Student privacy notice

Student Personal Data

Oxford Brookes University (the University) is the Data Controller of any personal data that you provide or we obtain with regard to your studies. This means that we will make decisions on how your data is used and for what reasons.

The purpose of this privacy notice is to:

be transparent about the information we collect and store about you and its use
comply with our obligations under UK data protection and privacy law.

The University publishes additional privacy notices applicable to other groups, facilities and activities. Subject to your circumstances, other notices may also apply to you so please read this privacy notice in conjunction with other applicable privacy notices that may be accessed via the University website.

Why do we need your data?

The majority of the personal data we hold about you is directly related to the administration of your studies with the University. This includes your use of associated services such as IT, libraries and other facilities.

The University will also use your personal data for management purposes and working to improve the student experience as well as complying with our legal obligations, for instance the University is required by law to provide limited personal data to external bodies such as Higher Education Statistics Agency (HESA) and the Office for Students (OfS, previously known as the Higher Education Funding Council for England or ‘HEFCE’).

The University will need to know if you have a disability, special need or medical condition so that we know if you require additional support or special facilities. We also record information on ethnic origin and other protected characteristics to monitor equal opportunities.

Below we provide more detail on the different purposes your personal data is used for and any third parties this data is shared with.

Lawful processing

UK data protection law requires us to determine a relevant legal basis for each data processing activity we undertake with your personal data, one example of a data processing activity we undertake is the sharing of personal data with statutory bodies such as HESA described above.

The lawful grounds that apply to the processing of data undertaken by the University include:

Consent - under certain circumstances, such as participating in third party surveys, we will only process your personal data with your explicit consent. Explicit consent requires you to make a positive, affirmative action and be fully informed as to what you are consenting to.
Necessary for the provision of a contract - much of the personal information Oxford Brookes processes is necessary to meet its commitments to you, for example processing related to teaching and assessment.
Necessary to fulfil a legal obligation - we must process your personal data when required to do so under UK law, for instance sharing information with statutory bodies like HESA and OfS or when making reasonable adjustments required by the Equality Act 2010.
Necessary to protect the vital interest of you or another person - under extreme circumstances we share your personal data with third parties to protect your interests or those of another person, for example providing medical or emergency contact information to emergency services personnel.
Processing is necessary for the performance of a public task - Oxford Brookes University is a higher education institute that will sometimes process your personal data in the public interest.
Processing is necessary for fulfilling the legitimate interests of Oxford Brookes University - Oxford Brookes has a right to pursue its own organisational interests and can process your personal data in pursuit of these providing it does not override your fundamental right to privacy. For instance, Oxford Brookes uses Google services for email and productivity applications which means your personal data may be stored on their servers. Oxford Brookes feels that using a third party to provide these services is in our interests but takes appropriate actions to ensure your privacy is respected.

In situations where the personal data is defined as sensitive or special category data (for example ethnicity, criminal conviction information and health or medical data) we must select one of the following lawful bases in order to process it:

Explicit consent (see above).
Processing is necessary for reasons of substantial public interest - for example the need to ask for criminal conviction data when applying to or studying courses with fitness to practice requirements.
Processing is necessary to establish a legal claim or administer justice - we may be required to release third parties to authorised agencies.
For research and statistical purposes - sensitive personal data about you may be used for research purposes without your explicit consent providing sufficient safeguards are in place.

In the “How are you using my data and who is it shared with” section below we provide details of the different processing activities undertaken by Oxford Brookes together with their associated lawful bases.

Where did you get my personal data from?

Most of the personal data we process will have been collected directly from you; either at enrolment or as and when you use University services such as IT, libraries or sports centres.

We may also receive personal data from third parties such as UCAS, associate colleges or the Student Loans Company. Where we receive such information we always ensure that the party supplying it can lawfully share it with us.

If you applied to Oxford Brookes though UCAS we receive the following data from them:

name,
residency status,
address,
educational qualifications and experience,
employment history,
fee payment details,
contact details,
disability & special needs,
unique learner reference number,
care leaver status
passport & visa eetails (for non-EU residents),
parental data, including contact details, qualifications and occupational background,
nationality,
personal references.

How are you using my data and who is it shared with?

Most personal data processed by Oxford Brookes is directly related to the administration of your studies, this includes your use of associated services such as IT, libraries and other facilities. Whilst many processing activities are conducted within Oxford Brookes we use a number of third party providers to support our day to day activities, from IT providers to our security contractors. A full list of third parties that we may share your personal data can be found in the Student Privacy Notice - addendum below.

The table below lists the main purposes for which we will process your personal data together with the associated lawful basis for processing.

Purpose - Teaching and Research	Lawful Basis for Processing
Recruitment and admission of students	Necessary for the provision of a contract
Widening access to University to other students. You may be invited to participate in research to encourage widening participation, or generally.	Necessary to fulfil the performance of a public task
Provisioning teaching and associated academic services including examinations	Necessary for the provision of a contract
Video recording and transmission of lectures	Necessary for the provision of a contract
Facilitating accreditation with professional & industrial bodies	Necessary for the provision of a contract
Managing and administrating students educational contracts	Necessary for the provision of a contract
Recording and managing student conduct (including disciplinary procedures, exam or course moderation)	Necessary for the provision of a contract
Maintaining student records	Necessary for the provision of a contract
Management and administration of student finance (including bursaries and scholarships)	Necessary for the provision of a contract
Data sharing with third parties to facilitate the manufacture of a certificate to evidence the achievement	Necessary for the provision of a contract
Delivering plagiarism checking and academic validation services	Necessary for the provision of a contract
Management and administering of Ethics Applications submitted	Necessary for the provision of a contract
Data sharing with third parties necessary for provision of the purposes listed above	Processing is necessary for fulfilling the legitimate interest of Oxford Brookes University

Purpose - Other	Lawful Basis for Processing
Providing services necessary for the student experience (Including Library, IT and communication services). Some telephone communications (e.g. exchanges with the IT Service Desk) may be recorded. You will be given advance notification where it is necessary to audio and/or video record a meeting or other online engagement.	Necessary for the provision of a contract
Providing support and maintenance services (including IT, estates and accommodation)	Necessary for the provision of a contract
Providing student support services including: - Disability and learning support services - Careers and employment advice and services - Health and wellbeing services - Brookes Medical centre	Necessary for the provision of a contract Additional information will be processed with your consent
Graduation (including award, classification and images published in the graduation media)	Necessary for the provision of a contract
Records of cultural life such as staff or student photos for events and occasions	Necessary for the provision of a contract
There may be ancillary processing for such as meal bookings, meeting bookings, passports for overseas events and the like	Necessary for the provision of a contract
Information sharing with host organisations in relation to student work placements (bespoke privacy notices aligned with the respective placement will be put in place prior to the start of work placements)	Necessary for the provision of a contract
Information sharing with home universities (incoming exchange students only)	Necessary for the provision of a contract
Information sharing with Brookes Union	Processing is necessary for fulfilling the legitimate interest of Oxford Brookes University
Monitoring equal opportunities	Necessary to fulfil a legal obligation
Safeguarding and promoting welfare of students	Necessary for the provision of a contract
Providing Closed Circuit Television (CCTV footage and Body Worn Video (BWV) footage as required by public authorities	Necessary to fulfil a legal obligation
Providing Closed Circuit Television (CCTV footage and Body Worn Video (BWV) footage within Oxford Brookes University, as required to address disciplinary and other matters	Necessary for the provision of a contract
Managing student accommodation	Necessary for the provision of a contract
Social media interactions including images and media posted on the University website (academic) to acknowledge and celebrate student achievements	You consent to providing it to us
Management of car parking, CCTV, BWV and security access systems	Processing is necessary for fulfilling the legitimate interest of Oxford Brookes
Providing prospective employers with confirmation of qualification and provision of references	Necessary to fulfil a public task
Your personal information can be be shared with a third party upon your request, for example to fulfill a request for a reference or if you are supported by a Union (or other) representative	You consent to providing it to us
Performing research and statistical analysis	Processing is necessary for fulfilling the legitimate interest of Oxford Brookes
Performing audits (for regulatory and legal obligations)	Necessary to fulfil a legal obligation
Providing safety and operational information	Necessary to fulfil a legal obligation
Promoting our services (e.g. summer schools, student exchanges, or other events happening on and off campus)	You consent to providing it to us
Providing careers and placement advice and services	Necessary for the provision of a contract
Preventing and detecting crime	Necessary to fulfil a legal obligation
Administration of insurance and legal claims	Necessary to fulfil a legal obligation
Assessment of Council Tax	Necessary to fulfil a public task
Complaints may be progressed to the Office of the Independent Adjudicator for Higher Education	Necessary to fulfil a legal obligation
Personal and special category data may be shared with the Brookes Data Protection Officer	Necessary to fulfil a legal obligation
Medical information and information relevant to self isolation is collated (e.g. about Coronavirus) is disseminated internally and may be shared with Government Agencies, medical professionals, families and others as necessary, as well as in accordance with the University’s Pandemic policy and public health requirements. The processing is in the legitimate interests of those involved including the wider student and staff community and may be to protect vital interests in extremis or otherwise to promote public health.	The processing is in the legitimate interests of those involved including the wider student and may be to protect vital interests in extremis or otherwise to promote public health.
Data sharing with third parties necessary for provision of the purposes listed above	Processing is necessary for fulfilling the legitimate interest of Oxford Brookes
The management of data protection subject rights requests and the associated logs	Necessary to fulfil a legal obligation

Other relevant information sharing for the purpose of statutory reporting

Where not explicit above, Oxford Brookes may also share your data with the following third parties:

The Higher Education Statistics Agency (HESA) - necessary to fulfil a legal obligation.
The Office for Students (OfS), previously known as the Higher Education Funding Council for England (HEFCE) - necessary to fulfil a legal obligation.
Education & Skills Funding Agency - necessary to fulfil a legal obligation.
Other relevant training & development agencies - necessary to fulfil a legal obligation.
Police and other law enforcement agencies - necessary to fulfil a legal obligation.
Officers of the Court - necessary to fulfil a legal obligation.
United Kingdom Visas & Immigration (a government agency) - necessary for fulfilling our legal duties as a sponsor of international students.

Will Oxford Brookes University transfer my data outside of the UK?

Yes, in some instances your personal data will be shared with third parties outside of the UK, for example the EEA, North America and Australia. Oxford Brookes will only transfer your personal data outside of the UK when one of the following conditions have been met:

You have given us explicit consent for the transfer.
The country has adequate data protection laws (this is determined by the Information Commissioner’s Office, not us).
There are adequate safeguards in place, for example international data sharing frameworks or we have sufficiently robust contracts in place with the international third party.

What privacy rights do I have in respect to the personal data you hold?

You have the following rights under UK data protection law:

the right to be informed
the right of access to your data
the right to withdraw your consent where that is the legal basis of our processing
the right to correct data
the right to ask for your data to be deleted
the right to restrict use of the data we hold
the right to data portability
the right to object to Oxford Brookes using your data

Your rights will depend on the legal ground used to process your data.

Please see the ICO website for further information on the above rights.

Are there any consequences of not providing the requested data?

Yes, in many cases we will not be able to meet our commitments to you if we do not collect and store your personal data.

In a situation where your explicit consent is required we will make clear the specific consequence of not providing your data.

Will there be any automated decision making using my data?

No, Oxford Brookes does not currently undertake any automated decision making or profiling using your personal data that falls within the scope of UK law.

How long will you keep my personal data?

Oxford Brookes will only retain personal data for as long as necessary to:

Fulfil the purpose for which the data was collected or obtained.
Fulfil our own obligations under UK law.

Your personal data will be securely deleted once either of these conditions no longer apply. For more information on retention periods (the exact length of time Oxford Brookes retains each category of personal information) please refer to the University record retention schedule.

Who can I contact if I have further questions or concerns?

Please contact the IT Services Information Security Management team

Email: info.sec@brookes.ac.uk

In certain circumstances we may refer your query or concern to the University Data Protection Officer (DPO), a semi-independent role at Brookes required by UK law. If you would prefer to contact the DPO directly please email brookesdpo@brookes.ac.uk.

What is the Information Commissioner’s Office (ICO)?

The ICO is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. While we recommend that you raise any concerns or queries with us first you have the right to complain to the ICO directly if you believe Brookes is using your personal data unlawfully.

Please visit the ICO website for information on how to make a complaint or if you would like independent and impartial guidance on data protection and privacy.

Changes to this privacy notice

We keep our privacy notice under regular review. This privacy notice was last updated on 30 June 2021.

Contact us

Information Security Management team

Office hours are 9.00am to 5.00pm, Monday to Friday

Oxford Brookes University
Headington Campus
Oxford
UK
OX3 0BP

info.sec@brookes.ac.uk

Addendum

Third Parties that Oxford Brookes University may share your data with.

Please note that the exact third parties who Oxford Brookes shares your data with will depend on your status (student, member of staff, etc) and the course you are studying.

Third party	Purpose
A1SecurityPrint	Provision of graduation certificates
Abintegro Limited	Provision of an online careers platform
Advanced (E5)	Provision of finance, procurement and accounting management software
Alfresco	Document storage platform
Aluminati Network Group	Alumni contact and collaboration platform
Amadeus	SMS service for the University staff and students abroad (a traveller tracking system that provides advice in emergency situations)
Ardington Archives	Provision of archive storage
Avinasta	Table bookings at Brookes Restaurant
Blackbaud Inc.	Provision and hosting of Alumni CRM platform (Raiser’s Edge)
BlueRunner Solutions	Catering bookings
Brookes Union	Facilitation of Brookes Union membership
Calendly LLC	Web-based meeting scheduling and productivity application that integrates with Google Calendar (and other web services)
Clarivate Analytics (Converis)	Research Project Database
CoreHR	Staff HR database
Co-Sector (University of London)	Hosting of Moodle VLE Hosting of Visa information / enrolment data (Arkivum)
Data Harvesting	International Student CRM
DotMailer	Marketing
E-days Absence Management Ltd.	Recording of holidays and absences
Ede & Ravenscroft	Provision of Graduation gowns and photographs
Education & Skills Funding Agency	Statutory reporting
Ellucian	Provision and hosting of student record system
English Language Testing Ltd.	Provision of English language password tests used to recruit, support and retain students whilst upholding academic standards
Enroly CAS SHIELD	Provision of support and preparation of Confirmation of Acceptance for Studies (CAS) for international applicants
European Mentoring and Coaching Council	Programme accreditation
Eventbrite	Event booking System
Ex-Libris	Provision of library management software
Gladstone Software	Brookes Sport membership management and billing
Google	Provision of enterprise software and Brookes data hosting provider
Google Hangouts and Google Meet	Provision of audio and video conferencing services (to include recording where necessary)
Green Inc.	Business School commercial information CRM platform
Health Education England - Intrepid Database	NHS Contract Payments
Higher Education Statistics Agency (HESA)	Statutory reporting
ideiio	Provision of access and identity management services
In-Tend Ltd.	Procurement and contract management platform
International Graduate Insight Group Limited (part of the Tribal Group)	Provider of Leavers Survey
Ipsos MORI	National Student Survey (NSS) providers
JISC	Login details may be shared with JISC as part of a pilot project concerning information security at Oxford Brookes University
JobTeaser	Provision of an online careers platform
Kortext	Provision of e-books
Layershift Ltd.	ACCA database (UK datacentre)
LinkedIn Learning	Provision of expert led online training courses on IT, Business, careers and soft skills
Liquid Web LLC	ACCA database (US datacentre)
Lorensbergs Ltd	Platform used to provide online booking for guest and visitor parking as well as audio visual equipment bookings.
Mailchimp Inc.	Marketing and Communications web platform
Mitie	Provision of University security services
OCLC	Provision and hosting of library services platform
Office for Students (OFS)	Statutory reporting
Oxinet Ltd.	PEMS - Placement Management System
Panopto	A platform used to store recorded teaching and academic contact sessions from Zoom and other lecture capture systems. It is used to distribute, display, process, and store video, audio, written, and other content
PCMIS Health Technologies Ltd	Information may be recorded in relation to any concerns about your wellbeing and/or referrals about your wellbeing
Puzzel Ltd.	Provision of telecommunications services
Qualtrics	Platform providing analytical tools for researchers
QS Enrolment Solutions (formally Hobsons)	International student enrolment services
ServiceNow Inc.	IT and Estates service management platform
Simply Do Ideas Limited	Access to an online sharing platform
SOP Hilmbauer & Mauberger GmbH & Co KG	Provision of Mobility-Online student exchange management platform
Splunk	Login details may be shared with Splunk as part of a pilot project concerning information security at Oxford Brookes University
StarRez	Provision of student accommodation management software
Student Loans Company (and overseas equivalents)	Assistance with the administration and verification of student finance and to ensure public funds are used appropriately
SurveyMonkey Inc.	Survey management
TurnitinUK	Plagiarism and validation services
Tribal (i-Graduate)	Provider of leavers survey
UCAS	Confirmation of accepting an offer to study at Brookes
University of Kent	Hosting of widening participation platform (HEAT database)
University of York	Provision and hosting of mental health case management software (PCMIS)
University of Arts London	Awarding Body for the Foundation Diploma in Art & Design
Warwick International	Provision of a platform to process occupational health records (eOPAS)
Zoom Inc.	Provision of audio and video conferencing services (to include recording where necessary)