Your privacy, your rights – data protection at DMU
This page tells you how DMU uses personal information and how you can expect us to use your information if:
- you study with us
- you work for us
- you partner with us
- you do business with us, or
- you are a member of the public who uses our facilities or services
We process personal information needed to deliver our official functions of education and academic research. We also process personal information about members of the public who use our facilities or services. You can find out more about the personal information we process in each area by clicking on the links below:
We never share personal data with third parties for commercial purposes.
You can find out more about how we protect your privacy by selecting any of the below topics. If you have any queries, please get in touch at dataprotection@dmu.ac.uk
Covid 19
Please note that where specifically advised to by a health care professional, DMU will process data to identify persons who may have been in close proximity to individuals who have tested positive for coronavirus. This processing will be undertaken solely for the purposes of notifying those individuals of this fact. The identity of the individual with a positive test will not be shared with them. Our lawful basis for this processing is Public Task under Article 6 and Public Health under Article 9.
Education
What personal information we collect and hold about students and why, who we may share it with and the lawful basis for general processing
Prospective Students
We may collect the following personal information:
- Your name and contact details, which may include IP addresses.
- Details of attendance at university open days and records of communication/correspondence.
Why do we collect this information?
We collect this information to send you our prospectus and supplementary information related to your enquiry. It may be shared with UCAS. This comes under the lawful basis "Public Task".
Students who apply for a place
We may collect the following personal information:
- Your contact details (name, address, phone number(s), email)
- Date of Birth
- Gender
- Ethnicity
- Religion
- Relevant health or disability information
- Next of kin
- Details of your previous education and qualifications
- Financial information
- ID/Passport
- Visa or immigration information if you are a non-UK citizen. This may also include information around criminal offences.
Why do we collect this information?
We collect this information for verification checks, service planning, and equalities monitoring. If you are not a UK citizen, we need confirmation of your immigration status. For regulated courses, DBS clearance is required.
Who may we share this information with?
It may be shared with the following organisations:
- UCAS
- Student union (DSU)
- Student Loan Company (SLC)
- Work placement employer(s) regulatory bodies
- Educational Partners
- Sponsors
- Agents
This comes under the lawful basis "Public Task". Where special category data is involved: explicit consent processing is necessary for reasons of substantial public interest
Enrolled/current students
In addition to the data collected as a prospective student and/or student who applied for a place, we hold information about:
- Your course
- Classes and attendance
- Exam results
- Placements
- Accommodation
- Information relating to academic offences including disciplinaries and investigations
- We may also process health information about you, for example in relation to mitigating circumstances or where adjustments are required.
- You will be given a student number which our staff will use to identify you.
- Your personal data may also be captured on video and/or audio during the recording of lectures and other more general pedagogic purposes.
Why do we collect this information?
We collect this information for educational purposes, student support, extracurricular activities, work placements, volunteering, accreditation and registration purposes, and sponsor requirement.
Who may we share this information with?
Your information may be shared with the same organisations as above, plus:
- By law DMU must provide information, including special category data, to the Higher Education Statistics Agency (HESA). Read HESA’s collection notices.
- DMU must also provide some data relating to research students to UK Research and Innovation (UKRI) in relation to our Research Excellence Framework (REF) submission. Read the UKRI’s Privacy Notice.
- Accreditation/registration bodies
- Sponsors (official funding bodies)
- Sponsors (overseas)
- Sponsors (employer)
This comes under the lawful basis "Public Task", "Legal Obligation", and "Legitimate Interests". Where special category data is involved: explicit consent processing is necessary for reasons of substantial public interest.
Students who have graduated from DMU (alumni)
We may collect the following personal information:
- Your degree details
- Your next employment, education, or training
- Your contact details/historic pattern of engagement
Why do we collect this information?
We collect this information to provide a reference for you if you ask us to. By law, DMU must provide information to the certain bodies, for example the Higher Education Statistics Agency (HESA). We may also use this information for marketing information, including details about alumni events and fundraising.
Who may we share this information with?
It may be shared with the following organisations:
- Employers, other educational institutions
- HESA (in addition other formal bodies such as HMRC, UKVI, UKRI, the police etc.)
This comes under the lawful basis "Public Task", "Legal Obligation", "Legitimate Interests", and "Consent". Where special category data is involved: explicit consent processing is necessary for reasons of substantial public interest.
The table below shows what personal information we process for staff recruitment, for our current and past staff, what the information is used for, who we may share it with, and the lawful basis for general processing
Staff |
What personal information we collect |
Why we collect it |
Who may we share it with |
Lawful basis |
Prospective staff |
Contact details, education, qualifications and work history, address, contact details, date of birth, ethnicity, religion, health, disability. ID/passport, visa or immigration information if you are a non-UK citizen. This may also include information around criminal offences. |
Application and recruitment purposes, equalities monitoring |
Previous employers |
Public Task
Where special category data is involved:
explicit consent
processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law
processing is necessary for reasons of substantial public interest
processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee
|
Current staff |
As above, job title, hours and pay, training undertaken whilst at DMU, holiday information. Financial information (bank details) tax and NI information, deductions required and the reason. Appraisal data. We may also process health information about you, for example in relation to sickness absence or where adjustments are required |
Performance and development, payroll and budget, occupational health for audit and financial purposes. Where legitimately requested by official bodies. |
Future/prospective employers
Accreditation Bodies /Apprenticeship Partners (including tendering process)
External Partners for the purposes of sector benchmarking
HMRC, UKVI, UKRI, Auditors, Police etc.
Mortgage lenders upon request
Occupational health provider
Office for Students
DMU must also provide some data relating to staff to UK Research and Innovation (UKRI) in relation to our Research Excellence Framework (REF) submission. Read UKRI’s Privacy Notice.
|
Consent
Public Task
Consent
Public Task
Where Special Category Data is involved: processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee or processing is necessary for reasons of substantial public interest
|
Health condition and disabilities |
Occupational health, workplace assessment |
Third party occupational health providers |
Public Task and Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee |
Past staff |
Above information from the staff record. |
For reference purposes, evidence for financial purposes. Where legitimately requested by official bodies |
Employers
HMRC, UKVI, UKRI, Auditors, Police etc.
|
Public Task
Legal Obligation
|
The table below shows what personal information we may collect and use for research purposes and the lawful basis for general processing
Public |
What information we collect |
Purpose |
Who we may share it with |
Lawful basis (general processing) |
Volunteers for research |
Your contact details and other information, depending on the nature and purpose of the research. |
Interventional research, i.e. when you are involved and have agreed to take part in the research. |
Collaborative institutions; i.e. other universities, the NHS etc. |
Public Task
Where Special Category Data is involved: processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
|
General public |
Dependent upon nature and purpose of the research (data is de- identified). |
Observational research, for example, for statistical processing |
Collaborative institutions; i.e. other universities, the NHS etc. |
Public Task |
The table below shows what personal information we collect about people who use or hire our facilities or services
Service |
What personal information we process |
Who we may share it with |
Lawful basis |
CCTV |
Video footage of individuals on campus |
The police, courts and similar formal bodies |
Legitimate Interests |
Library |
Contact details and borrowing information, financial information |
The police, courts and similar formal bodies |
Legitimate Interests |
Leisure Centre |
Contact details, date of birth, financial information, medical information |
The police, courts and similar formal bodies |
Legitimate Interests
Where special category data is involved:
explicit consent
|
Venue hire |
Contact details, financial information |
The police, courts and similar formal bodies |
Contract |
Business/external organisations |
Contact details, educational information |
The police, courts and similar formal bodies |
Contract or Legitimate Interests |
Attendees at events |
Contact details, medical information |
The police, courts and similar formal bodies including the NHS for manual Test and Trace purposes |
Legitimate Interests
Where special category data is involved:
explicit consent
|
The main laws are the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). We also adhere to the duty of confidence and the Human Rights Act (Article 8).
For electronic communications, including email and cookies, we comply with the Privacy and Electronic Communications Regulations (PECR).
The GDPR defines some types of information as special category data because it is more sensitive. We must have an additional lawful basis to process special category data.
For educational purposes:
The lawful basis we rely on is ‘substantial public interest on the basis of union or member state law’.
For academic research:
All our research is done in the public interest, therefore, where our research involves special category data, we will rely on one of the public interest lawful bases to process special category data, in addition to the lawful basis of ‘public task’ for general processing.
For some courses, we need to know about criminal offences (including spent convictions) because the course includes a placement working directly with children or vulnerable adults. We will comply with Schedule 1 of the Data Protection Act 2018 and the Rehabilitation of Offenders Act (Exceptions) Order 1975.
For employment and course purposes, we may need to know about criminal offences (including spent convictions). Any such processing will comply with Schedule 1 of the Data Protection Act 2018 and the Rehabilitation of Offenders Act (Exceptions) Order 1975.
The GDPR gives you rights over how your personal information is used:
- The right to be informed - we must tell you how we process your personal information.
- The right of access - you can ask to see what personal information we hold about you. This is called a Subject Access Request (SAR).
- The right of rectification - where information about you is inaccurate, you can ask us to correct it.
- The right to erasure – in some circumstances, or where DMU has no compelling reason to retain your personal information, you can request deletion of that information.
- The right to restrict processing – in some circumstances, you can ask us to restrict the processing of your personal data. This right, where it applies, also allows you to ask us to retain your personal information but not to use it.
- The right to data portability – in some circumstances, you can request a copy of the personal data you have provided to us in a machine-readable form, so you can transfer it to another organisation for a similar purpose.
- Right to object – where there is no legal obligation for DMU to process your data, you can object to us processing your personal information.
- Rights in relation to automated decisions and profiling - where computers make decisions about you, including automated profiling, you have a right to challenge the decision or ask for a human to check an automated decision.
To discuss any of these rights, please contact dataprotection@dmu.ac.uk and let us know how we can help.
DMU is the data controller. This means that we determine the purpose of the processing and are responsible for the adequate protection of personal information.
All our staff are appropriately trained and understand their responsibilities for protecting personal data.
When we purchase services or support from a third party, or outsource a service or function to a third party, we remain the data controller, and our suppliers and service providers must adhere to our contract terms and conditions, which include data protection and information security requirements.
You can make a Subject Access Request (SAR) to find out what information DMU holds about you. We will respond to your request within one calendar month.
To make a SAR, please email us at dataprotection@dmu.ac.uk.
There is not normally a fee for a SAR, but where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either: (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the actions requested; or (b) refuse to act on the request.
To help us locate your information, please include with your request your name (and any other names you have been known by, if relevant), the period for which the information relates (the calendar year(s), or academic year(s) for students), your date of birth, your address at the time, and your DMU identification number (if relevant), and a comprehensive list of what personal data you want to access, based on what you need, it is helpful if you can identify individuals or business areas you believe may hold the specified data.
Before we can disclose any information to you, we will need to see evidence of your identity. We ask for photo ID if possible. Please include either a copy of your passport (showing your photo, name, date of birth and signature), or a copy of your driving licence (UK or EEA photo card driving licence).
If you do not have either of the above, please send us a copy of your original birth certificate.
If you don’t have any of the above documents, please send us two documents from the below list. These must be addressed to you and cannot both be bank statements or from the same utility company.
- Utility bill
- Council tax bill
- Bank statement
- Old style driving licence
- Official notification letter from either the DWP or HMRC
You can ask someone else to make a SAR on your behalf. We will need to see evidence that the person making the request is entitled to act on your behalf and they will also need to provide us with evidence of your identity.
Please note we will not retain copies of your identification documents.
If you have any concerns or wish to complain about a data protection issue, please contact our Data Protection Officer at DPO@dmu.ac.uk
If you are dissatisfied with the way DMU has handled your complaint, you have a right to complain to the Information Commissioner’s Office at ICO.org.uk
We use information posted publicly on social media so we can make information available where it may be relevant or of interest. We never attempt to access private social media accounts.
If you raise a query or a complaint through DMU’s social media, we’ll of course have a record of your user name. We will only use this to resolve your query or complaint and to improve your user experience with the university.
Please let us know about any data protection or information security incident as soon as possible, by writing to us at dataprotection@DMU.ac.uk
Please include:
- your contact details
- the nature of incident
- the date and time of incident
- how the incident was discovered
- the type of information (and number of records if known)
- the circumstances of the incident
Read our Data Protection Policy.
Under section 61 of the Data Protection Act 2018, and Article 30 of the General Data Protection Regulation, each (data) controller must maintain a record of all categories of processing activities for which the controller is responsible. This is generally referred to as the ‘Records of Processing Activities’ (ROPA).
An extract from the University’s ROPA is available on our website. This details the categories of individuals and the personal data, the purpose of processing, details of any joint controllers (if applicable), to whom data is transferred, and the lawful bases for processing.
GDPR Records of Processing Activities
Lawful bases for processing (ICO)
Special category data (ICO)
Criminal offence data (ICO)
Guide to PECR (ICO)