Published 1 September 2019
1. What is the purpose of this document?
Kellogg College, part of the University of Oxford, is committed to protecting the privacy and security of your personal information (‘personal data’).
Information about how we use the data of former students for alumni relations or fund raising purposes is covered in a separate document.
Where we refer in this policy to your ‘personal data’, we mean any recorded information that is about you and from which you can be identified, whether directly or indirectly. It does not include data where your identity has been removed (anonymous data).
Where we refer to the ‘processing’ of your personal data, we mean anything that we do with that information, including collection, use, storage, disclosure, deletion or retention.
3.Who is using your personal data?
Kellogg College* is the “data controller” for the information that we hold about you as a student or former student. This means that we decide how to use it and are responsible for looking after it in accordance with the GDPR.
Access to your student record and other data will be provided to the academic and support staff who need to view it as part of their work in carrying out the purposes set out in Section 6. It will also be shared with the third parties described in Section 8.
* Kellogg College is a Society of the University of Oxford; The University’s legal title is the Chancellor, Masters and Scholars of the University of Oxford
4. The Types of data we hold about you
The information we hold about you may include the following:
- Personal details such as name, title, address, telephone number, email address, marital status, nationality, date of birth, sex and gender identity, ID Photograph, household income, parental status, details of dependants;
- Emergency contact information;
- National Insurance number (where you have voluntarily provided it);
- Education and employment information (including the school(s), sixth form college(s) and other colleges or universities you have attended and places where you have worked, the courses you have completed, dates of study and examination results);
- Other personal background information collected during the admissions process, e.g. whether you have been in care, your socio-economic classification and details of your parents’ occupation and education;
- Examination records (including records relating to assessments of your work, details of examinations taken, and your predicted and actual examination grades);
- Information captured in your student record including progression, achievement of milestones and progression reports;
- Visa, passport and immigration information;
- Fees and financial support record (including records relating to the fees paid, Student Loan Company transactions and financial support, scholarships, and sponsorship);
- Supervision, teaching, and tutorial activities; and training needs analysis and skills acquisition records;
- Placement and internship record or study at another institution as an established component of your course of studies, or career development opportunity;
- Information about your engagement with the Language Centre, Careers Support, University sport facilities and the Counselling Service;
- Information about your use of library facilities, including borrowing and fines;
- Information about your use of facilities and collections provided by the University’s museums and Botanic Garden;??
- Information about disciplinary actions (including academic misconduct), dispensations from regulations, and about any appeals and complaints raised;
- Attendance at University degree and award ceremonies; and
- Information about your use of our information and communications systems, including CCTV and building access information.
We may also process the following “special categories” of more sensitive personal data:
- Information about your race or ethnicity and religious beliefs;
- Information about your health, including any disability and/or medical condition;
- Information about criminal convictions and offences, including proceedings or allegations.
5. How did the University obtain your data?
We collect the vast majority of the information directly from you, through the application process and during on line registration. We may also collect additional information from third parties, including colleges, former schools and higher education institutions, and government departments and agencies. We will collect and generate additional information about you throughout the period of your study.
6. How the University uses your data
We process your data for a number of purposes connected with your studies, including, , pastoral and advisory support, funding and financial support, research related administration, discipline or the provision of facilities and services e.g. access to IT facilities, libraries, accommodation, meal and event bookings, etc. We set out below those circumstances where it is necessary for us to process your data. (These circumstances are not mutually exclusive; we may use the same information under more than one heading.)
Because we have a contract with you
We need to process your data in order to meet our obligations or exercise rights under our contract with you. Information processed for this purpose includes, but is not limited to, the data listed in section D. We also need to process your data under this heading where the University is working with a third party in order to offer you services, for example, those offered by the Oxford University Student Union, sponsors (such as research councils) or scholarship benefactors. See section H for further information on the sharing of data with third parties.
Where it is necessary to meet a task in the public interest
As indicated above, we need to process your data for the purpose of teaching and related activities, such as academic assessment and supervision. Teaching is a task that we perform in the public interest in order to fulfil our responsibility as a charity for promoting the advancement of learning. Information processed under this heading includes, but is not limited to, the data listed in section 4.
Where we need to comply with a legal obligation
Information processed for this purpose includes, but is not limited to, information relating to the monitoring of equal opportunities. We are also required by law to provide data to the Higher Education Statistics Agency (HESA).
Where it is necessary to meet our legitimate interests
We need to process your data in order to meet our legitimate interests relating to student administration, alumni relations or similar activities; or to meet the legitimate interests of others. Examples include, but are not limited to, the following:
- if you do not object, we share your contact details with the Oxford University Student Union. We do this to facilitate the operation of the student union as a representative body, which in turn helps the University to consult on student matters;
- we share the addresses of students living in private accommodation with Oxford City Council to enable the Council to exempt those students from Council Tax;
- we pass the email addresses of overseas students to the University’s Language Centre so that they can invite them to help with language teaching; and
- we pass your contact details to the University’s Alumni Office and Development Office so that they can contact you about their activities before you leave the University.
Where we have your consent
There may be situations where we ask for your consent to process your data e.g. where we ask you to volunteer information about yourself for a survey or where we ask for your permission to share sensitive information.
If you fail to provide personal information under section 6 above
If you fail to provide certain information when requested under the circumstances described in section 6 above, we may not be able to meet our contractual obligations to you or comply with our other legal obligations.
Change of purpose
We will only process your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another related reason and that reason is compatible with the original purpose. If we need to use your data for an unrelated purpose, we will seek your consent to use it for that new purpose.
Please note that we may process your data without your knowledge or consent, where this is required or permitted by law.
7. Special category data and criminal conviction data
Special category data and criminal conviction data require a higher level of protection. Listed below are examples of processing activities that we regularly undertake in respect of these types of data. In addition to the activities listed below, it may sometimes be necessary to process this sort of information for exceptional reasons, for example, because it is necessary to protect your vital interests or those of another person.
Health (Including disability)
We will process data about your health where it is necessary to make reasonable adjustments for disability and/or to monitor equal opportunities. Processing of this nature is necessary to meet contractual or other legal obligations. There may also be situations where we ask for your explicit consent to share information about your health.
Criminal conduct (including convictions, proceedings or allegations)
Data about criminal convictions or barring decisions will only be collected if you have applied for and been accepted onto certain courses, and where we are legally required to do so. If a course requires additional screening you will be advised before the screening takes place. Processing of this nature is necessary to meet our legal obligations and will be subject to suitable safeguards. We may also process data about criminal conduct for disciplinary purposes in order to exercise rights under our contract with you.
Racial or ethnic origin, sexual orientation, and religious belief
Data about your racial and ethnic origin, religious belief and sexual orientation will only be processed where you have volunteered it and where we need to process it in order to meet our statutory obligations under equality and/or other legislation. This processing is considered to meet a substantial public interest, and will be subject to suitable safeguards.
8. Data sharing with third parties
In order to perform our contractual and other legal responsibilities or purposes, we may, from time to time, need to share your information with the following types of organisation:
- Recognised Independent Centres*
- the Oxford University Student Union and wholly-owned subsidiary companies of the Oxford University Student Union;
- External organisations providing services to us, such as for teaching timetabling services;
- External organisations offering University-sponsored services including student surveys;
- Your funders and/or sponsors, including the Student Loan Company and research councils;
- If you have or are seeking a particular relationship with a third party, for example, other universities, schools, health care providers or providers of external training and placements;
- Employers or prospective employers and other educational institutions;
- The Higher Education Statistics Agency (HESA). Further information on how HESA uses this data is available from the HESA website;
- Any relevant professional statutory regulatory bodies, including the General Medical Council;
- Office for the Independent Adjudicator (OIA);
- Relevant public bodies, including but not limited to the UK Home Office; HM Revenue and Customs; and local authorities;
- The National Health Service or other medical practitioners (to support medical provision).
Where information is shared with third parties, we will seek to share the minimum amount necessary. For example, we may share only your student number and not your name (this is known as pseudonymisation).
All third-party service providers that process data on our behalf are required to take appropriate security measures to protect your data in line with our policies. We do not allow them to use your data for their own purposes. We permit them to process your data only for specified purposes and in accordance with our instructions.
* Recognised Independent Centres http://www.ox.ac.uk/about/rics
9. Transfers of your data outside of the European Economic Area (EEA)*
There may be occasions when we transfer your data outside the EEA, for example, if we communicate with you using a cloud based service provider that operates outside the EEA or for scholarships where selection takes place overseas, or returns to bodies overseas such as those offering international opportunities. Such transfers will only take place if one of the following applies:
- the country receiving the data is considered by the EU to provide an adequate level of data protection;
- the organisation receiving the data is covered by an arrangement recognised by the EU as providing an adequate standard of data protection e.g. transfers to companies that are certified under the EU US Privacy Shield;
- the transfer is governed by approved contractual clauses;
- the transfer has your consent;
- the transfer is necessary for the performance of a contract with you or to take steps requested by you prior to entering into that contract;
- the transfer is necessary for the performance of a contract with another person, which is in your interests;
- the transfer is necessary in order to protect your vital interests or of those of other persons, where you or other persons are incapable of giving consent;
- the transfer is necessary for the exercise of legal claims; or
- the transfer is necessary for important reasons of public interest.
We may display your University email address on our websites, which are accessible to internet users, including those in countries outside the EEA.
* The EU plus Norway, Iceland and Lichtenstein
10. Data security
We have put in place measures to protect the security of your information. Details of these measures are available from the University’s Information Security website.
Third parties that process data on our behalf will do so only on our instructions and where they have agreed to keep it secure.
11. Retention period
We will retain your data only for as long as we need it to meet our purposes, including any relating to legal, accounting, or reporting requirements.
Details of the retention periods for different types of student data are available here.
12. Your rights
Under certain circumstances, by law you have the right to:
- Request access to your data (commonly known as a “subject access request”). This enables you to receive a copy of your data and to check that we are lawfully processing it.
- Request correction of your data. This enables you to ask us to correct any incomplete or inaccurate information we hold about you.
- Request erasure of your data. This enables you to ask us to delete or remove your data under certain circumstances, for example, if you consider that there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your data where you have exercised your right to object to processing (see below).
- Object to processing of your data where we are processing it meet our public interest tasks or legitimate interests (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your data for direct marketing purposes.
- Request the restriction of processing of your data. This enables you to ask us to suspend the processing of your data, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your data to another party.
Depending on the circumstances and the nature of your request it may not be possible for us to do what you have asked, for example, where there is a statutory or contractual requirement for us to process your data and it would not be possible to fulfil our legal obligations if we were to stop. However, where you have consented to the processing, you can withdraw your consent at any time by emailing the relevant department. In this event, we will stop the processing as soon as we can. If you choose to withdraw consent it will not invalidate past processing. Further information on your rights is available from the Information Commissioner’s Office (ICO).
If you want to exercise any of the rights described above or are dissatisfied with the way we have used your information, please contact the Kellogg Data Protection Officer (currently Gary Walker) at email@example.com or you may contact the University’s Information Compliance Team at firstname.lastname@example.org. The same email address may be used to contact the University’s Data Protection Officer. We will seek to deal with your request without undue delay, and in any event in accordance with the requirements of the GDPR. Please note that we may keep a record of your communications to help us resolve any issues which you raise.
If you remain dissatisfied, you have the right to lodge a complaint with the ICO at https://ico.org.uk/concerns/.
13. Keeping your data up-to-date
It is important that the data we hold about you is accurate and current. Please keep us informed of any changes that may be necessary during your time at the University.
Last updated 1 September 2019.