Accessibility statement

Privacy notice - Access & Outreach Pre-Entry Bursaries

This privacy notice is for individuals who apply for any Access and Outreach pre-entry bursaries . It sets out the ways in which the University of York gathers, uses, stores and shares your data. It also sets out how long we keep your data and what rights you have in relation to your data under the UK General Data Protection Regulation (GDPR). 

For the purposes of this privacy notice, University of York is the Data Controller as defined in the UK GDPR . For the University’s registration with the Information Commissioner’s Office, see the Information Commissioner's Register of Fee Payers. Our registration number is: Z4855807.   

Where do we get your data from?

The organisation collects information about you in a variety of ways. These include:

  • initial bursary application form;
  • payment details form (successful applicants only);
  • information collected through any correspondence with you during the application process.

Information relating to you (verifying you are an independent student) may also be provided to us by third parties e.g. your foster carer or support worker.

What data do we have?

Personal data including:

  • your name, email address, address, date of birth; 
  • supporting personal statement (that may include information about your background);
  • financial details including bank account number and sort code for the purpose of making a bursary payment to you.

What is our legal basis for processing your data?

The University needs to collect and process personal data about applicants for the pre-entry bursaries in order to fulfil the functions of a bursary provider. The organisation may also need to process data from a care experienced or estranged student to respond to and defend against legal claims.

Typically, data will be processed:

  • on the grounds of contractual requirement or to take steps to enter into a contract with you eg to provide you with a pre-entry bursary
  • because it is necessary for the performance of a task carried out in the public interest (for information on our public task see our function as set out in our charter). 

How do we use your data?

The University may process your personal data (including special category data) for the following purposes:

  • to administer pre-entry bursary applications  
  • to administer the financial aspects of our relationship with you including processing successful bursary payments made by the University to you;
  • to ensure effective general recruitment and administration, including the analysis of applicant numbers and trends to improve our administrative processes.

Who do we share your data with?

The University may share your data with:

  • Employees within the Student Finance department at the University;  
  • The named professional you state on your bursary application form, to verify your status as a care experienced or estranged student.

How do we keep your data secure?

The University takes information security extremely seriously and has implemented appropriate technical and organisational measures to protect personal data and special category data. Access to information is restricted on a need-to-know basis and security arrangements are regularly reviewed to ensure their continued suitability. For further information please see our IT Security webpages.

How do we transfer your data safely internationally?

In certain circumstances, it is necessary to transfer your Personal Data (including Special Category Data) outside the UK. In respect of such transfers, the University will comply with our obligations under UK  GDPR and ensure an adequate level of protection for all transferred data.

How long will we keep your data?

The University will retain your data in line with legal requirements or where there is a business need. Retention timeframes will be determined in line with the University’s Records Retention Schedule.

What rights do you have in relation to your data?

Under the UK GDPR , you have a right of access to your data, a right to rectification, erasure (in certain circumstances), restriction, objection or portability (in certain circumstances). You also have a right to withdraw consent. If you would like to exercise any of these rights, please contact For further information see our guidance on your rights under UK GDPR.

Questions or concerns

If you have any questions about this privacy notice or concerns about how your data is being processed, please contact the University’s Data Protection Officer at

Right to complain

If you are unhappy with the way in which the University has handled your personal data, you have a right to complain to the Information Commissioner’s Office. For information on reporting a concern to the Information Commissioner’s Office, see their complaints guidance.

Changes to our privacy notice

We keep our privacy notice under regular review. This notice was last updated on 13th October, 2021.