Student Life Privacy Notice

Student Life include information, advice and guidance services as well as therapeutic support such as counselling, and practical assistance such as non-medical help (NMH).

The service areas include:

• Reception support and information
• General information, advice and guidance about courses, events, policies, procedures, services and facilities
• Finance advice and guidance
• Pastoral support and peer mentoring
• International exchange programmes
• International pastoral support, advice and guidance
• Disability and wellbeing services  
• Non-Medical Help (NMH), for example specialist mental health mentoring or note-taking
• Learning Difficulties diagnostic assessment
• Counselling
• Safeguarding
• Liaison with employers and external agencies

The University processes personal data in accordance with our obligations under the UK General Data Protection Regulations (‘GDPR’). This notice is written to comply with requirements under GDPR (as they are known). We will review and update this notice annually and publish any revisions via the website.

We will normally collect or process personal sensitive information only (i) where we need the personal information to perform a contract with you, or (ii) where the processing is in our legitimate interests and not overridden by your rights or (iii) where we have your consent to do so. In some cases, we may also have a legal obligation to collect and process personal information. It is recognised that some of the grounds outlined here will overlap and Student Life could rely on multiple grounds to justify its lawful processing.

If we ask you to provide personal information to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and advise you whether the provision of your personal information is mandatory or not (as well as the possible consequences if you do not provide your information).

Data sharing

Staff within the University

Student Life staff may inform relevant staff as appropriate (e.g. your Tutor / Personal Tutor and/or Course Administrator), that you are accessing services without giving further details of your circumstances. This is to help coordinate with your programme of study and to enhance your overall University experience, but you can ask that this information is not shared.

There may be instances where it could benefit you to share more detailed information with appropriate staff within the University. If this is thought to be necessary, we would discuss with you what was felt appropriate to share and seek your agreement in advance. Information would only ever be shared with legitimate reason and on justifiable grounds.

Staff routinely work with external professionals, such as local NHS healthcare providers and the police. The same general principles of sharing information apply; students will be asked in advance to provide their agreement for us to discuss their situation with external professionals.

External Third Parties

The UK General Data Protection Regulation (GDPR) and University policy prohibit disclosure of an individual’s information to a third party, unless there is a legal basis to do so. This means that staff members cannot give information about a student currently studying at the University to a third party. This includes parents, other family members and friends, for example.

If a parent, guardian or carer makes contact with any University staff member to enquire about you, staff will not be able to divulge any details concerning you or your engagement at the university, such as your academic progress, wellbeing or attendance, for example. For this reason, we encourage parents and students to keep in regular contact with each other.

In general, students are expected to act on their own behalf when dealing with offices and departments within the University, and when requesting services. Parents, guardians or other individuals will not normally be allowed to make requests, or otherwise act on behalf of the student.

An exception is made through our ‘opt in’ scheme. We ask students to opt-in and give consent for us to contact a designated, trusted individual in situations where we have serious or grave concerns about your wellbeing or mental health.

The UK General Data Protection Regulation does permit the University to disclose information in certain exceptional circumstances; these are usually life or death situations. The University’s ‘opt-in’ scheme enables you to identify and give consent for the University to inform either an ‘emergency’ or ‘wellbeing’ contact when there are serious concerns about your wellbeing. If you are presenting as at grave risk, the routine need to obtain consent before disclosing data may be waived and we will contact your Wellbeing Contact with some caveats:

1. You have provided Wellbeing Contact details, these are assigned by you and are your responsibility to keep up to date;
2. If you are experiencing difficulty but are not at immediate or grave risk, and you or University staff identify that input from the Wellbeing Contact could be helpful; we will seek your permission to make contact. If you agree, the Wellbeing Contact will be contacted, usually with you present.

If you are believed to be in grave danger, missing and/or unresponsive or are believed to lack capacity; we are able to use the Wellbeing Contact even if you are unable to give permission. The decision to contact a Wellbeing Contact will be taken by two managers and will be based on the agreement that communication with the nominated contact is necessary in order to protect yours or others vital interests. These circumstances are very rare, but when they occur the most common causes of this necessary communication are where a student has been reported missing and is believed to be at risk or where a student is unresponsive and has been taken by emergency transportation to hospital.

Information about the opt-in scheme can be found on our website – Student wellbeing and communication with families.

Data Sharing with third party organisations

Student Life use some third-party services to assist in the delivery of services to you to fulfil our educational mission. We carefully select third parties to work with and undertake due diligence to check that they will process your data for the specified purposes and we expect that they treat it in accordance with UK GDPR and the law.  Examples of third-party services we enlist include:

• Blackbullion - Financial literacy platform and funding tool (Privacy Notice)
• SilverCloud -  Online Cognitive Behavioural Therapy (CBT) Well-being Programmes (Privacy Notice)
• QS Dyslexia Tests - Quickscreen screening tool (Privacy Notice)
• Department of Health and Social Care (DHSC) - LFD Collect, home test kit collection centre (Privacy Notice)

We have no control over, and are not responsible for, the privacy policies and practices of other third parties.  As such, when using these services, you will be prompted to agree to their Privacy Policy and to give consent to share your information. The University will act as a Data Controller for the personal data third-party services share with us.

Signposting to other websites and/or services

Whilst we endeavour to ensure the content and relevance of external websites is correct, we cannot be held responsible for the privacy policies of other sites. Please do not assume that external websites follow our Privacy Notice.

Exemptions to GDPR obligations when data sharing

On rare occasions, we may need to share your data without your knowledge or consent, for other reasons that are exempt from the GDPR’s transparency obligations. We will always endeavour to balance respect for your individual rights and proportionate measures to safeguard:

• Public and/or national security;
• Prevention investigation, detection or prosecution of criminal offences;
• Breaches of ethics in regulated professions; and
• Protection of the vital interests, rights and freedoms of others, for example.

You have the right to privacy of personal and sensitive data. Access to all user data within the University whether on paper, computer files or other storage, is strictly controlled. All staff within Student Life regard personal data as confidential and will only access the data on a need to know basis as required in order to provide a professional service.

Within Student Life access to data is restricted on the basis of an individual member of staff's roles and responsibilities. Ordinarily staff will only be able to access the data within the team(s) they work in and only the data that is necessary for them to fulfil their role effectively.

Information will be treated confidentially, except where there is a legal basis for sharing information.

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.  In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer a student we will retain or securely destroy your personal information in accordance with our Data Retention Schedule.