This privacy notice outlines what you can expect when Buckinghamshire New University collects your information, if you are or have been or are applying to become a student at the University or one of its partners. It includes information about how student data is used and where it is supplied by the University to the Higher Education Statistics Agency (HESA) and other external parties.

Buckinghamshire New University must collect and process data about our students and applicants in order to implement and manage education related services and processes, including student recruitment, admission, registration, teaching and learning, examination, graduation and other services such as accommodation, student support and careers.

The University holds and processes personal data and sensitive personal data about its current, past or prospective students and others who are defined as data subjects under the Data Protection Act.

Personal data is data relating to a living individual who can be identified from that data (e.g. name, address, telephone number and student number). It can also include expressions of opinions about an individual.

Sensitive Personal Data (or “special categories of data” as described under the GDPR) relates to racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sex life, criminal convictions. Personal data concerning disability is sensitive data.

We will collect and process personal data about you for the purposes described below.  The University recognises the significance of sensitive personal data and will only process such data if certain conditions are met.

We ask you to declare your ethnic origin and any disabilities at the time of your application and enrolment for a course. These fall within the definition of sensitive data. If you choose to provide such data, you give your consent for the University to use them, in an aggregated form, for statistical purposes.

When you register with us as a student, you can decide if you wish to share certain types of sensitive data with the University. These records will be kept in strict confidence and will not be released to third parties without your explicit consent.

The University processes student personal data in order to:

• Provide education and support services to our students;
• Administrate education services and associated financial matters;
• Enable the use of University facilities;
• Conduct equal opportunities monitoring;
• Produce degree certificates, transcripts and Higher Education Achievement Reports (HEAR) for students;
• Promote the institution and the services we offer;
• Deliver graduation ceremonies and related services;
• Publish the University magazine and alumni relations;
• Undertake research and fundraising;
• Manage our accounts and records;
• Provide commercial activities to our clients;
• Conduct attendance monitoring;
• Capture learning analytics for student satisfaction, retention and attainment; and
• Run lecture capture services.

The University will also process personal information for the use of CCTV systems to monitor and collect visual images for the purposes of security and the prevention and detection of crime.

The University may monitor usage of its IT systems and access user information on its systems and networks that is normally private. Any institutional monitoring or access will comply with UK legislation and be justifiable, fair and proportionate.  Such activity will be conducted in line with the University’s policy on monitoring computer and network use.

Some sections of the University undertake processes using your personal data that include elements of profiling or automated decision-making. For example, the Marketing and Student Recruitment Directorate may use these processes to determine the type of communications sent to individuals and to facilitate student recruitment and admissions procedures.

The University will use your contact details to keep you informed of events relevant to your studies and in emergencies.

Personal data held by the University relating to students is mainly collected directly from the student or applicant during promotional events (e.g. open days), student registration, enrolment and general administration over the course of their registration (e.g. assessment results).

In some instances data will be obtained from a third party organisation involved in the services provided by the University, for example, UCAS, other institutions involved in joint programmes, agents involved in student recruitment or the Student Loans Company.

Your personal data will mainly be processed by the University’s support departments and academic schools. Access to personal data is carefully controlled and will be seen only by authorised members of staff.

The University may disclose certain personal data to external bodies as categorised below where we have a legitimate reason to use that data in connection with your time here at the University or where the University is under a legal requirement to do so. Information will be disclosed in accordance with the provisions and obligations of the Data Protection Act. Please note this is not an exhaustive list.

The University will not release data to any unauthorised third-party except where you ask us to. This means that we will not release data to banks, friends, relatives (including parents), etc., without your agreement. You should provide the University with written consent if you want us to release data on your behalf in these circumstances.

Sometimes to achieve the purposes for which we are processing your personal data, we may need to share your personal data with other organisations based within the European Union or outside of it in countries that have comparable levels of protection.

When it is necessary to share your data with organisations outside of the European Union, we will ensure that there are appropriate safeguards in place.

We will keep your personal data for only as long as is necessary for the purposes for which it was collected.  Information about students is retained and disposed of in accordance with the University’s records retention schedules, which are detailed in the Records Lifecycle Management Scheme. Some information may be archived for long term historical preservation. Data will be securely destroyed when no longer required.

Student personal data is collected and processed by the University as necessary for the performance of the contract under which the University provides services to students.

Some processing activities may also be carried out: under a legal obligation (for example, disclosing personal data to external parties under statutory powers); where it is necessary to protect the vital interests of the student or another party (for example, disclosures to external parties to ensure the safety and wellbeing of individuals); where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority (for example, collecting or disclosing information in order to meet regulatory or statutory requirements); or where it is necessary for legitimate interests pursued by the University or a third party (the legitimate interests will relate to the efficient, lawful and proportionate delivery of services and will not be to the detriment of the interests or rights of individuals).

Where any of these legal conditions do not apply, the consent of an individual to process their personal data will be sought.

Under the new data privacy legislation you have the right to:

• Withdraw consent where that is the legal basis of our processing;
• Access your personal data that we process;
• Rectify inaccuracies in personal data that we hold about you;
• Be forgotten so that your details are removed from systems that we use to process your personal data;
• Restrict the processing in certain ways;
• Obtain a copy of your data in a commonly used electronic form; and
• Object to certain processing of your personal data by us.

If you wish to request a copy of the personal data held by the University about you or to correct any information we hold about you, contact the relevant department in the first instance.  If you have any further concerns about the accuracy of your personal data as held by the University or you want to submit a data subject request, contact the University’s Data Protection Officer.

Please see the Information Commissioner’s Office web site (https://ico.org.uk) for further information about your data privacy rights. You may also contact the Data Protection Officer for further information.

You have a right to complain to the Information Commissioner’s Office about the way in which we process your personal data. Please see https://ico.org.uk.

We will communicate with you by email, post, telephone and SMS. Please contact the relevant University department if you want to unsubscribe from these communications, change the method of communication that we use or are concerned about their content (e.g. unwanted marketing information).  Contact the Data Protection Officer, if you are unsuccessful in unsubscribing from our communications and/or remain concerned.

We use Cookies (that will collect your personal data) on our web pages. The Buckinghamshire New University website privacy statement explains how data may be gathered about users of the University’s website. The University’s privacy notices do not cover the links within the Buckinghamshire New University site which link to other external websites.

We regularly review the University’s privacy notices. We will communicate final changes to this notice to students via the most effective channels.

If you have any concerns with regards to the way your personal data is being processed or have a query with regard to this Notice, please contact our Data Protection Officer, Nicholas Roussel-Milner at dpofficer@bnu.ac.uk.

You also have a right to complain to the Information Commissioner’s Office about the way in which we process your personal data. Post: Information Commissioners Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK95AF. Tel: 0303 123 1113. https://ico.org.uk.