Privacy Notice and Cookie Policy
We comply with the EU's General Data Protection Regulation (GDPR) and The Data Protection Act 2018 from 25 May 2018.
Introduction
The University of Winchester values your privacy and recognises its need to process the personal information we hold about you in a fair and lawful manner.
This notice informs you about how and why your personal data will be used. It provides you with specific information that must be supplied to meet all current data protection legislation.
To ensure it complies with legislation the University has appointed a Senior Information Risk Owner (SIRO) – this role is assigned to the Chief Operating Officer. The SIRO has oversight of the Data Protection Officer and the Information Compliance Officer who ensure that the details of this notice are upheld. If you have questions about any part of this notice, in the first instance please contact DPO@winchester.ac.uk.
As a Data Controller the University is registered with the Information Commissioner’s Office, the data regulator for the UK. The University’s registration number is: Z7593866.
Definitions
“Data” refers to the information that we hold about you from which, either on its own or in combination with other information, you can be identified. This can include names, contact details, photographs, identification numbers, online identifiers and expressions of opinion about you or indications as to our intentions about you.
"Processing" means the University doing anything with your data, such as collecting, recording or holding the data, as well as disclosing, destroying or using the data in any way.
“Data Controller” means that the University is the main decision maker when it comes to what data it holds about you and how it is used.
Data Protection Principles
As a Data Controller the University complies with data protection legislation and its principles. This means that your data will always be:
- Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes which have been clearly explained to you and not used in any way that is incompatible with those purposes.
- Used in a way that is relevant to the purposes we have told you about and limited in usage only to those purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purposes we have told you about.
- Kept securely.
Data Collection
Depending on your relationship with the University we will collect and process various categories of personal data about you. We have divided these into the categories below.
IF YOU ARE A STUDENT, APPLICANT OR ALUMNI
Please note that the examples given are not an exhaustive list and other data will apply to each category.
Biographical Data - name, preferred name, previous name, marital status, title, age, domicile, date of birth and gender
Contact Data – home address, email address, telephone number, term time address
Emergency contact data - emergency contacts, trusted individual details, GP information
Photographic proof of identity – passport, driving licence and where necessary visa information
Records of engagement – communication preferences, enquires, applications, attendance, enrolment,
Academic data – student ID number, academic history, assessments, academic progression and awards
Graduation data – confirmation of attendance, guest information, special requirements
CCTV images and video recordings – video submissions outside of academic purposes
Financial data – details of payments made to and from you including bank account, payment details, purchases of products and services, student fees, university funding, bursaries, alumni donations
Technical data – IP address, login data, other unique device identifiers, use of and access to university systems. For more information about this data please refer to the ICT Acceptable Use Policy.
Demographic data – information relating to characteristics including age, sex, ethnicity, income, place of residence, socio-economic information, equality data
Feedback data – survey responses, written or recorded testimonials relating to university activities and services
Criminal conviction data – when necessary, DBS checks, personal declarations
Other Information – any other information which you choose to provide during your engagement with university services
IF YOU ARE A MEMBER OF STAFF, APPLICANT OR FORMER COLLEAGUE
Please note that the examples given are not an exhaustive list and other data will apply to each category.
Biographical Data - Name, preferred name, previous name, marital status, title, age, domicile, date of birth, gender, marital status, dependants, National insurance number
Contact Data – home address, email address, telephone number
Emergency contact data - emergency contacts, GP information
Photographic proof of identity – passport, driving licence and where necessary Visa information
Recruitment data – academic history, qualifications, application, references, right to work documentation
Employment records – annual leave, start date, location of employment, job title, contract, training records, professional memberships, work history, performance information, disciplinary and grievance information.
Visual media – photographs, CCTV images, video recordings
Financial data – bank account details, payroll records, tax status, salary, pension, benefits
Technical data – IP address, login data, other unique device identifiers, use of and access to university systems. For more information about this data please refer to the ICT Acceptable Use Policy.
Demographic data – information relating to characteristics including age, sex, ethnicity, income, place of residence, socio-economic information, equality data
Feedback data – survey responses, written or recorded testimonials relating to university activities and services
Criminal conviction data – when necessary, DBS checks, personal declarations
Other Information – any other information you choose to provide during your engagement with university services
IF YOU ARE A VISITOR TO THE UNIVERSITY
Please note that the examples given are not an exhaustive list and other data will apply to each category.
Biographical Data - Name, preferred name, title
Contact Data – home address, email address, telephone number
Emergency contact data - emergency contacts
Records of engagement – communication preferences, enquires, communications with university staff
Site visit data – car registration number, reason for visit, organisation or employer, conference or event data
Widening Participation data – school details, outreach event, workshop participation and demographic data including age, sex, ethnicity, income, place of residence, socio-economic information, equality data
CCTV images
Financial data – details of payments made to and from you including bank account, payment details, purchases of products and services
Technical data – IP address, login data, use of and access to university systems such as guest Wi-Fi. For more information about this data please refer to the ICT Acceptable Use Policy.
Feedback data – survey responses, written or recorded testimonials relating to university activities and services, complaints and grievances
Other Information – any other information you choose to provide during your engagement with the university
SPECIAL CATEGORY DATA
The University may also process special category data about you. This is personal data which is regarded as more sensitive. It will only collect this where it is necessary and is usually provided by yourself. Under UK GDPR special category data is personal data which reveals:
- Racial or ethnic origin
- Political, religious or philosophical beliefs
- data concerning health, including any medical conditions and/or disability
- Genetic data
- Biometric data for the purposes of uniquely identifying an individual
- Gender identification, sexual life and sexual orientation
- Criminal convictions
How Will Your Data Be Collected?
We collect information directly from you during our contact with you, or from third parties which you have directed us to, for instance, any referees cited in support of an application.
How We Use Your Personal Data
We will only use your personal data in accordance with the law. We will use your personal data in the following circumstances:
- Where we need to perform a contract that we are about to enter into or have entered into with you.
- To perform tasks carried out in the public interest as a provider of education and research.
- Where it is necessary to support the University’s legitimate interests or those of a third party.
- Where the University is required to comply with legal or regulatory obligations.
- To protect the vital interests of you or another person.
- Under specific circumstances, where we receive your consent.
Processing For Specific Purposes
- We will only process your data for the specific purpose or purposes that we tell you about, or if specifically permitted by the Data Protection Legislation, and will only process your data to the extent necessary for that specific purpose or purposes.
- Where we need to process your special category data it is usually done with your explicit consent or to carry out one or more special purposes if it is necessary: for the establishment, exercise or defence of legal claims; when it is needed to protect your or another person’s vital interests and you are not capable of giving your consent, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
Special Category Data
The University may also process special category data about you. This is personal data which is regarded as more sensitive. It will only collect this where it is necessary and is usually provided by yourself. Under UK GDPR special category data is personal data which reveals:
- Racial or ethnic origin
- Political, religious or philosophical beliefs
- Data concerning health, including any medical conditions and/or disability
- Genetic data
- Biometric data for the purposes of uniquely identifying an individual
- Gender identification, sexual life and sexual orientation
- Criminal convictions
How Will Your Data Be Collected?
We collect information directly from you during our contact with you, or from third parties which you have directed us to, for instance, any referees cited in support of an application.
How We Use Your Personal Data
We will only use your personal data in accordance with the law. We will use your personal data in the following circumstances:
- Where we need to perform a contract that we are about to enter into or have entered into with you.
- To perform tasks carried out in the public interest as a provider of education and research.
- Where it is necessary to support the University’s legitimate interests or those of a third party.
- Where the University is required to comply with legal or regulatory obligations.
- To protect the vital interests of you or another person.
- Under specific circumstances, where we receive your consent.
Processing For Specific Purposes
We will only process your data for the specific purpose or purposes that we tell you about, or if specifically permitted by the Data Protection Legislation, and will only process your data to the extent necessary for that specific purpose or purposes.
Where we need to process your special category data it is usually done with your explicit consent or to carry out one or more special purposes if it is necessary: for the establishment, exercise or defence of legal claims; when it is needed to protect your, or another person’s, vital interests and you are not capable of giving your consent; or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
IF YOU ARE A STUDENT, APPLICANT OR ALUMNI
Please note that any examples given are not an exhaustive list and other activities may apply to each purpose.
- Administering enquiries, and converting applications
- Marketing to potential students
- Pre-enrolment activities and requirements
- To meet UKVI requirements and obligations
- Enrolment
- Welcome Week activities
- Provision of University Services - including Catering, Library, IT, Housing, and Careers
- Provision of University Support Services – including wellbeing services such as counselling, mentoring, safeguarding, crisis support and intervention
- Academic Provisions – including attendance monitoring, assessments, awards, work placements
- Widening Participation and equal opportunity monitoring and reporting
- Finance – including paying tuition and housing fees
- Internal and external reporting – including reporting to the Office for Students, HESA
- Estate and Accommodation Management
- Compliance with University Policies
- To monitor your use of our information and communication systems to ensure compliance with our IT policies
- To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution
- Complying with Health and Safety and other legal obligations such as complying with court orders and the prevention of fraud
- Disclosure and Barring Service checks and disclosures where required
- Where necessary, gathering of evidence for possible grievances, Fitness to Practice investigations or disciplinary processes
- Where necessary, to support third parties such as the Student Union and placement providers
- Graduation administration
- Alumni engagement activities – including Career support and fundraising activities
- To meet any legal requirements the University is subject to under UK and international law
IF YOU ARE A MEMBER OF STAFF, APPLICANT OR FORMER COLLEAGUE
Please note that any examples given are not an exhaustive list and other activities may apply to each purpose.
Making a decision about your recruitment
Determining your employment terms
To carry out right to work checks
Ensuring that you are paid correctly, including deducting tax and National Insurance contributions.
Providing multiple benefit packages to you as an employee’
Liaising with your pension provider.
Administering the contract we have entered into with you.
To conduct data analytics studies to review and better understand employee retention and attrition rates.
Equal opportunities monitoring.
Business management and planning, including accounting and auditing.
To prevent fraud.
To monitor your use of our information and communication systems to ensure compliance with our IT policies. This is not routinely done.
To ensure network and information security, including the prevention of unauthorised access to our computer and electronic communications systems and preventing malicious software distribution.
Conducting performance reviews, managing performance and determining performance requirements.
Making decisions about salary reviews and compensation.
Assessing qualifications for a particular job or task, including decisions about promotions.
Making decisions about your training and development requirements.
Dealing with customers and other third parties to whom your identity and background information is important. For example, if you are to work on their premises or because of a proposed merger, acquisition or joint venture.
Complying with health and safety obligations.
Dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at work.
Managing sickness absence.
Ascertaining your fitness to work.
Complying with court orders.
Making decisions about your continued employment or engagement.
Gathering evidence for possible grievance or disciplinary hearings.
Making arrangements for the termination of our working relationship, mutual or otherwise.
To meet any legal requirements the University is subject to under UK and international law
IF YOU ARE A VISITOR TO THE UNIVERSITY
Please note that any examples given are not an exhaustive list and other activities may apply to each purpose.
- Provision of University services – including guest Wi-Fi access
- Event administration and management
- Health and Safety obligations
- Estate Management
- Graduation administration
- Financial purposes – paying of invoices
- Placement administration
- Apprenticeship administration
- University governance
- External engagement and partnerships
- Other legal obligations
- Community engagement
- Widening participation activities and reporting – including all school and college activities
- To meet any legal requirements the University is subject to under UK and international law
- Generally, we do not rely on consent as a lawful basis for processing your personal data. Where you have provided your consent, you have the right to withdraw it at any time, and you will be advised on how to do that at the point of collection.
- When we use your data for statistical and research purposes, this data will usually be anonymised so that you cannot be identified. If that is not possible, we use your personal data on the basis that this is necessary: in the public interest; for scientific or historical research or statistical purposes, or for the purposes of the University’s legitimate business interests.
- Where any personal data has been collected about you as part of any automated decision-making system, for example Automatic Numberplate Recognition, there will be a facility in place for you to challenge the decision.
What If You Do Not Provide Your Personal Data?
- The University only processes personal information which is necessary to support its services. If you choose to not provide this data when requested, or if you do not allow us to process your personal data collected through other means, we may not be able to successfully fulfil your request or deliver services to you. For example, if you are a student this could limit our ability to provide certain optional support services to you. If you are a member of staff, it could delay any salary payments due to you or prevent your employment from starting.
Who Has Access to Your Personal Data?
- Your information will be shared internally within the University for the purposes described in the section “How we use your personal data”.
- To support services provided to you the University may be required to share your personal data with third parties. These would include the Winchester Students’ Union, or placement providers, suppliers of software systems, and any other organisations that we are required to collaborate with. Agreements will be put in place with all third-party recipients to ensure that any personal data shared will be held in accordance with the requirements of the Data Protection Legislation. This would include the appropriate security measures to protect your personal data. We only permit third-party data recipients to process your personal data for specific purposes.
- Exceptionally, we may disclose your data to a third party if required to do so: to protect or defend the University’s rights, interests, or property, or those of third parties; act in urgent circumstances to protect the personal safety of university constituents, or the public; or protect against legal liability.
- The University will not sell the data it collects from you to any third-party.
Accuracy
- It is important that the personal information that we hold about you is accurate and up to date. Please notify us at if your personal details change, or if the data that we hold about you is inaccurate.
- If you are a student, you can update some of your personal data through ‘My Record’
- If you are a member of staff, you can update your personal details through ‘iHR’
Holding And Retaining Your Data
- We will only retain your personal data for as long as it is necessary to fulfil the purposes which we have collected it for. This will include satisfying any legal, accounting, insurance, or reporting requirements. Details of retention periods for different aspects of your personal data are recorded in the relevant department’s Information Asset Registers. After the retention periods expire, your personal data will be destroyed securely in accordance with our record retention schedule. More information can be found on this in the University’s Data Retention and Deletion Policy.
How Will Your Data Be Secured?
- The University employs appropriate technical and security measures to protect all personal data. This includes controls which limits access to personal data to appropriate employees and secure sharing with third parties.
- The University has procedures in place to deal with any suspected data security breach and will notify you and any applicable regulators if there is a breach in accordance with our legal obligations.
Direct Marketing
- Under the lawful basis of exercising our legitimate interests, we may contact you to promote University activities and courses. This will be done according to your preferences, by email, post, SMS, telephone or paid-for advertising. If at any stage you wish to change how we communicate with you, please contact us. You will be advised on how to do that at the point of contact.
- We will amend our records with your updated communication preferences. If we are unable to fulfil some or all of your request, we will inform you if this is the case.
- All direct marketing communication is offered in line with the UK Privacy and Electronic Communications Regulation.
Third-Party Links
- The University’s website may include links to third-party sites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their data collection and use. If you leave our website via these links, we encourage you to read their privacy notice to ensure you are confident with how they will use your data.
Your Rights
- As an individual under data protection law, you have a number of rights. You can:
- Access and obtain a copy of your data on request (Access)
- Request to change incorrect or incomplete data about yourself (Rectification)
- Request erasure (Deletion)
- Request us to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing (Objection)
- Ask us to restrict or stop processing data for a period, for example if the data is inaccurate (Restrict)
- Request the transfer of your personal data to another party (Portability)
- Request human intervention or raise a challenge where an automated decision has been made using your personal data (Automated Decisions)
These rights do not apply in all circumstances, for more information about this please refer to the ICO guidance here. To enquire about, or to exercise, any of these rights, please contact DPO@winchester.ac.uk
Complaint Procedure
You have the right to lodge a complaint with the UK Data Protection Authority, the Information Commissioners Office. The ICO will ask you to address your complaint to the University in the first instance. To submit a complaint about the use of your personal information please email DPO@winchester.ac.uk
If you are unhappy with the University’s response, a complaint can be made to the ICO via their website here: Make a complaint | ICO
Cookie policy
Our Cookies Policy explains what cookies are, how we use cookies, how third-parties we may partner with may use cookies on the Service, your choices regarding cookies and further information about cookies.
What are cookies?
A cookie is a small text file that a website saves on your computer or mobile device when you visit the site. It enables the website to remember your actions and preferences (such as login, language, font size and other display preferences) over a period of time, so you don’t have to keep re-entering them whenever you come back to the site or browse from one page to another.
How the University of Winchester uses cookies
The university webservers collect anonymous information, like the IP address of your computer, the browser software used, the operating system, access times and pages visited. This information is used to monitor usage and to assess the effectiveness of the university website.
In some sections of the university website anonymous data such as browser type or IP address may be used to customise web page content. This information is used in an anonymous form to ensure appropriate and effective delivery of content.
Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. You should be aware that this may prevent you from taking full advantage of our website. If you are unsure how to do this, use your favourite search engine to look this up using the term 'declining cookies' with your browser name, or contact your local IT support for advice.
Google Analytics
Google Analytics use traffic log cookies to gain information about the use that is made of pages on our website. We use the information from cookies to generate reports on the usage of our website which are used for evaluation and analysis. The purpose is to improve our website by tailoring it to the needs of users. In all cases, no data specific to any identifiable user is retained.
As a user you can opt out of this process of collecting traffic log data. To do so please visit Opt out of Google Analytics Information.
What are your choices regarding cookies?
If you'd like to delete cookies or instruct your web browser to delete or refuse cookies, please visit the help pages of your web browser.
Please note, however, that if you delete cookies or refuse to accept them, you might not be able to use all of the features we offer, you may not be able to store your preferences, and some of our pages might not display properly.