Student privacy policy

The information we hold about you may include, but is not limited to, the following:

• Personal details such as name, title, address, telephone number, email address, marital status, nationality, date of birth, legal sex and gender identity, ID Photograph, household income, parental status, details of dependants;
• Trusted contacts for emergencies (contact details you provide for a person, such as family member, friend or guardian, who can be contacted on your behalf in the event of a serious emergency);
• National Insurance number (where you have voluntarily provided it);
• Education and employment information, including the school(s), sixth form college(s) and other colleges or universities you have attended and places where you have worked, the courses you have completed, dates of study and examination results;
• Other personal and socio-economic background information collected during the admissions process, such as (but not limited to) whether you have been in care, have caring responsibilities, have a dependent child or children, your socio-economic classification, have any relevant criminal convictions, details of the occupation and education of your parents, stepparents or guardians, whether you have received financial support during your undergraduate degree, whether you have experienced homelessness or estrangement, and whether you are or have been a refugee, stateless person or an asylum applicant;
• Admissions records, including information such as your test and interview scores and admission decisions;
• Examination records, including records relating to assessments of your work, details of examinations taken, and your predicted and actual examination grades;
• Information captured in your student record including progression, achievement of milestones and progression reports;
• Visa, passport, and immigration information;
• Fees and financial support records (including records relating to the fees paid, Student Loans Company transactions and financial support, scholarships, and sponsorship);
• Supervision, teaching, and tutorial activities including engagement with online tools such as the VLE; and training needs analysis and skills acquisition records;
• Recordings of teaching and learning or research activities in which you were a participant;
• Placement and internship record or study at another institution as an established component of your course of studies, or career development opportunity;
• Your feedback on course provision, university services and the student experience, collected through surveys, focus groups and other activities;  
• Information about and arising from your engagement with University services including: the Language Centre, Careers Service, University sport facilities, Education Policy Support, the Proctors' Office and Student Welfare and Support Services;
• Information about your use of library facilities, including borrowing and fines;
• Information about your use of facilities and collections provided by the University’s museums and Botanic Garden;
• Information about your involvement in any University procedure and any underlying events/allegations giving rise to those procedures, including the disciplinary procedure (which includes academic and non-academic misconduct), the academic appeals, complaints, fitness to study, fitness to practise, fitness to teach and academic integrity procedures and applications for extensions, periods of suspension or dispensations from regulations;
• Information about any criminal convictions you may have or allegations of criminal behaviour which you disclose to us or which are brought to our attention by the police or third parties; 
• Attendance records at University degree and award ceremonies;
• Photographic data taken at events captured for the purpose of live streaming and future publicity materials;
• Information about your use of our information and communications systems, including your communication preferences and your website and system interaction (cookies and similar technologies); and
• Information gathered through CCTV and building access information.

As part of this, we may process the following "special categories" of more sensitive personal data:

• Information about your race or ethnicity, sexuality, and your religion and beliefs;
• Information about your health, including any disability and/or medical conditions;
• Information about criminal convictions and offences, including proceedings or allegations.

We collect the vast majority of the information directly from you, through the application process and during online registration. We may also collect additional information from third parties, including colleges, former schools and higher education institutions and their staff, and government departments and agencies, or information which is in the public domain. We will collect and generate additional information about you throughout the period of your study, as outlined in Section D.

We use your data for a number of purposes connected with your studies, including, but not limited, to the provision of: 

• teaching, academic assessment and supervision;
• welfare and pastoral support including ensuring the health and safety of students, staff and others; 
• funding and financial support; 
• support services (such as careers, language development, and sport);
• research related administration to support our equality responsibilities, quality assurance and planning processes; 
• the administration of University procedures, including in relation to discipline, complaints, appeals, academic integrity, fitness to practise, fitness to teach, fitness to study, applications for dispensations, extensions and/or suspension;
• supporting the provision of facilities and services, e.g. access to IT facilities, libraries, accommodation etc.; and
• understanding the educational and wider student experience, and evaluating the University’s projects and activities in relation to admissions, outreach, teaching and learning and the student experience.  

We set out below those circumstances where it is necessary for us to use your data. (These circumstances are not mutually exclusive; we may use the same information under more than one heading.)

F1. Because we have a contract with you

We need to process your data in order to meet our obligations or exercise rights under our contract with you. The terms of your contract with the University are available on our website. Information processed for this purpose includes, but is not limited to, the data listed in Section D.  We also need to process your data under this heading where the University is working with a third party in order to offer you services, for example, those offered by the Oxford University Student Union, sponsors (such as research councils) or scholarship benefactors. See Section H for further information on the sharing of data with third parties.

F2. Where it is necessary to meet a task in the public interest

As indicated above, we need to process your data for the purpose of teaching and related activities, such as academic assessment and supervision. This may include processing data within the Virtual Learning Environment Canvas (VLE). Information provided to regulatory bodies, including the General Medical Council and the OIA, is also provided for this purpose. Teaching and research are tasks that we perform in the public interest in order to fulfil our responsibility as a charity for promoting the advancement of learning. Information processed under this heading includes, but is not limited to, the data listed in Section D.

F3. Where we need to comply with a legal obligation

Information processed for this purpose includes, but is not limited to, information relating to the monitoring of equal opportunities and information provided to regulatory bodies including the General Medical Council and the OIA.  We are also required by law to provide data to the Higher Education Statistics Agency (HESA) which shares information with public authorities that are required to carry out their statutory and/or public functions.

During a pandemic, epidemic or local health emergency we may share limited information about you (e.g. your name and contact details) with the Colleges, Police, the UK Health Security Agency, the NHS, Oxfordshire County Council or Oxford City Council where necessary for the purposes of reducing the risk of infection, assisting such bodies, or complying with and preventing the breach of other connected legal requirements.

F4. Where it is necessary to meet our legitimate interests

We need to process your data in order to meet our legitimate interests relating to student administration, alumni relations, business continuity, or similar activities; or to meet the legitimate interests of others. Examples include, but are not limited to, the following:

• if you do not object, we share your contact details with the Oxford University Student Union. We do this to facilitate the operation of the student union as a representative body, which in turn helps the University to consult on student matters;
• we share the addresses of students living in private accommodation with Oxford City Council to enable the Council to exempt those students from Council Tax;
• we pass your home address to the University’s colleges to assist with their outreach projects;
• we use email addresses of overseas offer holders to invite them to make use of internationally based student societies to offer pre-arrival support;
• we may use email addresses to contact students to invite them to make use of opportunities related to their studies, and other university-related activities;
• we may use email addresses and nationality information to target specific communications to students likely to be affected by major incidents, e.g. natural disasters or conflicts in a specific country/region; 
• we use your phone and email address for system authentication and access;
• we pass your contact details to the University’s Alumni Office and Development Office so that they can contact you about their activities before you leave the University; and
• we use your data held within our student records systems for system testing, training and support purposes, allowing us to provide support to users across the University, and to maintain effective upkeep of our records systems.

F5. Where we have your consent

There may be situations where we ask for your consent to process your data, e.g. where we ask you to volunteer information about yourself for a survey or where we ask for your permission to share sensitive information. 

F6. Where it is necessary in order to protect your vital interests or the vital interests of another person

There may be circumstances in which it is necessary for us to process your data to protect an interest which is essential for your life or that of another person or where the processing serves important grounds of public interest and your vital interests - for example, humanitarian purposes or emergencies which may include monitoring epidemics and their spread or in situations where there is a risk of serious harm or death to yourself or others.

Your trusted contacts for emergencies may be used for this purpose. The decision to contact trusted contacts will be taken by senior officers (e.g. Senior Tutor, Head of House, Head of Department), and you will normally be informed. They will only contact your trusted contacts in limited circumstances, e.g. if you are at risk of serious harm including self-harm. The Guidance on Confidentiality in Student Health and Welfare document provides further details. 

If you fail to provide personal information under F1 or F3 above

If you fail to provide certain information when requested under the circumstances described in F1 and F3 above, we may not be able to meet our contractual obligations to you or comply with our other legal obligations.

Change of purpose

We will only process your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another related reason, and that reason is compatible with the original purpose. If we need to use your data for an unrelated purpose, we will seek your consent to use it for that new purpose.

Please note that we may process your data without your knowledge or consent, where this is required or permitted by law.

Special category data and criminal conviction data require a higher level of protection. Listed below are examples of processing activities that we regularly undertake in respect of these types of data. In addition to the activities listed below, it may sometimes be necessary to process this sort of information for exceptional reasons, for example, because it is necessary to protect your vital interests (including in relation to health and safety) or those of another person or for safeguarding purposes. This may include sharing such data with third parties as identified in section H below. In some instances (for example responding to a request from police investigating an alleged criminal offence) this may be necessary even if data has been provided to the University in confidence.

G1. Health (Including disability)

We will process data about your health where it is necessary to make reasonable adjustments for disability and/or to monitor equal opportunities, for example to arrange reasonable adjustments for examinations or use of facilities such as libraries, laboratories or accommodation. Processing of this nature is necessary to meet contractual or other legal obligations. We may also process data about your health in accordance with the terms of our contract with you, to protect our legitimate interests and/or to comply with legal obligations where it is relevant to a particular University procedure, including the disciplinary, complaints appeals, fitness to study, fitness to practise or fitness to teach procedures or in relation to an application you have made for a suspension, extension or dispensation, or where the outcome of such a procedure is referred to a regulatory body, such as the OIA or the General Medical Council (where such referral may also be for the purpose of fulfilling a task in the public interest). There may be situations where we ask for your explicit consent to process or share information about your health, e.g. as part of monitoring the performance of the Astrophoria Foundation Year scheme. There may also be limited circumstances where your health and safety, or that of others, is at serious risk where your health data may need to be shared whether or not you have given consent (subject to data minimisation, limiting recipients of such data to those people or agencies able to assist (e.g. NHS or emergency services staff) or pseudonymisation where possible). Examples of these limited circumstances include: (a) Where you are at risk of causing serious harm to yourself or others (e.g. threats or attempts at suicide or violence to yourself or others) and (b) as a result of testing positive for a serious infectious illness where urgent health and safety measures must be taken.

G2. Criminal conduct (including convictions, proceedings or allegations)

Data about relevant criminal convictions, including whether or not you have such a conviction, is gathered during the process of applying for a course with us once you have been offered a place. Data about barring decisions will only be collected if you have applied for and been accepted onto certain courses, and where we are legally required to do so. Processing of this nature is carried out in order to protect our legitimate interests including to protect members of the University community from a foreseeable risk of harm. For certain courses this processing is also necessary to meet our legal obligations. Such processing will be subject to suitable safeguards. We may also process data about criminal conduct while you are on course in accordance with the terms of our contract with you, in order to comply with our legal obligations or to meet our legitimate interests. This includes protecting other individuals from a foreseeable risk of harm, when such information is brought to our attention by the police or a third party, or where you disclose it. It also includes where it arises in the context of a University procedure, including our disciplinary, fitness to practise, fitness to teach or fitness to study procedures; or where a complaint about the outcome of such a procedure is referred to a regulatory body, such as the OIA or the General Medical Council (where such referral may also be for the purpose of fulfilling a task in the public interest). Such processing will be subject to suitable safeguards.

G3. Racial or ethnic origin, sexual orientation, and religion and beliefs

Data about your racial and ethnic origin, religion and beliefs, and sexual orientation will only be processed where you have volunteered it, including in order to identify your eligibility for certain scholarships in accordance with our legitimate interests, and/or where we need to process it in order to meet our statutory obligations under equality and/or other legislation. We may also process data about your racial or ethnic origin, sexual orientation, and/or religious belief in accordance with the terms of our contract with you, to protect our legitimate interests and/or to comply with legal obligations where it is relevant to a particular University procedure, including the disciplinary, complaints or appeals procedures (for example, in relation to an allegation of racially motivated harassment) or where the outcome of such a procedure is referred to a regulatory body, such as the OIA (where such referral may also be for the purpose of fulfilling a task in the public interest). This processing is considered to meet a substantial public interest, and will be subject to suitable safeguards.  

In order to perform our contractual and other legal responsibilities or purposes, we may, from time to time, need to share your information with the following types of organisation:

• Colleges; Private Permanent Halls (PPH) if you are a member of a college. Information will be shared regularly between the university and college to protect and enhance your student experience;
• Societies;
• Collaborative Provisions (or partnerships), e.g. with other higher education institutions; 
• The Oxford University Student Union and wholly-owned subsidiary companies of the Oxford University Student Union;
• External organisations providing services to us, such as for teaching timetabling services and the VLE;
• External organisations offering University-sponsored services, including student surveys;
• Your funders and/or sponsors, including the Student Loans Company and research councils;
• If you have or are seeking a particular relationship with a third party, for example, other universities, schools, health care providers, your referees or others we contact in connection with verifying information provided in your application or providers of external training and placements;
• Employers or prospective employers and other educational institutions;
• The Higher Education Statistics Agency (HESA).  HESA uses your data to provide information on higher education and shares your data with public authorities to carry out statutory or public functions. Further information on how HESA uses this data is available from the HESA website;
• Any relevant professional statutory regulatory bodies, including the General Medical Council;
• The Office for the Independent Adjudicator (OIA);
• Relevant public bodies, including but not limited to the UK Home Office; HM Revenue and Customs; and local authorities;
• The University's appointed auditors, as required for the purposes of their audit; 
• The National Health Service or other medical practitioners (to support medical provision);
• Contractors engaged for health and safety purposes to advise on protection of your health, and/or that of others, during any pandemic, epidemic or local health emergency (e.g. contractors engaged in testing and tracing or in implementing consequential health and safety measures).

Where information is shared with third parties, we will seek to share the minimum amount necessary. For example, we may in appropriate cases share only your student number and not your name (this is known as pseudonymisation).

All third-party service providers that process data on our behalf are required to take appropriate security measures to protect your data in line with our policies. We do not allow them to use your data for their own purposes. We permit them to process your data only for specified purposes and in accordance with our instructions.

There may be occasions when we transfer your data overseas, for example, if we communicate with you using a cloud based service provider that operates outside the UK or for scholarships where selection takes place overseas, or returns to bodies overseas such as those offering international opportunities. Such transfers will only take place if one of the following applies:

• the country receiving the data is considered by the UK to provide an adequate level of data protection;
• the organisation receiving the data is covered by an arrangement recognised by the UK as providing an adequate standard of data protection;
• the transfer is governed by approved contractual clauses;
• the transfer has your consent;
• the transfer is necessary for the performance of a contract with you or to take steps requested by you prior to entering into that contract;
• the transfer is necessary for the performance of a contract with another person, which is in your interests; 
• the transfer is necessary in order to protect your vital interests or of those of other persons, where you or other persons are incapable of giving consent;
• the transfer is necessary for the exercise of legal claims; or
• the transfer is necessary for important reasons of public interest.

We may display your name, department and University email address on our websites, which are accessible to internet users, including those in countries overseas.

We have put in place measures to protect the security of your information. Details of these measures are available from the University’s Information Security website.

Third parties that process data on our behalf will do so only on our instructions and where they have agreed to keep it secure.

We will retain your data only for as long as we need it to meet our purposes, including any relating to legal, accounting, or reporting requirements.  

Details of the retention periods for different types of student data are available on the University compliance webpages.

Under certain circumstances, by law you have the right to:

• Request access to your data (commonly known as a “subject access request"). This enables you to receive a copy of your data and to check that we are lawfully processing it.
• Request correction of your data. This enables you to ask us to correct any incomplete or inaccurate information we hold about you.
• Request erasure of your data. This enables you to ask us to delete or remove your data under certain circumstances, for example, if you consider that there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your data where you have exercised your right to object to processing (see below).
• Object to processing of your data where we are processing it meet our public interest tasks or legitimate interests (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your data for direct marketing purposes.
• Request the restriction of processing of your data. This enables you to ask us to suspend the processing of your data, for example if you want us to establish its accuracy or the reason for processing it.
• Request the transfer of your data to another party.

Depending on the circumstances and the nature of your request it may not be possible for us to do what you have asked, for example, where there is a statutory or contractual requirement for us to process your data and it would not be possible to fulfil our legal obligations if we were to stop.  However, where you have consented to the processing, you can withdraw your consent at any time by emailing the relevant department. In this event, we will stop the processing as soon as we can.  If you choose to withdraw consent it will not invalidate past processing. Further information on your rights is available from the Information Commissioner’s Office (ICO).

If you want to exercise any of the rights described above or are dissatisfied with the way we have used your information, please contact the University’s Information Compliance Team at data.protection@admin.ox.ac.uk. The same email address may be used to contact the University’s Data Protection Officer. We will seek to deal with your request without undue delay, and in any event in accordance with the requirements of the UK GDPR. Please note that we may keep a record of your communications to help us resolve any issues which you raise.

If you remain dissatisfied, you have the right to lodge a complaint with the ICO at https://ico.org.uk/concerns/.

It is your responsibility to check and ensure that your personal data is kept up-to-date. This is important in enabling us to be certain that the data we hold about you is accurate and current.

We reserve the right to update this privacy policy at any time, and will seek to inform you of any substantial changes. We may also notify you in other ways from time to time about the processing of your personal data.