Accessibility statement

University of York General Privacy Notice

This general privacy notice is for any individual who provides personal data or special category data to the University of York. It should be read in conjunction with the tailored information provided in this statement by the department that will gather your data. 

For the purposes of this privacy notice, University of York is the Data Controller as defined in the General Data Protection Regulation. We are registered with the Information Commissioner’s Office (ICO) and our entry can be found here on the ICO website. Our registration number is: Z4855807.  

How we use your personal information

Please find below some more details about the ways in which SUCI deals with personal data, explaining:

  • The type of personal information collected and stored by SUCI
  • How data is collected
  • How information is kept secure
  • How long we will keep your data
  • Your rights concerning personal data
  • Confidentiality & how to withdraw your data from SUCI
  • Who to contact if you have any questions or concerns
  • How to make a complaint.

The types of personal data we collect

  • Name (surname, forename)
  • Contact details
  • Information regarding the types of forum activities you wish to participate in
  • Information regarding the types of relevant experiences you have had in relation to health services
  • Information regarding protected characteristics or demographics where this is relevant to the activities you wish to participate in.

How data is collected

The data will be collected through your own completion of the initial form, and the answers you give during a telephone interview with a member of the SUCI group following receipt of your form. This information will be electronically recorded and will be stored in University of York approved storage services. Additional data regarding protected characteristics or demographic information may be requested and stored where relevant to activities undertaken.

How information is kept secure

The University takes information security extremely seriously and has implemented appropriate technical and organisational measures to protect personal data and special category data. Access to information is restricted on a need-to-know basis and security arrangements are regularly reviewed to ensure their continued suitability. For further information see the University's IT Security webpage. 

What is the legal basis for SUCI collecting and using personal and special category data and what permissions do SUCI have?

Under the General Data Protection Regulation (GDPR), the University of York has to identify a legal basis for processing personal data, and an additional legal basis for processing special category data. In line with the University’s charter, which states that we advance learning and knowledge by teaching and research, the University processes personal data for research purposes under Article 6 (1) (e) of the GDPR:

Processing is necessary for the performance of a task carried out in the public interest

Special category data is processed under Article 9 (2) (j):

Processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes

In line with ethical expectations, and to comply with common law duty of confidentiality, SUCI will seek your consent to participate where appropriate. This consent is not, however, our legal basis for processing data under the GDPR. 

What and who is the data controller?

A data controller is an organisation that has full authority to decide how and why personal data are processed; this includes using, storing and deleting data. The University of York is the data controller for SUCI. 

How long will we keep your data?

The University will retain your data in line with legal requirements or where there is a business need. Retention timeframes will be determined in line with the University’s Records Retention Schedule. You may choose to have the data removed at any time (please see below).  

What rights do you have in relation to your data?

Under the General Data Protection Regulation, you have a right of access to your data, a right to rectification, erasure (in certain circumstances), restriction, objection or portability (in certain circumstances). You also have a right to withdraw consent. For all requests, see the individual rights page of the University GDPR webpage.  

You may choose to have your data removed from our database at any time. If you wish for us to remove your data or view the data we hold about you, please email, clearly stating your request to view or remove data.

Will information be kept confidential?

All information held by SUCI is kept in accordance with the Data Protection Act. 

Questions or concerns

If you have any questions about this privacy notice or concerns about how your data is being processed, please contact the SUCI forum in the first instance ( or the University’s Data Protection Officer at

Right to complain

If you are unhappy with the way in which the University has handled your personal data, you have a right to complain to the Information Commissioner’s Office. For information on reporting a concern to the Information Commissioner’s Office, see

Department of Health Sciences, University of York.

University of York legal statements.