The University of Oxford is committed to protecting the privacy and security of your personal information (‘personal data’).
Information about how we use the data of former students for alumni relations or fund raising purposes is covered in a separate document. In addition, each college will have its own privacy notice.
 ‘College’ means any college or Permanent Private Hall
Where we refer in this policy to your ‘personal data’, we mean any recorded information that is about you and from which you can be identified, whether directly or indirectly. It does not include data where your identity has been removed (anonymous data).
Where we refer to the ‘processing’ of your personal data, we mean anything that we do with that information, including collection, use, storage, disclosure, deletion or retention.
The University of Oxford is the “data controller" for the information that we hold about you as a student or former student. This means that we decide how to use it and are responsible for looking after it in accordance with the GDPR.
Access to your student record and other data will be provided to the academic and support staff, including those based in your college, who need to view it as part of their work in carrying out the purposes set out in Section F. It will also be shared with the third parties described in Section H.
 The University’s legal title is the Chancellor, Masters and Scholars of the University of Oxford
The information we hold about you may include, but is not limited to, the following:
As part of this, we may process the following "special categories" of more sensitive personal data:
We collect the vast majority of the information directly from you, through the application process and during on line registration. We may also collect additional information from third parties, including colleges, former schools and higher education institutions, and government departments and agencies, or information which is in the public domain. We will collect and generate additional information about you throughout the period of your study.
We process your data for a number of purposes connected with your studies, including, but not limited, to the provision of:
We set out below those circumstances where it is necessary for us to process your data. (These circumstances are not mutually exclusive; we may use the same information under more than one heading.)
1. Because we have a contract with you
We need to process your data in order to meet our obligations or exercise rights under our contract with you. Information processed for this purpose includes, but is not limited to, the data listed in section D. We also need to process your data under this heading where the University is working with a third party in order to offer you services, for example, those offered by the Oxford University Student Union, sponsors (such as research councils) or scholarship benefactors. See section H for further information on the sharing of data with third parties.
2. Where it is necessary to meet a task in the public interest
As indicated above, we need to process your data for the purpose of teaching and related activities, such as academic assessment and supervision. Information provided to regulatory bodies, including the General Medical Council and the OIA, is also provided for this purpose. Teaching is a task that we perform in the public interest in order to fulfil our responsibility as a charity for promoting the advancement of learning. Information processed under this heading includes, but is not limited to, the data listed in section D.
3. Where we need to comply with a legal obligation
Information processed for this purpose includes, but is not limited to, information relating to the monitoring of equal opportunities and information provided to regulatory bodies including the General Medical Council and the OIA. We are also required by law to provide data to the Higher Education Statistics Agency (HESA) which shares information with public authorities that are required to carry out their statutory and/or public functions.
In addition, in circumstances of a pandemic (including Covid-19), epidemic or local health emergency we may share limited information about students (e.g. names and addresses living at particular properties and other contact details) with the Colleges, Police, Public Health England, the NHS, Oxfordshire County Council or Oxford City Council where required or necessary for the purposes of reducing the risk of infection or assisting such bodies with enforcement of statutory regulations or other legal requirements connected to preservation of public health, reducing the risk of infection, and preventing or deterring activities which breach such regulations or legal requirements.
4. Where it is necessary to meet our legitimate interests
We need to process your data in order to meet our legitimate interests relating to student administration, alumni relations, business continuity or similar activities; or to meet the legitimate interests of others. Examples include, but are not limited to, the following:
5. Where we have your consent
There may be situations where we ask for your consent to process your data e.g. where we ask you to volunteer information about yourself for a survey or where we ask for your permission to share sensitive information.
6. Where it is necessary in order to protect your vital interests or the vital interests of another person
There may be circumstances in which it is necessary for us to process your data to protect an interest which is essential for your life or that of another person or where the processing serves important grounds of public interest and your vital interests for example, humanitarian purposes which may include monitoring epidemics and their spread or in situations of humanitarian emergencies where there is a risk of serious harm or death to yourself or others.
If you fail to provide personal information under F1 or F3 above
If you fail to provide certain information when requested under the circumstances described in F1 and F3 above, we may not be able to meet our contractual obligations to you or comply with our other legal obligations.
Change of purpose
We will only process your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another related reason and that reason is compatible with the original purpose. If we need to use your data for an unrelated purpose, we will seek your consent to use it for that new purpose.
Please note that we may process your data without your knowledge or consent, where this is required or permitted by law.
Special category data and criminal conviction data require a higher level of protection. Listed below are examples of processing activities that we regularly undertake in respect of these types of data. In addition to the activities listed below, it may sometimes be necessary to process this sort of information for exceptional reasons, for example, because it is necessary to protect your vital interests (including in relation to health and safety) or those of another person or for safeguarding purposes.
(a) Health (Including disability)
We will process data about your health where it is necessary to make reasonable adjustments for disability and/or to monitor equal opportunities. Processing of this nature is necessary to meet contractual or other legal obligations. We may also process data about your health to in accordance with the terms of our contract with you, to protect our legitimate interests and/or to comply with legal obligations where it is relevant to a particular University procedure, including the disciplinary, complaints appeals, fitness to study, fitness to practise or fitness to teach procedures or in relation to an application you have made for a suspension, extension or dispensation, or where the outcome of such a procedure is referred to a regulatory body, such as the OIA or the General Medical Council (where such referral may also be for the purpose of fulfilling a task in the public interest). There may be situations where we ask for your explicit consent to share information about your health. There may also be limited circumstances where your health and safety, or that of others, is at serious risk where your health data may need to be shared whether or not you have given consent (subject to data minimisation, limiting recipients of such data to those people or agencies able to assist (e.g. NHS or emergency services staff) or pseudonimisation of your data where possible), Examples of these limited circumstances include: (a) Where you are at risk of causing serious harm to yourself or others (e.g. threats or attempts at suicide or violence to yourself or others) and (b) as a result of testing positive for Covid-19 (or any other serious infectious illness) where track and trace or other urgent health and safety measures must be taken.
(b) Criminal conduct (including convictions, proceedings or allegations)
Data about certain unspent criminal convictions, including whether or not you have such a conviction, is gathered during the process of applying for a course with us once you have been offered a place. Data about barring decisions will only be collected if you have applied for and been accepted onto certain courses, and where we are legally required to do so. Processing of this nature is carried out in order to protect our legitimate interests including to protect members of the University community from a foreseeable risk of harm. For certain courses this processing is also necessary to meet our legal obligations. Such processing will be subject to suitable safeguards. We may also process data about criminal conduct while you are on course in accordance with the terms of our contract with you, in order to comply with our legal obligations or to meet our legitimate interests, including protecting other individuals from a foreseeable risk of harm, under our disciplinary, fitness to practise, fitness to teach or fitness to study purposes or where a complaint about the outcome of such a procedure is referred to a regulatory body, such as the OIA or the General Medical Council (where such referral may also be for the purpose of fulfilling a task in the public interest). Such processing will be subject to suitable safeguards.
(c) Racial or ethnic origin, sexual orientation, and religious belief
Data about your racial and ethnic origin, religious belief and sexual orientation will only be processed where you have volunteered it, including in order to identify your eligibility for certain scholarships in accordance with our legitimate interests, and/or where we need to process it in order to meet our statutory obligations under equality and/or other legislation. We may also process data about your racial or ethnic origin, sexual origin and/or religious belief in accordance with the terms of our contract with you, to protect our legitimate interests and/or to comply with legal obligations where it is relevant to a particular University procedure, including the disciplinary, complaints or appeals procedures (for example, in relation to an allegation of racially motivated harassment) or where the outcome of such a procedure is referred to a regulatory body, such as the OIA (where such referral may also be for the purpose of fulfilling a task in the public interest). This processing is considered to meet a substantial public interest, and will be subject to suitable safeguards.
In order to perform our contractual and other legal responsibilities or purposes, we may, from time to time, need to share your information with the following types of organisation:
Where information is shared with third parties, we will seek to share the minimum amount necessary. For example, we may in appropriate cases share only your student number and not your name (this is known as pseudonymisation).
All third-party service providers that process data on our behalf are required to take appropriate security measures to protect your data in line with our policies. We do not allow them to use your data for their own purposes. We permit them to process your data only for specified purposes and in accordance with our instructions.
 For more information on Recognised Independent Centres visit http://www.ox.ac.uk/about/rics
There may be occasions when we transfer your data overseas, for example, if we communicate with you using a cloud based service provider that operates outside the EEA or for scholarships where selection takes place overseas, or returns to bodies overseas such as those offering international opportunities. Such transfers will only take place if one of the following applies:
We may display your University email address on our websites, which are accessible to internet users, including those in countries overseas.
We have put in place measures to protect the security of your information. Details of these measures are available from the University’s Information Security website.
Third parties that process data on our behalf will do so only on our instructions and where they have agreed to keep it secure.
We will retain your data only for as long as we need it to meet our purposes, including any relating to legal, accounting, or reporting requirements.
Details of the retention periods for different types of student data are available here.
Under certain circumstances, by law you have the right to:
Depending on the circumstances and the nature of your request it may not be possible for us to do what you have asked, for example, where there is a statutory or contractual requirement for us to process your data and it would not be possible to fulfil our legal obligations if we were to stop. However, where you have consented to the processing, you can withdraw your consent at any time by emailing the relevant department. In this event, we will stop the processing as soon as we can. If you choose to withdraw consent it will not invalidate past processing. Further information on your rights is available from the Information Commissioner’s Office (ICO).
If you want to exercise any of the rights described above or are dissatisfied with the way we have used your information, please contact the University’s Information Compliance Team at firstname.lastname@example.org. The same email address may be used to contact the University’s Data Protection Officer. We will seek to deal with your request without undue delay, and in any event in accordance with the requirements of the GDPR. Please note that we may keep a record of your communications to help us resolve any issues which you raise.
If you remain dissatisfied, you have the right to lodge a complaint with the ICO at https://ico.org.uk/concerns/.
It is your responsibility to check and ensure that your personal data is kept up-to-date. This is important in enabling us to be certain that the data we hold about you is accurate and current.
Data Protection Enquiries
Tel: (01865 2)70285