Published 1 September 2019
1. What information does the College collect?
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together follows:
- Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
- Contact Data includes billing address, delivery address, email address and telephone numbers.
- Financial Data includes bank account and payment card details.
- Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
- Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
- Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
- Usage Data includes information about how you use our website, products and services.
- Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
- A record of any correspondence you send to us through our website.
- Data that you provide in placing an order through the College Network, completing applications for entry into a Programme of Study at the College, application forms for accommodation, entry into Prize Draws and competitions and details of donations you make to the College;
Where you are required to enter your username and password to gain access to the College Network or a College Network Service, over and above the information referred to above, we may also collect information about external networks and resources you have visited, accessed or materials downloaded.
From time to time the College runs surveys about various aspects related to its Services, including but not limited to surveys about the student experience. These surveys are anonymous but in certain circumstances because of the other information we hold about Users who are also members of the College community a User may be identifiable.
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature.
However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data) unless we specifically ask you for your consent for us to collect this data through our online forms. We do not collect any information about criminal convictions and offences.
2. Accessing your information
The General Data Protection Regulation (GDPR) gives individuals a right to access their personal information.
This means that individuals can exercise the right of access to see what information the College holds on them, thereby allowing individuals to be aware of what data is being processed and to verify the lawfulness of this processing.
If you wish to make a request for a copy of the data held about you by the College, please contact email@example.com. Please try to provide us with as much detail as possible as to what the data is you are seeking and your relationship with the College as this will assist us in processing your request more efficiently.
Requests will normally be free of charge, however, a ‘reasonable fee’ may be charged in certain circumstances. We will usually be required to respond to your request within one calendar month of receipt.
3. Your information rights
The General Data Protection Regulation (GDPR) provides individuals with a number of other rights aside from the right of access.
Right to be informed
Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
We must provide you with information including: the purposes for processing your personal data, our retention periods for that personal data, and who it will be shared with. This is known as ‘privacy information’ and is set out in our privacy notices.
We must provide privacy information to you at the time we collect your personal data from you. Should we obtain personal data from other sources, we must provide you with privacy information within a reasonable period of obtaining the data and no later than one month.
Should you believe that we have not provided you with sufficient information about how we are going to process your data then you can ask us to show you the ‘privacy information’ or explain the legal basis we have used to process your data.
Right to rectification
The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.
Should you believe that the personal data we are processing about you is inaccurate you can submit a request for rectification.
There are certain circumstances when we can refuse a request for rectification.
Right to erasure
The GDPR introduces the right to erasure. This is also known as the ‘the right to be forgotten’.
This is not an absolute right and it will only apply in certain circumstances. The Information Commissioner’s Office have further information on the circumstances when data can be requested for erasure and it may be useful to read their guidance on right to erasure before submitting a request.
Right to restrict processing
You will also have a right to request the restriction or suppression of your personal data. As with the right to be forgotten, this is not an absolute right and will only apply in certain circumstances. You should refer to the Information Commissioner’s Office guidance on right to restrict processing for further information on this.
Should we restrict processing for an individual the College will be able to store the information but we will not be able to use it.
Right to data portability
The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services.
It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
The right of portability only applies to information an individual has provided to the College.
You can find further information on this right to data portability on the Information Commissioner’s Office website.
Right to object
The GDPR gives you a right to object to the following:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics.
You must provide us with specific reasons in order to exercise this right to object to processing for research purposes.
You can find further information on this right to object on the Information Commissioner’s Office website.
4. How to submit a request
If you wish to exercise any of the above rights please email firstname.lastname@example.org in the first instance.
5. Report a data protection incident
The College holds the personal data of staff, students, alumni, and others who have an association with the College. If that data is lost, stolen, corrupted or released to unauthorised persons, the Data Protection Officer must be informed immediately. Please email email@example.com
6. Privacy notices
The College is required to inform people about the ways in which we use their personal information.
We need to tell you about the types of personal information we collect, the purposes we use it for, the legal reasons contained in the General Data Protection Regulation and Data Protection Act 2018 which allows us to use it in these ways, how long we retain the information for and how you can exercise your rights.
The following privacy notices provide this information for each of the groups of individuals identified. Please note that in addition to these notices you may on occasion be provided with additional privacy information where we need to tell you about something not covered by one of these notices.
Applicant Privacy Notice
Student Privacy Notice
Alumni, Donors, and Supporters Privacy Notice
Staff Privacy Notice
7. Online privacy
The College is committed to looking after any information that is made available to us when you visit our website or interact with us through other online channels, in accordance with data protection law. ‘Website’ in this instance refers to web pages under the kellogg.ox.ac.uk domain.
This notice outlines what categories of information we retain and how we use it. Personal data
You don’t have to create an account or provide us with any personal information to access the College website. However, we may ask for some personal details if you wish to access some of our services
The vast majority of the personal information we hold about you will be obtained via our websites’ forms or if you contact us by email.
Some of the personal data we store and process may include:
- biographical information consisting of your name, title, birth date, age and gender;
- your contact details including address, email address and phone number;
- information about your time at the College;
- your professional activities;
- current interests and preferences;
- records of communications sent to you by the College or received from you;
- attendance at College events.
We may also collect and store bank card details. The College is PCI DSS compliant. We do not store credit/debit card details after authorisation and till receipts are always masked.
When you provide us with your contact details you will be asked whether you wish to receive any further communications from us.
We will ensure that all personal data you supply is held in accordance with data protection law. We do not sell or otherwise transfer personal data to any third parties unless you have consented to this or this is permitted by law.
Visits to College website
This privacy notice applies to all College web pages within the Kellogg.ox.ac.uk domain. If the user leaves a College website and visits a website operated by a third party, The College cannot be held responsible for the protection and privacy of any information that users provide when visiting such third-party websites. Accordingly, users should exercise caution and review the privacy statement applicable to the website in question.
When you visit any of the College website the following information is received and stored by our web servers: anonymised details of your IP address, browser type and operating system; and the web pages you visited. This data is known as web server logs. We use this information strictly to analyse how the College websites are used by our visitors and we may archive this information in an anonymous form for historical records.
Our websites use ’cookies’ which are text files placed on your computer when you visit a site which help us understand how you use our websites. Cookies don’t collect personal data from your computer, only the data created by your browsing. Some cookies remain on your computer after you leave the website; these are called ‘persistent’ cookies. Others are deleted automatically when you close your browser and others simply expire. We use the following cookies on our websites:
We may collect non-person-identifying information relating to your use of our sites via Google Analytics technology. This may include: which pages you see; how long you stay; what you click on our pages; if you visit the website again; which country and city you are browsing from; etc. This data is collected for the purpose of monitoring and understanding the effectiveness of our websites. We also collect data relating to the demographics and interests of our users via Google Analytics and cookies set by Google advertising networks. This data is used in aggregated form to help improve the site and the College’s marketing efforts.
Visitors can disable the cookies at any time by updating their browser settings.
COOKIES DESCRIPTIONS TO COME FROM WEB DEVELOPERS WHEN SITE COMPLETE
We are keen to communicate our activities, institutional views, latest news and points of excellence with staff, stakeholders, students, alumni and supporters. We do this by providing information through a range of online and offline channels including publications, events, press releases, social media and email.
In order to do this we have a database that contains personal data collected by the College during the course of our relationship with our stakeholders, staff, students, and alumni. We aim to keep your data up to date and welcome any updates to your details or corrections to any inaccuracies you may wish to provide. In addition when you provide your personal data to a College Faculty, School or Department you will receive specific information from them informing you about the ways it will be used.
You have a right to request copies of the data held about you by the College. To do so, please contact the College Administrator If you no longer want us to use your data, or wish to amend the type of communications you receive, then you can opt out at any time via the unsubscribe link included in every email.
We value our relationship with you and we use your personal data to personalise our communications, improve our services and ensure we work efficiently and effectively.
Unless you have requested otherwise, your data is used and processed for a full range of communications and programmes involving academic and administrative operations. These include the following communications and marketing activities (by mail, email and telephone):
- Sending College publications;
- Promoting our services;
- Notifying you of upcoming events;
- Promoting discounts and opportunities.
Tools may be used to help us improve the effectiveness of our communications with you, including tracking whether the emails we send are opened and which links are clicked within a message.
Lastly, we use data to undertake analysis projects to ensure only effective and relevant communications are sent to you.
We utilise tools and resources to help us understand our stakeholders, staff, students, and alumni and gather information from publicly available resources (eg the electoral register, press, the charity register) to assess the capacity of these groups to support the College.
Public Twitter data
The College uses publicly available information, such as Twitter handles, URLs mentioned in tweets and hashtag usage, to target tweets promoting the College’s activities to Twitter users who have indicated an interest in topics relevant to our activities. This data is collected manually and through third-party analytics platforms that search for links and references on Twitter.
8. Changes to this notice
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.
This notice was last updated 1 September 2019.