In simple terms, personal data is information which identifies and relates to you, either on its own or in conjunction with other information held by the University. Sensitive personal data (or special categories of personal data, as it will be known under new EU legislation which comes into force on 25 May 2018) is personal data which falls within one of these categories:
- ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- biometrics (where used for the purpose of uniquely identifying a natural person);
- sex life or sexual orientation;
Data relating to criminal allegations, proceedings, offences, convictions or related security measures falls into the category of criminal offence data and is subject to separate safeguards.
There are specific reasons why we collect and process your personal data; these are known as lawful bases. From 25 May 2018 the new EU General Data Protection Regulations (or GDPR for short) will come into force and we shall process your personal data in accordance with these regulations. GDPR is new law and it has not yet been applied to circumstances such as Universities and students so we may change our views on the lawful bases for processing, as legal views also change.
We may process your personal data because it is necessary for the performance of an accommodation contract with you, or because you are asking us to take specific steps before entering into a contract. We need to be able to fulfil our contractual obligations to you, and in this respect, we use your personal data for the following:
- Provision of University accommodation and catering services (if applicable). This purpose may include processing sensitive personal data you disclose regarding health conditions or disabilities relevant to your accommodation if you have given your explicit consent for us to do so.
- With your explicit consent we may use details of your religious beliefs in order to support an application to live in University accommodation which enables students to adhere to a kosher lifestyle.
- Processing safeguarding concerns to ensure the safety and wellbeing of our students.
- Processing and recovery of accommodation fees.
- Provision of support services to students such as Wellbeing Services and Residence Life. This may also include the receipt of personal data which has been disclosed to us by the Student Health Centre or Admissions where you have given them your explicit consent to do so.
- Administration of the University’s CCTV system in accordance with the University’s code of practice.
We may also process your personal data because it is necessary for the performance of our tasks carried out in the public interest (as set out in our Institutional Governance pages available at https://www.exeter.ac.uk/about/organisation/governance/). In this respect, we may use your personal data for the following:
- Administration of complaints, investigations and disciplinary proceedings concerning student misconduct. As providers of higher education, investigating complaints concerning misconduct is necessary to maintain the integrity of the University’s assessment process, our academic standards, our reputation and the welfare of our students and staff
We may also process your personal data to ensure compliance with our legal obligations. In this respect, we may use your personal data for the following:
- To monitor our compliance with equalities legislation, along with the legitimate purpose of seeking to widen access to higher education, encourage diversity amongst the student body and provide appropriate support.
We may also process your personal data where:
- It will help us to protect your vital interests, or those of another party. This would be in extreme circumstances where there is an emergency situation such as illness or serious injury.
- You have given us permission (consent) to send you information relating to events or activities which may be of interest.
To comply with our duty of care to our students, the Residence Life Team may process both personal and sensitive personal data.
In addition to the purposes referred to above, we may share your personal data with certain third parties for specific processing reasons.
We may pass your details to third parties because it is necessary for the performance of our accommodation contract or the accommodation provider’s contract with you. In this respect, we/they may use your personal data for the following:
- To enable nominated accommodation providers (owners) who have been contracted by the University to provide you with services and facilities. This purpose may include processing sensitive personal data you disclose regarding health conditions or disabilities relevant to your accommodation. Data may also be released to any of the owners contractors appointed in connection with the accommodation. At present our nominated providers are: UPP (UPP Group Ltd), Unite Students (Unite Group), We are Homes For Students (Homes for Students Ltd), Campus Living Villages (CLV), Host (Victoria Hall Management Ltd).
- In emergency situations such as illness or serious injury we may pass your information to the emergency services, close family or next of kin.
- To administer the accommodation contract and repayment of student debts, where internal recovery attempts have proved unsuccessful. We may use external agents of the University including (but not limited to) solicitors, debt recovery agents, tribunals and Courts.
- To deliver externally hosted IT services or products to the University. Such information will only be used to provide the contracted services, and in accordance with the terms of agreements with the University. Approved IT and infrastructure providers currently include Studentcom, OCCAM Systems Ltd, PAD Group and WPM.
So that we can perform our tasks carried out in the public interest we may need to pass your personal details to:
- The Home Office and other international and national governmental and regulatory bodies in connection with the assessment of a student’s immigration status. This may also be a legal obligation.
- The police or other regulatory bodies such as Benefits or Tax Inspectors, UK Visas & Immigrations and the Foreign and Commonwealth Office where pursuant to the investigation or disclosure of a potential crime or national security matters
- Local authorities for council tax assessment purposes or electoral purposes and for processing of care leaver bursaries
- The University’s Student Finance department to administer student fees and confirm enrolment on course and payments.
There may also be a legitimate reason for us to pass your personal details to third parties such as:
- The Students’ Guild to enable the provision of membership and advice services.
- The University’s insurers in respect of accidents or incidents occurring within the institution, and external auditors and external regulators such as the Health and Safety Executive. Disclosures of sensitive personal data in this context would only be made where explicit consent has been obtained, disclosure is in the substantial public interest, or where necessary for the establishment, exercise or defence or a legal claim.
The University may process your personal data in ways which are in addition to those described above. This is explained in the University’s Data Protection Information for Students which is available at www.exeter.ac.uk/dataprotection/students
The type of personal data and sensitive personal data we may process about you includes:
- your full name;
- your student number (if known);
- any student photograph held on file;
- your home/ permanent and term time addresses and other contact details such as landline/mobile phone numbers and email addresses;
- your date of birth;
- your nationality;
- your religion;
- the name of your current or most recent educational institution;
- any disability or other medical information that has been provided to the University;
- images gathered through CCTV recording.
We will collect your information in the following ways:
- from you when you complete the University’s admissions processes and register as a student;
- from you when you register an Accommodation Account;
- from you when you complete an Application for Accommodation;
- from you when you communicate with us by telephone, email, in person or via social media, for example in order to make enquiries or raise concerns;
- when you apply to study at the University and complete enrolment forms via the Universities and Colleges Admissions Service (UCAS);
- when you use or interact with University support services such as Finance, Wellbeing Services, Estate Patrol, Student Cases or the SID team;
- from images gathered through CCTV recording;
- from the Home Office or other third party in relation to your status as a home or international student;
- from third party sources in relation to your accommodation application, contract and/or subsequent residence in accommodation;
- from third party sources in relation to your funding, such as the Student Loans Company or your sponsor.
Where we have said that we obtain personal data about you from third party sources, we will look to ensure that the third party has lawful authority to provide us with this information.
As a “Data Subject” you have a number of rights under the Data Protection Act. These apply until 24 May 2018 and give you the right to:
- access the personal data the University holds about you;
- object to processing of information which may cause, or is causing damage or distress;
- prevent processing for direct marketing;
- object to decisions being taken by automated means;
- (in certain circumstances) have inaccurate personal data rectified, blocked, erased or destroyed;
- claim compensation for damages caused by a breach of the Act.
Once GDPR is introduced on 25 May 2018 these rights will be expanded to provide for the following:
- The right to be informed – we will explain how we collect and use your personal data in a clear and plain language
- The right of access – you will be able to request a copy of your personal data and other information around how we process it
- The right to rectification – you can tell us to update any information about you which is inaccurate or incomplete
- The right to erasure – some people may refer to this as the ‘right to be forgotten’, but you can only ask to have your personal data erased and prevent processing in specific circumstances. For example, if you provided your personal data in order to form an accommodation contract but you are no longer bound by that contract, then you can request that it is deleted. But if we have told you that we need your personal data to comply with a legal obligation, then we may refuse your request.
- The right to restrict processing – in certain circumstances you can block or restrict us from processing your data. If we are restricted then we are allowed to store your personal data, but not process it again.
- The right to data portability – this allows you to obtain and reuse your personal data for your own purposes but only applies when processing has been carried out by automated means.
- The right to object – where we have said that we are processing your data based on legitimate interests or in the performance of a task in the public interest, or for direct marketing, you have a right to object to your personal data being used. However, if we can demonstrate that we have legitimate grounds for the processing which override your individual interests, or that the processing is necessary for the establishment, exercise or defence of legal claims, then we can decline your request.
- Rights in relation to automated decision making and profiling – at present, all our decisions involve a human. If this situation were to change and we started to use automated decision-making processes, then you would have the right to ask us to not base any decisions which significantly affected you solely on automated processing.
More detailed explanations about all of these rights are available from the Information Commissioners Office website at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/
If you wanted to exercise any of the above rights please contact the University’s Data Protection Officer via email@example.com
You can request a copy of the information we hold about you; this is known as a “Subject Access Request” (SAR). The University currently charges £10 and has 40 calendar days from receipt of payment to process a SAR. In accordance with the GDPR, we will stop charging the £10 fee by 25 May 2018. All SARs must be made in writing to the University’s Records Manager and you can find details as to how to do this on the University’s webpage: http://www.exeter.ac.uk/dataprotection/access/
The primary reason for us collecting and processing your personal data is so that we can provide you with accommodation whilst you are studying at the University. If you do not want us to process your personal data then we will be unable to offer accommodation to you as we will be unable to form a contract.
Under the new legislation, you do have the right to object to us processing your personal data if we have said we are doing it:
- based on legitimate interests
- for the performance of a task in the public interest
- for research and statistical purposes
Where we have said that we are processing your personal data for one of the purposes mentioned above, then you are entitled to object to the processing of any personal data relating to your own specific situation (and not on behalf of someone else) and we will stop processing.
However, if we (as the data controller) can demonstrate that our compelling legitimate grounds for the processing override your own interests, fundamental rights or freedoms, then we shall be able to continue processing your data. We will also be able to continue if the processing is for the establishment, exercise or defence of legal claims.
Where we are processing your personal data for statistical reporting purposes and we are doing this for the performance of a public interest task, then we are not required to comply with an objection to the processing.
If you choose to stop us processing your data then it may mean that we are no longer able to put you in touch with certain support and advisory services offered by the University. In this instance we would let you know what the consequences were, so that you could make an informed decision.
Where data is shared within the UK, or the European Union (EU), the third party will be required to comply with and safeguard the data under the terms of the DPA and appropriate EU regulations (prior to 25 May 2018) or the GDPR (from 25 May 2018).
Your personal information will only be transferred to countries outside of the EU (“third countries”) or international organisations, where the European Commission has decided that an adequate level of data protection can be offered, or where adequate safeguards, such as the EU-US Privacy Shield, are in place.
We will only retain your personal data as long as is necessary for the purposes described above. We may still need to hold your personal data for a period of time to satisfy statutory/legal obligations and/or to meet administrative requirements. Data will be securely destroyed when no longer required.
Generally speaking, we will retain your personal data for 6 years after the end of your accommodation contract, but if there is no need for us to keep such information for that long then we will delete it sooner. If you create an accommodation account but decide not to proceed, or you start an application for accommodation which is not then submitted, we will retain your information for a maximum of 3 months beyond the end of the academic year you were applying for.
You can view more details in our Records Retention Schedule which is available online at http://www.exeter.ac.uk/accommodation/legal/records/ but we also work in line with the guidance provided in the University’s Record Management Policy and Retention ScheduleRetention Schedule.
We take a range of measures to protect your information, including:
- Limiting access to our buildings by passes and key cards
- Using secure access e.g. firewalls and encryption to secure file servers
- Granting appropriate levels of access to the accommodation management software for individual members of staff
- Filing paper documents in locked storage
The University is registered as a Data Controller with the Information Commissioner's Office (ICO), the independent authority which oversees compliance with the DPA. The University's registration number is Z5785872 and sets out, in very general terms, the full range of purposes for which we use student, staff and all other personal information. You can view our registration here.
The University’s Data Protection Officer is Rhiannon Platt, Information Governance Manager, who can be contacted by emailing firstname.lastname@example.org
We aim to be transparent about the way we process your personal data but we understand that you may still have questions or concerns. If there is anything you are unclear about then please contact our Data Protection Officer via email@example.com who shall be happy to help.
If you remain dissatisfied then you have the right to complain to the ICO. Further advice on how you can raise a concern with us or escalate a matter to the ICO is available via the ICO website: https://ico.org.uk/for-the-public/raising-concerns/
We are likely to make changes to this Privacy Notice. Until 24 May 2018 we shall process your personal data in accordance with the Data Protection Act 1998 (or DPA for short). From 25 May 2018 the new EU General Data Protection Regulations (or GDPR for short) will come into force and we shall process your personal data in accordance with these regulations. We shall inform you of any changes to this Notice through an appropriate medium of communication; this is most likely to be by email to your registered email address. We will also ensure that the most up to date version is available online at http://www.exeter.ac.uk/accommodation/legal/dataprotection/
This Notice complies with requirements under both DPA and GDPR. If you want to find out more about the changes in legislation you can visit the ICO website https://ico.org.uk/
This Privacy Notice was last reviewed on 13 June 2018.
Throughout your time in University or nominated partner accommodation we would like keep you informed of special events which are being held at our Residences or in conjunction with the Residence Life team. We feel that these are an important way to enhance your experience at University. You will be asked whether you are happy to give your consent to receive these email communications as part of your accommodation application.
From time to time we run student focus groups and surveys to get your feedback on the experience you are having while living in University accommodation. You will be asked whether you are happy to give your consent to being included in a database of potential respondents as part of your accommodation application.
We also like to include current students in our marketing activities, which may include updating the images within our brochures, on our website, or making videos, vlogs and social media content. If you are interested in participating in these activities then you will be asked to give your consent to be included in a database of potential participants as part of your accommodation application.
Please note: Depending on the activity/student demographic required, you may or may not receive an invitation to participate. Even if you do receive an invite then you do not have to agree to participate.
Any marketing emails you receive from us will have a link to enable you to unsubscribe from that mailing list at any time. Please be aware that you may continue to receive some communications whilst we update our systems with your request.
If you have changed your mind from the preferences you originally gave us, then you can start receiving these emails by confirming in writing to firstname.lastname@example.org and using the enquiry heading “Accommodation Marketing Emails”.
Please note: We will also contact you via email at various key stages of the accommodation application process, and subsequently to advise you of operational matters relating to your residence such as planned maintenance, changes to residence reception opening times, forthcoming inspections etc. These are contractual rather than “marketing” communications and are therefore not subject to consent requirements.
The University of Exeter will endeavour to provide accommodation for students who wish to live in a kosher environment to support their Jewish faith. Any student requesting to live in this accommodation will be expected to adopt the appropriate lifestyle. Unfortunately we cannot guarantee being able to offer this environment if the demand does not equate to the minimum number of residents in the flat/house available. In this instance, you may find that other students (who were not requesting a kosher environment) are also allocated to the flat/house to live alongside you, and they may adopt a non-kosher lifestyle.
If you wish to apply for kosher accommodation, we will require a letter of recommendation from your Rabbi, which you should send separately by email to email@example.com. Please use the subject heading “Kosher Accommodation – attention Accommodation Office”.
We will only gather and process information on your religious preferences if you are applying for kosher accommodation, in order to meet these specific needs. By you providing this information we are able to verify that you are eligible to live in this type of accommodation.
You have the right to withdraw your consent at any time by emailing: firstname.lastname@example.org but this will mean that we are no longer able to continue to process your request to live in kosher accommodation. This does not affect your ability to apply for accommodation in general.
At the University of Exeter we would like to be able to assist any student who has a health condition or disability in obtaining accommodation which is suitable for their needs. In order to do this, we may need to process a limited amount of your personal data specifically relating to health (a special category of personal data), so that we can check your eligibility for such accommodation and ensure your needs are met. This may be information which you have provided to the Residential Services departments directly, or it may be passed to us from a third party such as the University’s Wellbeing Services or Admissions if you have given them explicit consent to do so.
As part of our Accommodation Application process (or at any other time where you make contact with us outside of the application process) you will be asked whether you give your consent to us being able to use your personal health data in support of your accommodation application.
If you agree to us using your personal data in this way, then this will allow us to take into account your health or medical requirements when allocating your accommodation, and to ensure that any equipment/facilities you may require in your room are ready prior to your arrival.
If you do not agree to us using your personal data in this way, then we will process your application for accommodation in the same way as we would for any other student without medical requirements. We will disregard any additional notes you have added to your application about any medical requirements.
You can change your mind at any time about consenting to the use of your health information by confirming in writing to email@example.com and using the enquiry heading “Accommodation medical consent”.
Please note: there may be circumstances where the processing of such medical/health data is justified for social security/protection requirements, protecting your vital interests and/or for reasons of substantial public interest or where the information has been made public by you. When these justifications apply we will not need your express consent.