Appendix 11: Privacy Notice
This privacy notice applies to current students and applicants who have accepted offers from Merton College.
A summary of what this notice explains
Merton College is committed to protecting the privacy and security of personal data.
This notice explains what personal data Merton College holds about you, how we use it internally, how we share it, how long we keep it and what your legal rights are in relation to it.
For the parts of your personal data that you supply to us, this notice also explains the basis on which you are required or requested to provide the information. For the parts of your personal data that we generate about you, or that we receive from others, it explains the source of the data.
There are some instances where we process your personal data on the basis of your consent. This notice sets out the categories and purposes of data where your consent is needed.
Merton College has also published separate notices, which are applicable to other groups and activities. Those notices may also apply to you, depending on your circumstances, and it is important that you read this privacy notice together with other applicable privacy notices, available at www.merton.ox.ac.uk/privacy:
- applicants and prospective students
- alumni and donors (including what financial information we hold about our alumni and how we use it when considering fundraising initiatives)
- archives (which explains what data we hold about former students in our archive)
- security, maintenance and health and safety (including how we use CCTV)
- website and cookies (including how we monitor use of our website)
- IT systems (including how we monitor internet and email usage)
- staff (which may be relevant, for example, if you are a graduate student or tutor)
What is your personal data and how does the law regulate our use of it?
“Personal data” is information relating to you as a living, identifiable individual. We refer to this as “your data”.
“Processing” your data includes various operations that may be carried out on your data, including collecting, recording, organising, using, disclosing, storing and deleting it.
Data protection law requires us:
- To process your data in a lawful, fair and transparent way;
- To only collect your data for explicit and legitimate purposes;
- To only collect data that is relevant, and limited to the purpose(s) we have told you about;
- To ensure that your data is accurate and up to date;
- To ensure that your data is only kept as long as necessary for the purpose(s) we have told you about;
- To ensure that appropriate security measures are used to protect your data.
Merton College’s Contact Details
If you need to contact us about your data, please contact:
Data Protection Officer
Telephone: 01865 276310
Data that you provide to us and the possible consequences of you not providing it
The provision of most data that you provide to us is a contractual requirement. If you do not provide us with information that you are contractually obliged to provide, the consequences will depend on the particular circumstances. In some cases we may not be able to provide you with certain services; in other cases, this could result in disciplinary action or the termination of your contract.
Other sources of your data
Apart from the data that you provide to us, we may also process data about you from a range of sources. These include:
- Data that we and our staff generate about you, such as during tutorials and in connection with your attendance and accommodation at Merton College;
- The University of Oxford, which operates a number of systems that Colleges have access to, including access to your examination results, fees outstanding, degree ceremony bookings, emergency contact details, student loan status, “right to work” checks and visa information, disability information and reports by supervisors;
- Your school or previous educational establishments or employers if they provide references to us;
- Fellow students, family members, friends, visitors to Merton College and other contacts who may provide us with information about you if and when they contact us, or vice versa.
The lawful basis on which we process your data
The law requires that we provide you with information about the lawful basis on which we process your personal data, and for what purposes.
Most commonly, we will process your data on the following lawful grounds:
- Where it is necessary to perform the contract we have entered into with you;
- Where it is necessary for the performance of a task in the public interest;
- Where it is necessary to comply with a legal obligation;
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
We may also use your data, typically in an emergency, where this is necessary to protect your vital interests, or someone else’s vital interests. In a small number of cases where other lawful bases do not apply, we will process your data on the basis of your consent.
How we apply further protection in the case of “Special Categories” of personal data
"Special categories" of particularly sensitive personal data require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal data.
The Special Categories of personal data consist of data revealing:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership.
They also consist of the processing of:
- genetic data;
- biometric data for the purpose of uniquely identifying someone;
- data concerning health;
- data concerning someone's sex life or sexual orientation.
We may process special categories of personal data in the following circumstances:
- With your explicit written consent; or
- Where it is necessary in the substantial public interest, in particular:
  - where it is necessary for the purposes of the prevention or detection of an unlawful act and must be carried out without the consent of the data subject so as not to prejudice those purposes; or
  - for equal opportunities monitoring;
- Where the processing is necessary for archiving purposes in the public interest, or for scientific or historical research purposes, or statistical purposes, subject to further safeguards for your fundamental rights and interests specified in law.
We have in place an appropriate policy document and other safeguards which we are required by law to maintain when processing such data.
Less commonly, we may process this type of data where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else's interests) and you are not capable of giving your consent, or where you have already made the data public.
Criminal convictions and allegations of criminal activity
Further legal controls apply to data relating to criminal convictions and allegations of criminal activity. We may process such data on the same grounds as those identified for “special categories” referred to above.
Details of our processing activities, including our lawful basis for processing
We have prepared a detailed table setting out the processing activities that we undertake, the source of the data, the reasons why we process it, how long we keep it and the lawful basis we rely on.
The table includes detailed information about how and why we process various categories of data, and the related lawful basis including:
- Details of which course you are studying
- Other data that is necessary to the operation of the Merton College/student contract or to the functioning of Merton College including:
  - any data about you contained in your assessed work, our assessments of your work and details of any qualifications you are awarded;
  - details of any disciplinary complaints or decisions about you;
  - your contact and accommodation details;
  - any communications you have with us, and any communications we generate about you, for example if you ask us to defer your studies to a later academic year;
  - details of any payments that you make to us, including your bank/payment card details.
- Data you and others sent us when you applied to us (including information sent to us via UCAS and your predicted grades). This includes your academic record and personal statement which we use to assess your application;
- Details of any relevant criminal convictions, allegations or charges that we ask you to declare to us either when you apply to us, or whilst you are a student, or which are reported to us, and of any Disclosure and Barring Service checks that we request. Relevant criminal convictions or charges are those that indicate an applicant or student might pose an unacceptable risk to other students or staff.
More information is available for undergraduate admissions at www.ox.ac.uk/admissions/undergraduate/applying-to-oxford/decisions/criminal-convictions and for graduate admissions at www.ox.ac.uk/admissions/graduate/applying-to-oxford/university-policies/criminal-convictions.
- Information that you voluntarily provide to us about any disabilities or health conditions you have, and about your age, ethnicity, gender, religion and belief, and/or sexual orientation. You may also provide this information to us as part of the equality monitoring that we undertake pursuant to our legal obligations under the Equality Act 2010.
- Where you inform us of a health condition or disability, we will take this information into account when considering whether to make a reasonable adjustment under equality law and in other cases where we are legally required to.
- Data about you that we have to collect by law (for example where UK immigration law requires us to record information about you, or to report it to the immigration authorities);
- Data that we voluntarily provide about you, either whilst you are a student or after you graduate, for example if you ask us for a reference.
- Bank and other payment details, where we need to reimburse you, or where you provide such details to us when making a payment.
How we share your data
We will not sell your data to third parties. We will only share it with third parties if we are allowed or required to do so by law. This includes for example:
- where we are required to report information about students that are subject to visa controls to UK Visas and Immigration;
- where we are required to report information to the University of Oxford in order for it to fulfil its obligations to report information to the Higher Education Statistics Agency or its successor body in order to comply with regulatory obligations;
- where we decide to report alleged criminal misconduct to the police.
It also includes disclosures where the third party is an agent or service provider appointed by the College to enable us to operate effectively, provided we are satisfied that appropriate safeguards have been put in place to ensure adequate levels of security for your data. All our third party service providers are required to take appropriate security measures to protect your personal information in line with our policies, and are only permitted to process your personal data for specific purposes in accordance with our instructions. We do not allow our third party providers to use your personal data for their own purposes.
More information on the categories of recipients of your data is set out in a table.
We do not envisage that any decisions will be taken about you based solely on automated means; however, we will notify you in writing if this position changes.
Sharing your data outside the European Union
The law provides various further safeguards where data is transferred outside of the EU.
When you are resident outside the EU in a country where there is no “adequacy decision” by the European Commission, and an alternative safeguard is not available, we may still transfer data to you which is necessary for performance of your contract with us, or to take pre-contractual measures at your request.
We may transfer your data outside the European Union, but only for the purposes referred to in this notice and provided either:
- There is a decision of the European Commission that the level of protection of personal data in the recipient country is adequate; or
- Appropriate safeguards are in place to ensure that your data is treated in accordance with UK data protection law, for example through the use of standard contractual clauses; or
- There is an applicable derogation in law which permits the transfer in the absence of an adequacy decision or an appropriate safeguard.
How long we keep your data
The detailed table of processing activities explains how long we will keep your data. In some cases student data is retained permanently for archiving and/or research purposes, as explained in the table. Merton College’s privacy notice relating to its archives has further detail about the information retained in the archive and your rights when data is archived.
Please note that we may keep anonymised statistical data indefinitely, but you cannot be identified from such data.
Your legal rights over your data
Subject to certain conditions set out in UK data protection law, you have:
- The right to request access to a copy of your data, as well as to be informed of various information about how your data is being used;
- The right to have any inaccuracies in your data corrected, which may include the right to have any incomplete data completed;
- The right to have your personal data erased in certain circumstances;
- The right to have the processing of your data suspended, for example if you want us to establish the accuracy of the data we are processing.
- The right to receive a copy of data you have provided to us, and have that transmitted to another data controller (for example, another University or College).
- The right to object to any direct marketing (for example, email marketing or phone calls) by us, and to require us to stop such marketing.
- The right to object to the processing of your information if we are relying on a “legitimate interest” for the processing or where the processing is necessary for the performance of a task carried out in the public interest. The lawful basis for any particular processing activity we carry out is set out in our detailed table of processing activities.
- The right to object to any automated decision-making about you which produces legal effects or otherwise significantly affects you.
- Where the lawful basis for processing your data is consent, you have the right to withdraw your consent at any time. When you tell us you wish to exercise your right, we will stop further processing of such data. This will not affect the validity of any lawful processing of your data up until the time when you withdrew your consent. You may withdraw your consent by contacting the relevant part of the University that you are dealing with or that is processing your data.
Further guidance on your rights is available from the Information Commissioner’s Office. You may also wish to contact the College’s Data Protection Officer (see contact details above) if you are considering how or whether to exercise your rights.
You have the right to complain to the UK’s supervisory office for data protection, the Information Commissioner’s Office, if you believe that your data has been processed unlawfully.
Future changes to this privacy notice, and previous versions
We may need to update this notice from time to time, for example if the law or regulatory requirements change, if technology changes, if the University makes changes to its procedures, or to make Merton College’s operations and procedures more efficient. If the change is material, we will give you not less than two months’ notice of the change so that you can decide whether to exercise your rights, if appropriate, before the change comes into effect. We will notify you of the change by email and via the student intranet.
You can access past versions of our privacy notices at www.merton.ox.ac.uk/privacy/archive.