Privacy notice
About this notice
We ask that you read this privacy notice carefully as it contains important information on who we are, how and why we collect, store, use and share personal data, your rights in relation to your personal data and on how to contact us and supervisory authorities in the event that you have a query or complaint.
The University of Warwick (“We”) are committed to protecting the privacy and security of personal data. The purpose of this notice is to promote transparency in the use of personal data, and to outline how we collect and uses personal data during and after your working or visiting relationship with us, in accordance with the UK General Data Protection Regulation 2016 (“UK GDPR”) and the Data Protection Act 2018 (“DPA 2018”).
We collect, use and are responsible for certain personal data about you. This is known as “processing”. When we do so we are regulated under the UK GDPR and DPA 2018 which applies across the UK and we are responsible as ‘data controller’ of that personal data for the purposes of those laws.
The purpose of this notice is to explain how we will collect and use (process) your personal data, what rights you have in relation to that data and to provide transparency about the data collected about you.
Contents
- Why we collect personal data
- The Personal Data we collect and use
- How we obtain your Personal Data
- Purpose and Associated Lawful Basis
- Lawful basis for processing your Personal Data under the UK GDPR and DPA 2018
- Special Category Data
- Data Sharing
- Transfers of data outside the UK
- Retention of your Personal Data
- Data Subject Rights
- Keeping your Personal Data Secure
- How to Contact Us
- Changes to this Privacy Notice
Why we collect personal data
ThinkHigher, (hosted by University of Warwick in partnership with Coventry University, Coventry City Council, Warwickshire County Council, North Warwickshire and Hinckley College and Coventry and Warwickshire Local Enterprise Partnership), undertakes outreach activities with schools, colleges and communities across Coventry and Warwickshire, to support progression and widen participation into higher education. This is part of our partnership’s commitment to open opportunities and transform lives, as well as part of government policy to widen participation in higher education, as overseen by the Office for Students.
We collect details of individuals taking part in our activities for the following reasons:
- To plan activities
- To monitor participation in activities
- To evaluate and report on the effectiveness and impact of our outreach activities
- To understand the student journey through education and progression to HE/future careers
Under data protection law we are able to process this data because it is necessary for a task carried out in the public interest.
The personal data we collect and use
The following are examples of personal data which may be collected, stored and used:
- Full name
- Date of birth
- Address including postcode
- School/college name
- Unique learner ID
- Gender
- Ethnicity
- Refugee or asylum seeker status
- School attendance data
- Disability/SEN
- Looked after child
- Young carer status
- Year/Tutor group
- Educational attainment and progress scores
- 1st generation Higher Education
- Pupil premium/free school meals status
- Home phone number and parent/carer email
- Military service family status
If you are asked to provide any sensitive information about yourself, such as your ethnicity, health/disability status, religion, or sexual orientation, this is used solely for research purposes and for equalities monitoring, both by ThinkHigher and as part of wider national research projects. Any other uses of this sensitive information (e.g. to make accessibility adjustments or otherwise facilitate your attendance) require your consent, which is given by you providing us with the information. The supply of such information will often be optional.
Some of your information you are legally or contractually obliged to provide. If you decline to provide the information to us we may not be able to provide services to you or to meet our legal obligations.
How we obtain your personal data
Personal data of individuals taking part in our activities is typically collected directly from you, or via schools and colleges for evaluation and research purposes.
Purpose and Associated Lawful Basis
| Purpose |
Lawful Basis |
| Providing professional services |
Legitimate interest to deliver a professional service to clients and relevant individuals |
| Ensuring the safety and security of ThinkHigher, its people and facilities |
Compliance with a legal obligation |
| Registering you as a visitor to our site |
Compliance with a legal obligation |
| Issuing identity access cards to visitors |
Legitimate interest of maintaining security whilst allowing visitors access to relevant areas |
| To monitor your use of our information and communication systems to ensure compliance with our IT policies, where applicable |
Legitimate interest of ensuring proper usage and network security of University IT systems |
| Providing visitor parking permits |
Performance of a contract |
| Business management and planning, including accounting and auditing |
Compliance with a legal obligation and/or legitimate interest of sound management of the business of the University |
| To prevent fraud |
Compliance with a legal obligation or legitimate interests |
Lawful basis for processing your Personal Data under the UK GDPR and DPA 2018
Personal data will only be processed when the law permits this to happen. Most commonly personal data will be processed in the following circumstances:
- Where you have given us your consent.
- In order to fulfil our obligations to you as part of any contract we have with you.
- Where we need to comply with a legal obligation; where it is necessary for our legitimate interests (or those of a third party), and your interests and fundamental rights do not override those interests. Our interests are the effective and efficient operation of the organisation.
- To protect the vital interests of you or of another person (for example, in the case of a medical emergency).
- In order to perform a task carried out in the public interest.
Special Category Data
We may only process special category personal data in the following circumstances where, in addition to a lawful basis for processing, there exists one of the following grounds:
- Explicit consent – where you have given us explicit consent.
- Legal obligation – where the processing is necessary for us/you to carry out/exercise obligations and rights of a legal nature
- Vital interests – the processing is necessary in order to protect the vital interests of you or another individual where you are physically or legally incapable of giving consent. This is typically limited to processing needed for medical emergencies.
- Not for profit bodies – the processing is carried out in the course of the legitimate activities of a not-for-profit body and only relates to members or related persons and the personal data is not disclosed outside that body without consent.
- Public information – the processing relates to personal data which is manifestly made public by you.
- Legal claims – the processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
- Substantial public interest – the processing is necessary for reasons of substantial public interest, on the basis of law.
- Healthcare – the processing is necessary for healthcare purposes and is subject to suitable safeguards.
- Public health – the processing is necessary for public health purposes and is based on law.
- Archive – the processing is necessary for archiving, scientific or historical research purposes, or statistical purposes and is based on law. Member States can introduce additional conditions in relation to health, genetic, or biometric data.
In limited circumstances we may contact you about processing of particularly sensitive data. In such circumstances we will provide you with full details of the information needed and the reason it is needed. Where you may have provided your consent to the collection, processing and transfer of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Individuals need to write to infocompliance@warwick.ac.uk to withdraw their consent. Once we have been notified that you have withdrawn your consent, we will no longer process your data for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law. If the latter is the case we will inform you of this legitimate basis.
We will only use personal data for the purposes for which it was collected unless it considers reasonably that it is needed for another purpose and the reason is compatible with the original purpose. If the University needs to use your personal data for an unrelated purpose, it will notify you and will explain the legal basis that permits it to do so. The University may process your personal data without your knowledge or consent, where this is permitted by law.
Data Sharing
We may share your personal data with third parties where required by law, where it is necessary to administer our relationship with you or where there is another legitimate interest in so doing including, but not limited to, for joint appointments with other external organisations.
Transfers of data outside of the UK
If we have to transfer any of your personal data outside the UK we will let you know if the receiving country or organisation is deemed to have adequate data protection provision. Where a country or organisation does not have adequate protections we will put safeguards in place. Details of these safeguards can be provided to you upon request to Legal and Compliance Services.
Retention of your Personal Data
The UK GDPR and DPA 2018 require that personal data should be kept for no longer than is necessary for the purposes for which the personal data are processed (except in certain specific and limited instances).
In order to evidence the impact of activities over time without having to ask you further questions, we will hold your data for a maximum of 17 years. Data will be stored securely in HEAT (Higher Education Access Tracker) to enable us to investigate the effect of outreach on young people’s long-term outcomes, including employment and also enable us to support you during your educational trajectory if required.
The University of Warwick’s Record Retention Schedule (RRS) is a tool that enables the University to transparently demonstrate how the organisation complies with its data protection obligations by making provision for the time periods for which common classes of record are retained by UoW.
Full details of the retention periods of records can be found by viewing the records management page and selecting the University’s Record Retention Schedule (RRS), which is kept up to date separately.
Data Subject Rights
Under the UK GDPR and DPA 2018 you have a number of important rights free of charge.
You have the right to:
- Be informed of how we collect and use your personal data
- Access your personal data
- Require us to correct any mistakes in the data we hold on you
- Require the erasure of personal data concerning you in certain situations
- Restrict our processing of your personal data in certain circumstances
- Receive your personal data, in a structured, commonly used and machine-readable format and have the right to transmit those data to a third party in certain situations
- Object in certain situations to our continued processing of your personal data or at any time to processing of your personal data for direct marketing; and
- Object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you.
Find out more about how to exercise any of these rights. If a subject access request is made and the request for access is clearly unfounded or excessive, the University reserves the right to refuse to comply with the request in these circumstances.
Keeping your Personal Data Secure
The University of Warwick keeps your personal data secure at all times using organisational, physical and technical measures.
Where appropriate, we also take measures such as anonymisation to ensure data cannot be used to identify you and/or encryption to ensure that the data cannot be accessed without the right security accesses and codes.
Where we engage a third party to process personal data we will do so on the basis of a written contract which conforms to the security requirement of the UK GDPR.
We take measures to enable data to be restored and accessed in a timely manner in the event of a physical or technical incident.
We also ensure that we have appropriate processes in place to test the effectiveness of our security measures.
How to Contact Us
We hope that our Data Protection Officer (DPO) can resolve any query, concern or complaint you raise about our use of your personal data on the contact details below:
The DPO can be contacted via e-mail at infocompliance@warwick.ac.uk.
Or write to:
The Data Protection Officer
Legal and Compliance Services
University of Warwick
University House
Kirby Corner Road
CV4 8UW
The UK GDPR and DPA 2018 also gives you the right to lodge a complaint with the Information Commissioner who may be contacted at https://ico.org.uk/concerns/ or telephone: [0303 123 1113].
Changes to this Privacy Notice
This privacy notice was published May 2023. We may change this privacy notice from time to time, so please do refer back to this page frequently to ensure you are aware of any amendments. Last revised: 25 May 2023.