The organisation collects information about you in a variety of ways. These include:

• initial bursary application form;
• payment details form (successful applicants only);
• information collected through any correspondence with you during the application process.

Information relating to you (verifying you are an independent student) may also be provided to us by third parties e.g. your foster carer or support worker.

Personal data including:

• your name, email address, address, date of birth; 
• supporting personal statement (that may include information about your background);
• financial details including bank account number and sort code for the purpose of making a bursary payment to you.

The University needs to collect and process personal data about applicants for the pre-entry bursaries in order to fulfil the functions of a bursary provider. The organisation may also need to process data from a care experienced or estranged student to respond to and defend against legal claims.

Typically, data will be processed:

• on the grounds of contractual requirement or to take steps to enter into a contract with you eg to provide you with a pre-entry bursary
• because it is necessary for the performance of a task carried out in the public interest (for information on our public task see our function as set out in our charter). 

The University may process your personal data (including special category data) for the following purposes:

• to administer pre-entry bursary applications  
• to administer the financial aspects of our relationship with you including processing successful bursary payments made by the University to you;
• to ensure effective general recruitment and administration, including the analysis of applicant numbers and trends to improve our administrative processes.

The University may share your data with:

• Employees within the Student Finance department at the University;  
• The named professional you state on your bursary application form, to verify your status as a care experienced or estranged student.

The University maintains a high standard of information security. Access to information and systems for all users are restricted on a need-to-know basis, and security arrangements are reviewed to ensure their continued suitability. For further information see, our IT security webpages.

In certain cases, your personal data will be transferred outside the UK. For these transfers, the University will always comply with UK GDPR obligations and use necessary safeguards to protect your data.

The University will only keep your data as long as necessary to meet legal requirements or satisfy a defined business need. Specific retention timeframes are set out in the University’s Records Retention Schedule.

Under the UK GDPR, you have a right of access to your data, a right to rectification, erasure (in certain circumstances), restriction of processing, objection or portability (in certain circumstances). You also have a right to withdraw consent, and rights relating to automated decision making. For more information see Individuals’ Rights.

If you have any queries about this privacy notice or about how your data is being processed, please contact the University’s Information Governance Team at dataprotection@york.ac.uk.

If you wish to make a data protection complaint, please contact the University’s Data Protection Officer at dataprotection@york.ac.uk.

If you are unhappy with the way in which the University has handled your personal data, you also have a right to complain to the Information Commissioner’s Office (ICO).

We keep our privacy notice under regular review. This notice was last updated on 16 June 2026.