Student privacy notice

  • Student Personal Data

    Oxford Brookes University is the Data Controller of any personal data that you provide or we obtain with regard to your studies.  This means that we will make decisions on how your data is used and for what reasons.

    This purpose of this privacy notice is twofold:

    1. To be transparent about the information we collect and store about you and its use.
    2. To comply with our obligations under UK data protection and privacy law.

    While as comprehensive as possible this notice may not answer all your queries or concerns, if you require further information please contact the University's Information Management Team on 01865 485420 or email info.sec@brookes.ac.uk.

  • The majority of the personal data we hold about you is directly related to the administration of your studies with Oxford Brookes, this includes your use of associated services such as IT, libraries and other facilities.

    Oxford Brookes will also use your personal data for management purposes and working to improve the student experience as well as complying with our legal obligations, for instance Oxford Brookes is required by law to provide limited personal data to external bodies such as Higher Education Statistics Agency (HESA) and the Office for Students (OFS, previously known as the Higher Education Funding Council for England or ‘HEFCE’).

    Oxford Brookes will need to know if you have a disability, special need or medical condition so that we know if you require additional support or special facilities. We also record information on ethnic origin and other protected characteristics to monitor equal opportunities.

    Below we provide more detail on the different purposes your personal data is used for and any third parties this data is shared with.

    UK Data Protection law requires us to determine a relevant legal basis for each data processing activity we undertake with your personal data, one example of a data processing activity we undertake is the sharing of personal data with statutory bodies such as HESA described above.

    These ‘lawful bases for processing’ are defined by UK data protection law and include:

    1. Consent - under certain circumstances, such as participating in third party surveys, we will only process your personal data with your explicit consent. Explicit consent requires you to make a positive, affirmative action and be fully informed as to what you are consenting to.

    1. Necessary for the provision of a contract - much of the personal information Oxford Brookes processes is necessary to meet its commitments to you, for example processing related to teaching and assessment.

    1. Necessary to fulfil a legal obligation - we must process your personal data when required to do so under UK law, for instance sharing information with statutory bodies like HESA and OfS or when making reasonable adjustments required by the Equality Act 2010

    1. Necessary to protect the vital interest of you or another person - under extreme circumstances we share your personal data with third parties to protect your interests or those of another person, for example providing medical or emergency contact information to emergency services personnel.

    1. Processing is necessary for the performance of a public task - Oxford Brookes is a higher education institute that will sometimes process your personal data in the public interest.

    1. Processing is necessary for fulfilling the legitimate interests of Oxford Brookes University - Oxford Brookes has a right to pursue its own organisational interests and can process your personal data in pursuit of these providing it does not override your fundamental right to privacy. For instance, Oxford Brookes’ uses Google services for email and productivity applications which means your personal data may be stored on their servers. Oxford Brookes feels that using a third party to provide these services is in our interests but takes appropriate actions to ensure your privacy is respected.

    In situations where the personal data is defined as sensitive or special category data (for example ethnicity, criminal conviction information and health or medical data) we must select one of the following lawful bases in order to process it:

    1. Explicit consent (see above).

    2. Processing is necessary for reasons of substantial public interest - for example the need to ask for criminal conviction data when applying to or studying courses with fitness to practice requirements.

    3. Processing is necessary to establish a legal claim or administer justice - we may be required to release third parties to authorised agencies.

    4. For research and statistical purposes - sensitive personal data about you may be used for research purposes without your explicit consent providing sufficient safeguards are in place.

    In the ‘How are you using my data and who is it shared with” section below we provide details of the different processing activities undertaken by Oxford Brookes together with their associated lawful basis.

    Most of the personal data we process will have been collected directly from you; either at enrolment or as and when you use University services such as IT, libraries or sports centres.

    We may also receive personal data from third parties such as UCAS, associate colleges or the Student Loans Company. Where we receive such information we always ensure that the party supplying it can lawfully share it with us.

    If you applied to Oxford Brookes though UCAS we receive the following data from them:

    • Name

    • Address

    • Educational Qualifications and Experience

    • Employment History

    • Contact Details

    • Unique Learner Reference Number

    • Passport & Visa Details (for non-EU residents)

    • Nationality

    • Residency Status

    • Fee Payment Details

    • Disability & Special Needs

    • Care Leaver Status

    • Parental Data, including Contact Details, Qualifications and Occupational Background

    • Personal References

     

    Most personal data processed by Oxford Brookes is directly related to the administration of your studies, this includes your use of associated services such as IT, libraries and other facilities. While many processing activities are conducted within Oxford Brookes we use a number of third party providers to support our day to day activities, from IT providers to our security contractors. A full list of third parties that we may share your personal data with.

    The table below lists the main purposes for which we will process your personal data together with the associated lawful basis for processing.

    Purpose - Teaching & Research Lawful Basis for Processing
    Recruitment and admission of students Necessary for the provision of a contract
    Provisioning teaching and associated academic services including examinations Necessary for the provision of a contract
    Facilitating accreditation with professional & industrial bodies Necessary for the provision of a contract
    Managing and administrating students educational contracts Necessary for the provision of a contract
    Recording and managing student conduct (including disciplinary procedures) Necessary for the provision of a contract
    Maintaining student records Necessary for the provision of a contract
    Management and administration of student finance (including bursaries and scholarships) Necessary for the provision of a contract
    Graduation (including award, classification and images published in the graduation media) Necessary for the provision of a contract
    Delivering plagiarism checking and academic validation services Necessary for the provision of a contract
    Data sharing with third parties necessary for provision of the purposes listed above Processing is necessary for fulfilling the legitimate interest of Oxford Brookes
    Purpose - Other Lawful Basis for Processing
    Providing services necessary for the student experience (Including Library, IT and communication services) Necessary for the provision of a contract
    Providing support and maintenance services (including IT, estates and accommodation)   Necessary for the provision of a contract

    Providing student support services including:

     - Disability and learning support services

     - Careers and employment advice and services

     - Health and wellbeing services

     - Brookes Medical centre

    Necessary for the provision of a contract


    Additional information will be processed with your consent

    Information sharing with Brookes Union Processing is necessary for fulfilling the legitimate interest of Oxford Brookes
    Monitoring equal opportunities Necessary to fulfil a legal obligation
    Safeguarding and promoting welfare of students Necessary for the provision of a contract
    Managing student accommodation Necessary for the provision of a contract
    Social media interactions You consent to providing it to us
    Management of car parking & CCTV systems Processing is necessary for fulfilling the legitimate interest of Brookes
    Performing research and statistical analysis Processing is necessary for fulfilling the legitimate interest of Oxford Brookes
    Performing audits (for regulatory and legal obligations) Necessary to fulfil a legal obligation
    Providing safety and operational information Necessary to fulfil a legal obligation
    Promoting our services (e.g. summer schools, student exchanges, or other events happening on and off campus) You consent to providing it to us
    Providing careers and placement advice and services Necessary for the provision of a contract
    Preventing and detecting crime Necessary to fulfil a legal obligation
    Dealing with grievances and disciplinary actions Necessary for the provision of a contract
    Dealing with complaints and enquiries Necessary for the provision of a contract
    Alumni activities Processing is necessary for fulfilling the legitimate interest of Oxford Brookes
    Alumni fundraising You consent to providing it to us
    Service improvement via feedback and surveys Where personal data is not anonymised, Oxford Brookes will seek consent
    Administration of insurance and legal claims Necessary to fulfil a legal obligation
    Assessment of Council Tax   Necessary to fulfil a legal obligation
    Data sharing with third parties necessary for provision of the purposes listed above Processing is necessary for fulfilling the legitimate interest of Oxford Brookes

    Where not explicit above, Oxford Brookes may also share your date with the following third parties:

    • The Higher Education Statistics Agency (HESA) - necessary to fulfil a legal obligation.

    • The Office for Students (OFS), previously known as the Higher Education Funding Council for England (HEFCE) - necessary to fulfil a legal obligation.

    • Education & Skills Funding Agency - necessary to fulfil a legal obligation.

    • Other relevant training & development agencies - necessary to fulfil a legal obligation.

    • Police and other law enforcement agencies - necessary to fulfil a legal obligation.

    • Officers of the Court - necessary to fulfil a legal obligation.

    • Prospective employers for confirmation of qualification and provision of references - necessary to fulfil a public task.

    • Home Universities (incoming exchange students only) - necessary for the provision of a contract.

    • Mitie (our security contractors) - processing is necessary for fulfilling the legitimate interest of Oxford Brookes.

    • United Kingdom Visas & Immigration (a government agency) - necessary for fulfilling our legal duties as a sponsor of international students.

    •  

    Yes, in some instances your personal data will be shared with third parties outside of the EEA, for example North America and Australia. Oxford Brookes will only transfer your personal data outside of the EEA when one of the following conditions have been met:

    1. You have given us explicit consent for the transfer.

    2. The country has adequate data protection laws (this is determined by the Information Commissioner’s Office, not us).

    3. There are adequate safeguards in place, for example international data sharing frameworks or we have sufficiently robust contracts in place with the international third party.

    • You have the right to be informed - via privacy notices such as these and other communications relating to data protection and privacy.

    • You have the right of access to your data - if you would like copies of the personal data Oxford Brookes stores please contact the IT Services Information Management team (contact details below).

    • You have the right to correct data if it is wrong - please contact the Information Management team if you believe your personal data is incorrect or out of date.

    • You have the right to ask for your data to be deleted - please contact the Information Management team if you believe you have a reason related to your personal situation for us to delete personal data we hold.

    • You have the right to restrict use of the data we hold - in certain circumstances you can request that processing of your personal data is restricted pending review.

    • You have the right to data portability - where possible Oxford Brookes will facilitate the digital transfer of data between compatible systems. 

    The right to object to Oxford Brookes University using your data - please contact the Information Management team if you believe your personal data is being used unlawfully or you have reason particular to your personal situation why we should not be processing it.

    Yes, in many cases we will not be able to meet our commitments to you if we do not collect and store your personal data. 

    In a situation where your explicit consent is required we will make clear the specific consequence of not providing your data.

    No, Oxford Brookes does not currently undertake any automated decision making or profiling using your personal data that falls within the scope of UK law.

    Oxford Brookes will only retain personal data for as long as necessary to:

    1. Fulfil the purpose for which the data was collected or obtained.

    2. Fulfil our own obligations under UK Law.

    Your personal data will be securely deleted once either of these conditions no longer apply. For more information on retention periods (the exact length of time Brookes retains each category of personal information) please refer to the University record retention schedule or contact the Information Management team.

    While this privacy notice is as comprehensive as possible we acknowledge that there are many University services and functions you may or may not engage with during your time as an Oxford Brookes’ student. As such you may see additional privacy notices when you are asked to provide personal data for specific purposes, for example engaging with certain University Wellbeing services or becoming a Brookes Sport member.

    Please contact the IT Services Information Management team.

    Postal Address: Information Management Team, IT Services, Room 2.12, Gibbs Building, Headington Campus, Headington, Oxford, OX3 0BP

    Email:  info.sec@brookes.ac.uk

    Tel: 01865 485420 (office hours are 0900 to 1700, Monday to Friday)

    In certain circumstances we may refer your query or concern to the University Data Protection Officer (DPO), a semi-independent role at Brookes required by UK Law. If you would prefer to contact the DPO directly please email DPO@brookes.ac.uk.

    The ICO is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. While we recommend that you raise any concerns or queries with us first you have the rights to complain to the ICO directly if you believe Oxford Brookes is using your personal data unlawfully.

    Please visit www.ico.org.uk for information on how to make a complaint or would like independent and impartial guidance on data protection and privacy.