Go to the Students section
Go to the Staff section
Go to the Alumni section
Go to the Study here section
Go to the International section
Go to the About section
Go to the Research section
Go to the Business and Employers section
Go to the Support us section
Oxford Brookes University (the University) is the Data Controller of any personal data that you provide or we obtain with regard to your studies. This means that we will make decisions on how your data is used and for what reasons.
The purpose of this privacy notice is to:
The University publishes additional privacy notices applicable to other groups, facilities and activities. Subject to your circumstances, other notices may also apply to you so please read this privacy notice in conjunction with other applicable privacy notices that may be accessed via the University website.
The majority of the personal data we hold about you is directly related to the administration of your studies with the University. This includes your use of associated services such as IT, libraries and other facilities.
The University will also use your personal data for management purposes and working to improve the student experience as well as complying with our legal obligations, for instance the University is required by law to provide limited personal data to external bodies such as Higher Education Statistics Agency (HESA) and the Office for Students (OfS, previously known as the Higher Education Funding Council for England or ‘HEFCE’).
The University will need to know if you have a disability, special need or medical condition so that we know if you require additional support or special facilities. We also record information on ethnic origin and other protected characteristics to monitor equal opportunities.
Below we provide more detail on the different purposes your personal data is used for and any third parties this data is shared with.
UK data protection law requires us to determine a relevant legal basis for each data processing activity we undertake with your personal data, one example of a data processing activity we undertake is the sharing of personal data with statutory bodies such as HESA described above.
The lawful grounds that apply to the processing of data undertaken by the University include:
In situations where the personal data is defined as sensitive or special category data (for example ethnicity, criminal conviction information and health or medical data) we must select one of the following lawful bases in order to process it:
In the “How are you using my data and who is it shared with” section below we provide details of the different processing activities undertaken by Oxford Brookes together with their associated lawful bases.
Most of the personal data we process will have been collected directly from you; either at enrolment or as and when you use University services such as IT, libraries or sports centres.
We may also receive personal data from third parties such as UCAS, associate colleges or the Student Loans Company. Where we receive such information we always ensure that the party supplying it can lawfully share it with us.
If you applied to Oxford Brookes though UCAS we receive the following data from them:
Most personal data processed by Oxford Brookes is directly related to the administration of your studies, this includes your use of associated services such as IT, libraries and other facilities. Whilst many processing activities are conducted within Oxford Brookes we use a number of third party providers to support our day to day activities, from IT providers to our security contractors. A full list of third parties that we may share your personal data can be found at: Student Privacy Notice - addendum.
The table below lists the main purposes for which we will process your personal data together with the associated lawful basis for processing.
Providing student support services including:
- Disability and learning support services
- Careers and employment advice and services
- Health and wellbeing services
- Brookes Medical centre
Necessary for the provision of a contract
Additional information will be processed with your consent
Where not explicit above, Oxford Brookes may also share your data with the following third parties:
Yes, in some instances your personal data will be shared with third parties outside of the UK, for example the EEA, North America and Australia. Oxford Brookes will only transfer your personal data outside of the UK when one of the following conditions have been met:
You have the following rights under UK data protection law:
Your rights will depend on the legal ground used to process your data.
Please see the ICO website for further information on the above rights.
Yes, in many cases we will not be able to meet our commitments to you if we do not collect and store your personal data.
In a situation where your explicit consent is required we will make clear the specific consequence of not providing your data.
Oxford Brookes will only retain personal data for as long as necessary to:
Your personal data will be securely deleted once either of these conditions no longer apply. For more information on retention periods (the exact length of time Oxford Brookes retains each category of personal information) please refer to the University record retention schedule.
Please contact the IT Services Information Security Management team
In certain circumstances we may refer your query or concern to the University Data Protection Officer (DPO), a semi-independent role at Brookes required by UK law. If you would prefer to contact the DPO directly please email email@example.com.
The ICO is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. While we recommend that you raise any concerns or queries with us first you have the right to complain to the ICO directly if you believe Brookes is using your personal data unlawfully.
Please visit www.ico.org.uk for information on how to make a complaint or would like independent and impartial guidance on data protection and privacy.