services, and in accordance with the terms of agreements with the University. Approved IT and infrastructure providers currently include CampusLife, Glide Student (Cablecom Networking Ltd), Occam Systems Ltd (part of Kinetic Solutions Ltd), PAD Group, Tribal and WPM.
- When, under highly exceptional circumstances, it is appropriate to contact the emergency services, close family or next of kin and provide them with your personal information to ensure your wellbeing.
- To assist the Home Office and other international and national governmental and regulatory bodies in connection with the assessment of a student’s immigration status.
- To assist the police or other regulatory bodies such as Benefits or Tax Inspectors, UK Visas & Immigrations and the Foreign and Commonwealth Office where pursuant to the investigation or disclosure of a potential crime or national security matter.
- As required by local authorities for council tax assessment purposes or electoral purposes and for processing of care leaver bursaries.
- To enable the Students’ Guild to provide you with membership and advice services.
- To assist the University’s insurers, external auditors and external regulators such as the Health and Safety Executive with their investigations in the event of accidents or incidents occurring within the institution. Disclosures of sensitive personal data in this context would only be made where explicit consent has been obtained, disclosure is in the substantial public interest, or where necessary for the establishment, exercise or defence or a legal claim.
Where we provide links to websites of other organisations, this Privacy Notice does not cover how that organisation processes personal information. We encourage you to read the privacy notices on the other websites you visit.
The University may process your personal data in ways which are in addition to those described above. This is explained in the University’s Data Protection Information for Students which is available at: http://www.exeter.ac.uk/privacy/students/.
Where data is shared within the UK, or the European Economic Area (EEA), the third party will be required to comply with and safeguard the data under the terms of the GDPR.
Wherever possible, we will not transfer your data outside of the European Economic Area (EEA). However, there are circumstances where this will be unavoidable. If we do need to transfer your personal data out of the EEA (known as a “restricted transfer”), we ensure a similar degree of protection is afforded to it. We will only make a restricted transfer of your personal information if it is covered by an EU Commission “adequacy decision”, appropriate safeguard, or one of the “exceptions” set out in Article 49 of the GDPR.
You can find more information about these safeguards on the ICO’s website: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/
The University is committed to safeguarding your privacy and personal data at all times and it is important we are able to demonstrate how we achieve this.
- In order to ensure your electronically-held data is being protected, Exeter IT-supported systems data is regularly backed up to three data centres which have a variety of access control measures.
- Supported IT systems also have technical security controls in place such as secure networks, firewalls, malware protections and full disk encryption on laptops. This is all underpinned by a robust Information Governance and Security policy and subsidiary policies.
- Appropriate levels of access to the accommodation management software and electronic files held on the secure shared network filespace are granted by a nominated Administrator.
- Paper records and documentation are filed in locked storage within access-controlled offices; while passes and key cards are required to gain access to our buildings.
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements.
Generally speaking, we will retain your personal data for a maximum of 6 years after the end of your university studies. At the end of this period (which may be sooner if there is no need for us to keep such information for that long) then your personal data will be securely destroyed and/or deleted from our records.
Details of retention periods for different aspects of your personal data are available in our Records Retention Schedule which is available online at http://www.exeter.ac.uk/accommodation/legal/records/.
Under data protection law, you have rights including:
- The right of access – you have the right to ask us for copies of your personal information.
- The right to rectification – you have the right to ask us to update information you think is inaccurate or incomplete.
- The right to erasure – you have the right to ask us to erase your personal information in certain circumstances.
- The right to restriction of processing – you have the right to ask us to restrict the processing of your information in certain circumstances.
- The right to object to processing – you have the right to ask us to restrict the processing of your information in certain circumstances.
- The right to data portability – you have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.
- Rights in relation to automated decision making and profiling – you have the right not to be subject to a decision based solely on automated processing, including profiling, that has a legal or similarly significant effect on you. At present, we do not carry out this type of personal information processing.
More detailed explanations about all of these rights are available from the Information Commissioners Office website at https://ico.org.uk/your-data-matters/
You are not required to pay any charge for exercising your rights or accessing your data. However we may charge a reasonable fee, or refuse your request, if your request is clearly unfounded, repetitive or excessive. If you make a request, we have one month to respond to you.
Please contact the University’s Data Protection Officer via firstname.lastname@example.org if you wish to make a request.
We aim to be transparent about the way we process your personal data but we understand that you may still have questions or concerns. If there is anything you are unclear about then in the first instance please contact our Compliance, Governance and Risk Team via email@example.com or 01392 726842.
If you remain dissatisfied with how we have used your data then you have the right to complain to the ICO. Further advice on how you can raise a concern with us or escalate a matter to the ICO is available via the ICO website: https://ico.org.uk/make-a-complaint/
The ICO’s address:
Information Commissioner’s Office
Helpline number: 0303 123 1113
This Privacy Notice was last updated on 23 January 2023.
Throughout your time in University or nominated partner accommodation we would like to keep you informed of special events which are being held at our Residences or in conjunction with the Residence Life team. We feel that these are an important way to enhance your experience at University. You will be asked whether you are happy to give your consent to receive these email communications as part of your accommodation application.
You can update your marketing preferences at any time by logging in to your accommodation account and going to "Account" and "My personal details".
Please note: We will also contact you via email at various key stages of the accommodation application process, and subsequently to advise you of operational matters relating to your residence such as planned maintenance, changes to residence reception opening times, forthcoming inspections etc. These are contractual rather than “marketing” communications and are therefore not subject to consent requirements.
At the University of Exeter we would like to be able to assist any student who has a health condition or disability in obtaining accommodation which is suitable for their needs. In order to do this, we may need to process a limited amount of your personal data specifically relating to health (a special category of personal data), so that we can check your eligibility for such accommodation and ensure your needs are met. This may be information which you have provided to the Residential Services departments directly, or it may be passed to us from a third party such as the University’s Wellbeing Services or Admissions if you have given them explicit consent to do so.
As part of our Accommodation Application process (or at any other time where you make contact with us outside of the application process) you will be asked whether you give your consent to us being able to use your personal data in support of your accommodation application.
If you agree to us using your personal data in this way, then this will allow us to take into account your health or medical requirements when allocating your accommodation, and to ensure that any equipment/facilities you may require in your room are ready prior to your arrival.
If you do not agree to us using your personal data in this way, then we will process your application for accommodation in the same way as we would for any other student without medical requirements. We will disregard any additional notes you have added to your application about any medical requirements.
You can change your mind at any time about consenting to the use of your health information by confirming in writing to ExeterAO@exeter.ac.uk and using the enquiry heading “Accommodation medical consent”.
Please note: there may be circumstances where the processing of such medical/health data is justified for social security/protection requirements, protecting your vital interests and/or for reasons of substantial public interest or where the information has been made public by you. When these justifications apply we will not need your express consent.