Research Participants, Supporters and Visitors Privacy Notice
This Privacy Notice applies to all research participants, supporters and visitors to the University.
Definitions
‘Research Participant’: Individuals who have agreed to participate in a research project through, for example, taking part in an experiment or trial, completing a survey, being interviewed, or providing information through other means for the purposes of research.
‘Supporters’: Individuals who support the University in its aims and objectives through, for example, being a Governor of the University, belonging to the College of Fellows, being an Alumnus of the University, belonging to a society, group or association hosted by the University.
‘Visitor’: Individuals who attend events organised by the University either on or away from the University Campus, who use the University’s facilities such as the Arena, Lakeside, or other sports facilities, who visit or access University facilities for any other reason.
What is the purpose of this document?
The University of Worcester (“The University”) (“we”, “our” or “us”) is committed to protecting the privacy and security of your personal information. The University is defined as the University of Worcester and its subsidiary companies: UW Developments Ltd, UW Enterprises Ltd and UW Worcester Wolves Ltd. This privacy notice describes how we collect and use personal information about you during and after your working relationship with us, in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, together the data protection legislation. It applies to all research participants, supporters of the University, visitors to the University, users of University facilities and attendees at University organised events held at the University or other venues. It is important that you read this notice.
The University is a "data controller". This means that we are responsible for deciding how we hold and use personal information about you. We are required under the data protection legislation to notify you of the information contained in this Privacy Notice.
This notice applies to all research participants, supporters of the University, visitors to the University, users of University facilities and attendees at University events held away from the University campus ("you" or "your"). This notice does not form part of any contract of employment or other contract to provide services. We will update this notice at any time.
This notice should be read in conjunction with the Research Participant, Supporter and Visitor Record of Processing Activities.
The University has also published separate notices, which are applicable to other groups and activities. These notices may also apply to you, depending on your circumstances, and it is important that you read this Privacy Notice together with other applicable Privacy Notices:
1. Employees, Workers and Contractors Privacy Notice
2. Student and Applicant Privacy Notice (this includes graduates of the University)
3. Website Privacy Notice (including how we monitor use of our website)
4. CCTV webpage (including information about how we use CCTV)
5. IT Regulations (which includes information about monitoring of network accounts - see Section 8)
This notice explains what personal data the University holds about you, how we share it, how long we keep it, and what your legal rights are in relation to it.
Contact Details
We are the University of Worcester, Henwick Grove, Worcester WR2 6AJ.
The University has a Data Protection Officer, whose contact details are: Helen Johnstone, Head of Information Assurance (infoassurance@worc.ac.uk).
If you need to contact us about your data in the first instance please contact your initial point of contact when you provided your data. For queries in relation to your various rights and the data we hold about you please contact the University's Data Protection Office.
We will comply with the data protection legislation. This says that the personal information we hold about you must be:
1. Used lawfully, fairly and in a transparent way.
2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
3. Relevant to the purposes we have told you about and limited only to those purposes.
4. Accurate and kept up to date.
5. Kept only as long as necessary for the purposes we have told you about.
6. Kept securely.
Personal data, or personal information, means any information relating to you as a living individual from which you can be identified. It does not include data where the identity has been removed (anonymous data). There are "Special Categories" of more sensitive personal data which require a higher level of protection.
The categories of personal information that we may collect, store, and use about you include (but are not limited to):
- The contact details that you provide to us, including names, titles, addresses, telephone numbers and personal email addresses;
- Personal details/data such as date of birth, gender, marital status etc;
- Family details such as next of kin and emergency contact information
- Lifestyle and social circumstances
- Your position, role, employer;
- Copies of passport, driving licence, visas and other immigration data;
- Details of any medical issues and/or disabilities that you have notified to us, including any consideration and decision on reasonable adjustments made as a result
- Equality monitoring data;
- Dietary requirements;
- Your financial details, including bank and building society account numbers, sort codes, BACS IDs, NI numbers;
- Attendance data including completion, accreditations and certifications;
- Visual images, personal appearance and behaviour/photographs, audio and video recording (including CCTV);
- Computing and email information including access to our network;
We may, depending on the nature of your interaction with the University, also collect, store and use the following ‘special categories’ of more sensitive personal information:
- Information about your race, ethnicity (including nationality), religious or philosophical beliefs, political opinions and sexual orientation;
- Information about your trade union membership;
- Information about your health, including any medical condition or disability and health and sickness records.
Further categories of data that we hold in relation to you are set out in our Record of Processing Activity.
The law requires that we provide you with information about the lawful basis on which we process your personal data, and for what purposes.
Most commonly for research participants we will process your data where this is necessary for the performance of a task carried out in the public interest (if the research is funded by a public body) or we will process your data where this is necessary for the purposes of the legitimate interests pursued by the University or by a third party (if the research is funded by a commercial entity).
Most commonly, for visitors to the University and users of the University's facilities, we will process your data on the basis of your consent.
We may also use your data, typically in an emergency, where this is necessary to protect your vital interests, or someone else's vital interests.
In a small number of cases we may process your data on the following lawful grounds:
- Where it is necessary to perform the contract we have entered into with you;
- Where it is necessary for the performance of a task in the public interest;
- Where it is necessary to comply with a legal obligation;
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override these interests.
How we apply further protection in the case of "Special Categories" of personal data.
"Special Categories" of particularly sensitive personal data require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal data.
The Special Categories of personal data consist of data revealing:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership.
They also consist of the processing of:
- genetic data
- biometric data for the purpose of uniquely identifying someone;
- data concerning health;
- data concerning someone's sex life or sexual orientation.
We may process Special Categories of personal data in the following circumstances:
- With your explicit written consent;
- Where it is necessary in the substantial public interest, in particular:
  - necessary for the purposes of the prevention or detection of an unlawful act and must be carried out without your consent so as not to prejudice those purposes; or
  - for equal opportunities monitoring;
- Where it is necessary for archiving purposes in the public interest, or for scientific or historical research purposes, or statistical purposes, subject to further safeguards for your fundamental rights and interests specified in law.
Less commonly, we may process this type of data where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else's interests) and you are not capable of giving your consent, or where you have already made the data public.
Criminal Convictions and allegations of criminal activity
Further legal controls apply to data relating to criminal convictions and allegations of criminal activity. We may process such data on the same grounds as those identified for "Special Categories" referred to above.
We have prepared a Record of Processing Activities setting out the processing activities that we undertake, the source of the data, the reasons why we process it, how long we keep it and the lawful basis we rely on.
Details about the relevant processing activity will be included on the specific Privacy Notice relevant to your interaction with the University.
You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.
We do not, and will not, sell your data to third parties. We may have to share your data with third parties, including third-party service providers and partner organisations (as detailed below). We require third parties to respect the security of your data and to treat it in accordance with the law.
Which third party service providers process my personal information?
"Third parties" include third party service providers (including contractors and designated agencies) and other entities within the University Group.
Examples of bodies to whom we are required by law to disclose certain data include, but are not limited to:
Organisation | Why?
The Office for Students (OfS) (formerly HEFCE) | Data submitted as part of the University's registration process (in relation to the governing body)
Examples of bodies to whom we may voluntarily disclose data, in appropriate circumstances, include but are not limited to:
Organisation | Why?
Other legal entities within the "University Group" | We will share your personal information with other entities in the University Group as part of our regular reporting activities on company performance, in the context of business reorganisation or the University Group restructuring exercise, for system maintenance support and hosting of data.
Agencies with responsibilities for the prevention and detection of crime, apprehension and prosecution of offenders or collection of a tax or duty | For the prevention, detection or investigation of crime, for the location and/or apprehension of offenders, for the protection of the public, and/or support national interest.
The University's Alumni Association | In order to facilitate your membership of the Alumni Association.
Third party service providers | To facilitate activities of the University including activities that are carried out by third party service providers and partner organisations. Any transfer will be subject to an appropriate formal agreement between the University and the third party service provider.
Where information is shared with third parties, we will seek to share the minimum amount of information necessary to fulfill the purpose.
How secure is my information with third party service providers and other entities in the University Group?
All our third party service providers and other entities in the University Group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow third party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes (as written in the contract between us) and in accordance with our instructions.
We have put in place measures to protect the security of your information. Details of these measures are available upon request. Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors or other third parties who have a business requirement to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. Details of these measures may be obtained from the Data Protection Officer [Helen Johnstone, Head of Information Assurance email: infoassurance@worc.ac.uk].
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
Sharing your data outside the European Union
The law provides various further safeguards where data is transferred outside of the EU.
When you are resident outside the EU in a country where there is no "adequacy decision" (a country outside the EU that ensures an adequate level of data protection due to its domestic laws or international commitments) by the European Commission, and an alternative safeguard is not available, we may still transfer data to you which is necessary for performance of any contract with you.
We intend to transfer the following information about you to the following countries:
Country | Recipient | Type of Data
USA | Various IT service providers | Electronic contact details to allow access to University IT provision, ticket purpose etc
In the case of the USA the providers used by the University are part of the EU Privacy Shield Framework which means the Commission has decided that it has an adequate level of protection for personal data for the time being.
How long we keep your data
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Details of retention periods for different aspects of your personal information are available in our Records and Document Retention Schedule.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirement.
Retention periods may increase as a result of legislative changes e.g. an increase in limitation periods for legal claims would mean that the University is required to retain certain categories of personal data for longer. Any such changes will be reflected in updated versions of the Records and Document Retention Schedule, which is reviewed on a three-year basis.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. We may keep anonymised statistical data indefinitely.
Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with the University.
Your rights in connection with personal information
Where we are processing your personal information on the basis of your consent, you always have the right to withdraw that consent.
Under certain circumstances, by law you have the right to:
• Request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
• Request correction of the personal information that we hold about you. This enables you to ask us to correct any incomplete or inaccurate information we hold about you.
• Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
• Object to processing of your personal information where we are processing your information on the basis of our legitimate interest (or that of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes. The lawful basis for any particular processing activity we carry out is set out in our detailed table of processing activities.
• Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
• Suspend processing of your personal information, for example if you want us to establish the accuracy of the data we are processing.
• Object to any direct marketing (for example, email marketing or phone calls) by us, and to require us to stop such marketing.
• Object to any automated decision-making about you which produces legal effects or otherwise significantly affects you.
• Request the transfer of your personal information to another party.
Please be aware that these rights are subject to certain conditions and exceptions as set out in the data protection legislation.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the Data Protection Officer [Helen Johnstone, Head of Information Assurance email: infoassurance@worc.ac.uk] in writing and they will explain any conditions that may apply.
Further guidance on your rights is available from the Information Commissioner’s Office (https://ico.org.uk/). You may also wish to contact the University’s Data Protection Officer [Helen Johnstone, Head of Information Assurance email: infoassurance@worc.ac.uk] if you are considering how or whether to exercise your rights.
You have the right to complain to the UK’s supervisory office for data protection, the Information Commissioner’s Office, if you believe that your data has been processed unlawfully.
No fee usually required
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact Information Assurance (infoassurance@worc.ac.uk). Once we have received notification that you have withdrawn your consent, we will no longer process your information.
We may need to update this notice from time to time, for example if the law or regulatory requirements change, if technology changes or to make the University’s operations and procedures more efficient. If the change is material, we will give you not less than two months’ notice of the change so that you can exercise your rights, if appropriate, before the change comes into effect. An updated Privacy Notice will be published on the University webpages.
Contact Details
Information Governance
Edward Elgar Building
University of Worcester
Henwick Grove
Worcester WR2 6AJ
Email: infoassurance@worc.ac.uk
Tel: 01905 543032/ 01905 855014