UAL and Short Courses Ltd collect or create personal data relating to students, staff, prospective students or staff, enquirers, contractors, alumni, donors and contacts in other organisations or companies.
The personal data we collect or create
Data we collect or create may include:
- Identity and contact details
- Data relating to academic or employment performance (including records of attendance, disciplinary records etc)
- Family details
- Complaints or enquiries made by or about you
- Records of counselling or other support requested or given
- Survey data
- Records of goods or services provided
- CCTV footage
- Scans of identity documents
- ID card access data
- Use of UAL IT systems
- Accident forms
- Financial details
- Employment references
- Records of employment
- Vetting checks
In limited circumstances, we also process sensitive classes of information that may include:
- Racial or ethnic origin
- Trade union membership
- Religious, political or other similar beliefs
- Physical or mental health details
- Sexual life
- Offences and alleged offences, criminal proceedings
What we do with your personal data (our legitimate interests as a data controller)
Among other things we process personal information to enable us to:
- Provide education and support services to our students and staff
- Advertise and promote the university and the services we offer
- Conduct surveys
- Manage alumni relations and fundraising
- Undertake research
- Manage our accounts
- Provide commercial activities to our clients.
We also process personal information within CCTV systems, card access data and logs of activity on our IT systems to monitor activity and for the purposes of security and the prevention and detection of crime.
Legal bases for processing
Under GDPR and the Data Protection Act 2018, we will process personal data under the following bases.
Core student and staff data; the personal data of anyone entering into a contractual relationship with UAL or Short Courses Limited
Legal basis under GDPR: 6(1)(b) necessary for the performance of a contract.
Purpose: To support applications and provide education and support to students; to support applications, employ, manage and support the work of staff; to provide accommodation and other commercial services governed by contract.
Legal basis under GDPR: 6(1)(f): legitimate interests.
Purpose: In the event of a complaint, enquiry or legal action relating to its performance, to determine and demonstrate for up to 6 years after the year the contract ends that the contract was either fulfilled or breached.
Personal data of governors and senior management
Legal basis under GDPR: 6(1)(e) in the exercise of official authority.
Purpose: To provide oversight of University activity and transparency to the public.
Personal data processed for other commercial activity, support services or as part of commercial transactions, including enquiry, alumni and third party contact details; personal data captured by CCTV or otherwise for security purposes
Legal basis under GDPR: 6(1)(f) legitimate interests.
Purpose: To provide additional services, to develop and maintain enquirer, alumni, commercial and donor relationships; to protect University assets.
Contact details and other personal data related to marketing
Legal basis under GDPR: Held under 6(1)(f) legitimate interests, but consent will be obtained for the marketing activity in accordance with PECR. We will use ‘soft opt-in’ for the promotion of related commercial services provided by UAL to existing or former students, staff or customers where they have been given the option to withdraw consent on each contact. We will obtain explicit consent for other direct marketing, including campaigning, fundraising or marketing contact on behalf of third parties or with people who are not existing or former students, staff or customers.
Purpose: To promote the activities of UAL and partner organisations, to raise awareness of opportunities and events of potential interest to applicants, students, staff, alumni and others.
Sensitive personal data
Legal basis under GDPR: 9(2)(a) explicit consent, (but if provided, shared with HESA for statistical purposes under basis 9(2)(j). Where consent would not be practical, safeguarding and counselling may rely on 9(2)(g) substantial public interest, as further defined by the Data Protection Act 2018.
Purpose: To adhere to statutory requirements to monitor and report on diversity, provide reasonable adjustments, provide counselling and support services, record sickness absence and accidents, safeguarding activities, counselling.
Who the information may be shared with
Academic results are regarded as public and will be posted on the UAL website upon graduation. At any time after, these will be shared with employers, other educational establishments and others on request.
We will share personal data with our subsidiaries and third parties who are engaged as data processors on our behalf, including course tutors or support staff working through their own company, IT service providers (e.g. JISC, Microsoft, AWS, Midland HR), facilities contractors, landlords etc.
Student contact details may be shared with the Students Union in order to facilitate membership, and also with Higher Education bodies such as HEFCE or the Office of Students, or their data processors, in order to conduct the National Student Survey. Student data will be shared with HESA for monitoring purposes, and UAL will also produce anonymised statistical data for reporting purposes in general which may be shared widely or published.
Any personal data may be shared with UK law enforcement or tax collection officials on request if they provide a court order or otherwise can demonstrate the specified information is necessary for the prevention or detection of crime of the collection of taxes. We will also share personal data with health professionals if necessary to protect the ‘vital interests’ of the data subject, and with others if necessary to safeguard children and adults at risk, or any other similar situation that meets the definition of ‘substantial public interest’ under the Data Protection Act 2018.
Unless otherwise specified in a relevant Privacy Notice or to comply with a specific legal obligation under the law of the United Kingdom, we will only share personal data with others with the explicit consent of the individual.
Personal data will not normally be transferred outside the EEA. Where this is necessary, it will be the consent of the individual or otherwise with appropriate safeguards as prescribed by GDPR. Full information will be provided in detailed Privacy Notices at the point of data collection or sharing.