1. What is the purpose of this document?
The University of Oxford is committed to protecting the privacy and security of your personal information (‘personal data’).
Where we refer in this policy to your ‘personal data’, we mean any recorded information that is about you and from which you can be identified. It does not include data where your identity has been removed (anonymous data).
Where we refer to the ‘processing’ of your personal data, we mean anything that we do with that information, including collection, use, storage, disclosure, deletion or retention.
3. Who is using your personal data?
The University of Oxford1 is the “data controller" for the information that we obtain from you or others as a result of your application for undergraduate study. This means that we decide how to use it and are responsible for looking after it in accordance with the GDPR.
Access to your data will be provided to the University’s staff, including those based in the University’s colleges2, who need to view it as part of their work in carrying out the purposes set out in Section 6. We also share it with the third parties described in section 8.
4. The types of data we hold about you
The information we hold about you may include the following:
- Personal details such as name, title, address, telephone number, email address, date of birth, sex and gender, marital status, and details of dependants;
- Education and employment information;
- Information about your use of our IT systems;
- Visa, passport and immigration information;
- Funding and financial support information.
We may also process the following "special categories" of more sensitive personal data:
- Information about your race or ethnicity, sexual orientation and religious beliefs;
- Information about your health, including any disability and/or medical condition;
- Information about criminal convictions and offences (if applicable to your course).
Special category data will not be used to assess your application and will only be used in accordance with section 7.
5. How did the University obtain your data
Most of the information we hold comes from your application, for example, via UCAS. We may also collect additional information directly from you and from third parties, including referees, former schools, colleges and universities, and government departments and agencies.
6. How the University uses your data
We process your data for the purpose of processing and assessing your application for study, and for purposes related to your application, such as assessing your eligibility for funding and your financial status. We set out below those circumstances where it is necessary for us to process your data. (These circumstances are not mutually exclusive; we may use the same information under more than one heading.)
6.1 Because we have a contractual obligation to consider your application
Information processed for this purpose includes the data listed in section 4 above.
We also need to process data under this heading where the University is working with a third party in order to offer you services, for example, those offered by the colleges or scholarship benefactors. See section 8 for a fuller list of examples of third party sharing.
6.2 Where we need to comply with a legal obligation
Information processed for this purpose includes, but is not limited to, information relating to the monitoring of equal opportunities. We are also required by law to provide data to various Government departments through the Higher Education Statistics Agency (HESA).
6.3 Where it is necessary to meet our legitimate interests
We also need to process your data in order to meet our legitimate interests or the legitimate interests of others. Examples include, but are not limited to, the following:
- inviting you to take part in applicant surveys or enabling third parties to conduct applicant surveys on our behalf;
- asking you to provide additional information on your application; and
- notifying you of changes to course information.
6.4 Where we have your consent
There may be situations where we ask for your consent to process your data e.g. where we ask you to volunteer information for a survey (you will always be able to opt out of receiving such communications).
If you fail to provide personal information under 6.1 or 6.2 above
If you fail to provide certain information when requested under the circumstances described in 6.1 and 6.2 above, we may not be able to meet our contractual obligation to consider your application or to comply with our other legal obligations.
Change of purpose
We will only process your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another related reason and that reason is compatible with the original purpose. If we need to use your data for an unrelated purpose, we will seek your consent to use it for that new purpose.
Please note that we may process your data without your knowledge or consent where this is required or permitted by law.
7. Special category data and criminal conviction data
Special category data and criminal conviction data require a higher level of protection. Listed below are examples of processing activities that we regularly undertake in respect of these types of data. In addition to the activities listed below, it may sometimes be necessary to process this sort of information for exceptional reasons, for example, because it is necessary to protect your vital interests or those of another person. We may also process your special category data to identify your eligibility for certain scholarships aimed to address underrepresentation.
We will process data you have volunteered about any disability in order to make any arrangements or adjustments required in relation to your application (e.g. to arrange access for interviews) and/or to monitor equal opportunities. We may share this data, for the same reasons, with the University’s colleges.
7.2 Criminal conduct
Data about criminal convictions or barring decisions will only be collected if you have applied for our Medicine courses, and where we are legally required to do so. If a course requires additional screening you will be advised before the screening takes place. Processing of this nature is necessary to meet our legal obligations and will be subject to suitable safeguards.
7.3 Racial or ethnic origin, sexual orientation and religious belief
Data about your racial and ethnic origin, religious belief or sexual orientation will only be processed where you have volunteered it and where we need to process it in order to meet our statutory obligations under equalities and other legislation. This processing is considered to meet a substantial public interest, and we will seek to anonymise the data as soon as practicable.
8. Data sharing with third parties
In order to perform our contractual and other legal responsibilities or purposes, we may, where relevant and necessary, need to share your information with the following types of organisation:
- The college you have applied to or have been allocated to;
- Your school, college and/or training organisation;
- Your referees;
- External organisations offering University-sponsored services including student surveys;
- The governmental departments or agencies responsible for immigration and student loans;
- If you have or are seeking a particular relationship with a third party, for example, because of an exchange scheme;
- Sponsors or benefactors of funding and financial support;
- Examination boards and awarding bodies;
- Testing services, including Cambridge Assessment Admissions Testing, Pearsons, etc.
Where information is shared with third parties, we will seek to share the minimum amount necessary.
All third-party service providers that process data on our behalf are required to take appropriate security measures to protect your data in line with our policies. We do not allow them to use your data for their own purposes. We permit them to process your data only for specified purposes and in accordance with our instructions.
9. Transfer of your data outside of the European Economic Area (EEA) 3
There may be occasions when we transfer your data outside the EEA, for example, to obtain a reference or to verify information in your application. Such transfers will only take place if one of the following applies:
- the country receiving the data is considered by the EU to provide an adequate level of data protection;
- the transfer has your consent;
- the transfer is necessary for the performance of a contract with you or to take steps requested by you prior to entering into that contract; or
- the transfer is governed by approved contractual clauses.
10. Retention Period
We will retain your data only for as long as we need it to meet our purposes, including any relating to legal, accounting, or reporting requirements. Details of the retention periods for different types of applicant and student data are available here.
11. Your rights
Under certain circumstances, by law you have the right to:
- Request access to your data (commonly known as a “subject access request"). This enables you to receive a copy of your data and to check that we are lawfully processing it.
- Request correction of your data. This enables you to ask us to correct any incomplete or inaccurate data we hold about you.
- Request erasure of your data. This enables you to ask us to delete or remove your data in certain circumstances, for example, if you consider that there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your data where you have exercised your right to object to processing (see below).
- Object to processing of your data where we are relying on our legitimate interests (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your data for direct marketing purposes.
- Request the restriction of processing of your data. This enables you to ask us to suspend the processing of your data, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your data to another party.
Depending on the circumstances and the nature of your request it may not be possible for us to do what you have asked, for example, where there is a statutory or contractual requirement for us to process your data and it would not be possible to fulfil our legal obligations if we were to stop. However, where you have consented to the processing (for example, where you have asked us to send you certain types of communication), you can withdraw your consent at any time, by emailing us at email@example.com. In this event, we will stop the processing as soon as we can. If you choose to withdraw consent it will not invalidate past processing and it may impact our ability to provide particular additional services to you. Further information on your rights is available from the Information Commissioner’s Office (ICO).
If you want to exercise any of the rights described above or are dissatisfied with the way we have used your information, please contact the University’s Information Compliance Team at firstname.lastname@example.org. The same address can be used to contact the University’s Data Protection Officer. We will seek to deal with your request without undue delay, and in any event in accordance with the requirements of the GDPR. Please note that we may keep a record of your communications to help us resolve any issues which you raise.
If you remain dissatisfied, you have the right to lodge a complaint with the ICO at https://ico.org.uk/concerns/.
12. Keeping your data up-to-date
It is important that the data we hold about you is accurate and current. You can access, amend and delete your data yourself until the point at which you submit your application to the University. Please keep us informed of any changes after you submit your application.
1 The University’s legal title is the Chancellor, Masters and Scholars of the University of Oxford
2 College means any college or Permanent Private Hall
3 The EU plus Norway, Lichtenstein and Iceland