Skip to main content
Governance
Aerial View of Geography Campus 2018

Privacy Notice - Students

Durham University’s responsibilities under data protection legislation include the duty to ensure that we provide individuals with information about how we process personal data. We do this in several ways, one of which is the publication of privacy notices. This privacy notice provides a general description of the broad range of processing activity, in addition there are tailored privacy notices covering some specific processing activity.

Data Controller

The Data Controller is Durham University. If you would like more information about how the University uses your personal data, please see the University’s Information Governance pages or contact:

Email: info.access@durham.ac.uk 

Data Protection Officer

The Data Protection Officer is responsible for advising the University on compliance with Data Protection legislation and monitoring its performance against it. If you have any concerns regarding the way in which the University is processing your personal data, please contact:

Andrew Ladd, email: info.access@durham.ac.uk 

Retention

The University keeps personal data for as long as it is needed for the purpose for which it was originally collected. Most of these time periods are set out in the University Records Retention Schedule.

What we use your data for

You have the right to be provided with information about how and why we process your personal data. We will only process data where we have a lawful reason to do so. The University processes your data prior to, during and for a period after a programme of study under the basis of a contract with you.

Lawful Basis Purpose of Processing
Contract
  • Administration of your application to the University to determine any support requirements/arrangements to enable you to study at the University (using special category data where necessary) which can include the processing of criminal convictions data, DBS checking and health information.
  • Academic assessment and progression
  • Maintaining an academic record including qualifications
  • Providing access to services including counselling, careers advice, services for students with disabilities, IT, Library and other facilities
  • The University logs information about use of IT facilities for statistical purposes, to ensure effective systems operations and to ensure legal compliance relating to software usage. The University may also monitor electronic communications to ensure that they are being used in accordance with the University’s Policy and Regulations for the Use of University IT Facilities and, specifically, to prevent or detect crime.
  • Processing ID for security purposes
  • Administration of payments, such as fees
  • Providing reports to your sponsor (if any) including Student Loans Company or funding organisation
  • Providing facilities, such as the IT service and Library service
  • Administration of complaints, misconduct, disciplinary, appeals and other similar processes including voice recording of meetings where consent is given
  • Provision and administration of accommodation, catering and other services related to accommodating you
  • Contacting students electronically, such as by SMS text messaging, to forward high priority or emergency information
  • Sharing your personal data with organisations contracted to work on behalf of the University, which could include its insurers or legal consultants. In certain circumstances the University passes personal data of student debtors to an external debt collection agency if we have been unable to recover the debt by normal internal processes. The University may also disclose data to auditors undertaking investigations, selected individuals acting on behalf of the University such as alumni organising alumni events, external organisations undertaking market research or academic researchers provided no personal data is published.
  • Registration with Computing and Information Services (CIS) means that a student’s name and email address will appear in the University's Global email system. This is only available to users of the email system and is not publicly available. Students email addresses will be shared internally for learning purposes.
  • Where a student’s course of study at the University requires study, employment or a placement at another organisation it will be necessary for the University to transfer personal data to the external university or employer, whether this is within the UK or abroad. Students should be aware that some countries outside of the EEA have lower standards for the protection of personal data that those within the EEA however adequate safeguards will be put in place by the University in such instances.
  • The Business School will provide information to the following for the purpose of accreditation and membership of the professional bodies
    Chartered Institute of Logistics and Transport (CILT)
    Chartered Institute of Personnel and Development (CIPD)
    Chartered Institute of Management Accountants (CIMA)
    Chartered Institute of Marketing (CIM)
    Chartered Management Institute (CMI)
    Institute of Chartered Accountants in England and Wales (ICAEW)
    EQUIS
    Association of MBAs (AMBA)
    Association to Advance Collegiate Schools of Business (AACSB)
  • A digital image for reproduction on University campus card, which will be used for the purpose of identification and attached to electronic student records that can be viewed by University staff.
  • Direct mailing of or about (i) student benefits and opportunities offered by or through the University and (ii) University activities and events organised for students.
Public Task
  • Our basis in law is s124 of the Education Reform Act, which states that a higher education corporation has the power to provide higher education, to carry out research and do anything which appears to the corporation to be necessary to pursue its aims in this respect.
  • Research
  • Core details of each student are transferred to the University Archives and Special Collections for permanent preservation
  • Diversity Monitoring
Legal Obligation
  • The University processes your data where we need to comply with a legal obligation – where we are legally obliged to conduct an activity
  • The University will share your information with law enforcement agencies for the purpose of preventing and detecting crime, and may not be able to inform you of the sharing where this may compromise any investigation
  • The University will share data to the following and/or their nominees/successors: Office for Students (OfS); the Higher Education Statistics Agency (HESA); the Learning and Skills Council; the Quality Assurance Agency; the Department for Innovation, Universities and Skills; the European Audit Commission; local authorities; the Student Loans Company and Electoral Registration Officers.
  • Share student data with Council Tax Registration Officers and, where applicable, to the UK Visas and Immigration (UKVI)
  • Comply with obligations under the PREVENT strategy
  • Process information related to health for reasons of public health including the protection of the University community and the wider public (locally and nationally) from potential infection outbreaks.
  • Monitoring equal opportunities
  • Provide data about students on the Tier 4 Student Visa to the UK Visas and Immigration (UKVI) to fulfil our duties as an Approved Education Provider
Legitimate Interests
  • To improve the services we provide to you including organising events that may interest you
  • To provide information to you about goods or services we offer
  • To support marketing and brand related activity (which may include collecting some data about brand from social media and that might incidentally include personal data)
  • Photographing and recording events around the University including seminars for both training and marketing purposes
  • Fundraising and marketing (including postal appeals to friends and family of students)
  • Maintaining contact with alumni and past employees
  • The University will process a student’s personal data for the purpose of the prevention and detection of fraud, particularly plagiarism (this may involve disclosure to third parties e.g. in the use of plagiarism detection software). It may also process a student’s personal data during disciplinary procedures or academic appeals (this may involve disclosure to third parties e.g. to seek legal advice).
  • The Durham Students Union (DSU) is a separate legal entity from Durham University and therefore a separate data controller. The University shares student personal data with DSU for the Union to administer membership of DSU and its clubs and societies, to communicate with members, to hold elections of officers, to ensure the safety and security of members (including identification of individual members), to provide welfare services, to market services provided directly by DSU and to analyse DSU service provision and membership needs.
Consent
  • Where you have the choice to determine how your personal data will be used, we will ask you for consent. Whenever you give your consent for the processing of your personal data, you receive the right to withdraw that consent at any time.
  • In addition, we may provide you with a privacy notice in relation to specific uses of your data where this is appropriate. A privacy notice is a verbal or written statement that explains how we use personal data.
Vital Interests
  • Where the University believes it is necessary to protect the life of you or another person, we will use the vital interest’s lawful basis to process your personal data.  This may be to contact third parties, such as medical professionals or emergency contact, concerning the health of a student when it believes it is reasonable and/or in the best interests of the student to do so. The University will attempt to gain the prior consent from the student to do so but where consent cannot or will not be given it might act without consent.

Sensitive personal data

Some of the information we collect is sensitive personal data (also known as special categories of data). We process personal data that relates to your health (such as your medical information for example to help support you), and any criminal convictions and offences (for reasons of safeguarding). If we use sensitive personal data, we will usually do so on the legal basis that it is in the wider public interest (for example in relation to research), to establish, take or defend any legal action or, in some cases, that we have your permission (consent).

How we collect your data

Most of the personal information we process is provided to us directly by you. Often this will be actively provided by you for example by you filing in a form. In other situations, your data may be gathered with less active participation by you, for example we may record a Teams video call for business or research purposes, or capture device ID for technical reasons when connecting with the University network. You will be provided with notification of this.

We may also receive personal information indirectly:

  • For the purpose of student admissions and ongoing administration sources, include UCAS, funding bodies such as the Student Loans Company, US Loans, parents/guardians and schools/colleges.
  • For the purpose of support sources which include medical, health care professionals, psychologists, psychiatrists or those providing you with evidence of your disability or mental health.
  • For the purpose of conducting research data set sources which might include data in the public domain, including from the internet, data from domestic and international governmental bodies, including Department for Health, Department for Education, local authorities, other Universities. We may also use research data we collected ourselves for one project for another research project.

When we obtain personal data about you from third party sources, we will look to ensure that the third party can lawfully provide us with your personal data.

We may also share information with the same set of organisations for the purposes mentioned above.

Data handling

Where we are processing data using common cloud-based services or platforms (examples might include: Google, Skype, Teams or Zoom), it is possible a transfer of data outside of the EEA or UK may take place. In such cases appropriate protections will be in place (such as contractual arrangements designed to protect data).

We will also anonymise data, where it does not interfere with the reason for us handling the data, as soon as possible. For example: research participant data in large scale surveys will usually be anonymised as soon as possible after collection.

Research participant data will normally be anonymised if published however there will be some exceptions. Exceptions will be explained to participants where they apply for a particular project.

Anonymised data will be provided to UKRI relating to funding they provide.

Accessing your personal data

You have the right to be told whether we are processing your personal data and, if so, to be given a copy of it. This is known as the right of subject access.

You can find out more about this right on the University’s Subject Access Requests webpage. Right to rectification If you believe that personal data we hold about you is inaccurate, please contact us and we will investigate. You can also request that we complete any incomplete data. Once we have determined what we are going to do, we will contact you to let you know.

Right to erasure

You can ask us to erase your personal data in any of the following circumstances:

  • We no longer need the personal data for the purpose it was originally collected
  • You withdraw your consent and there is no other legal basis for the processing
  • You object to the processing and there are no overriding legitimate grounds for the processing
  • The personal data have been unlawfully processed
  • The personal data have to be erased for compliance with a legal obligation
  • The personal data have been collected in relation to the offer of information society services (information society services are online services such as banking or social media sites). Once we have determined whether we will erase the personal data, we will contact you to let you know.

Right to restriction of processing

You can ask us to restrict the processing of your personal data in the following circumstances:

  • You believe that the data is inaccurate and you want us to restrict processing until we determine whether it is indeed inaccurate
  • The processing is unlawful and you want us to restrict processing rather than erase it
  • We no longer need the data for the purpose we originally collected it but you need it in order to establish, exercise or defend a legal claim and
  • You have objected to the processing and you want us to restrict processing until we determine whether our legitimate interests in processing the data override your objection.
  • Once we have determined how we propose to restrict processing of the data, we will contact you to discuss and, where possible, agree this with you.

Making a complaint

If you are unsatisfied with the way in which we process your personal data, we ask that you let us know so that we can try and put things right. If we are not able to resolve issues to your satisfaction, you can refer the matter to the Information Commissioner’s Office (ICO). The ICO can be contacted at:

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Telephone: +44 (0)303 123 1113

Website: Information Commissioner’s Office

(Updated January 2025)