Privacy Notice - agents 

The organisation collects information from you in a variety of ways. These include:

• information collected through new agent application forms and documents provided as part of a new agent application (including references, information from websites including phone number, email addresses etc.); 
• information collected through any correspondence with you during the agent application process; 
• information collected through any correspondence during the ongoing business relationship between the University of York and an agent;
• information submitted via the University of York Agent Portal.

Personal data including:

• agent name, address, date of birth and contact details, including email address, telephone number and website address;
• geographical areas in which you operate in;
• description of services offered.

Typically, data will be processed:

• on the grounds of contractual requirement e.g. for the purposes of setting your agent account, making commissions payments and managing your portfolio of applicants and students and;
• to monitor equality and diversity.

The University will process your personal data for the following purposes:

• to enable the ongoing business relationship with you;
• to enable effective communication with you; 
• to process commission claims;
• to ensure effective general recruitment and admissions administration, including the analysis of applicant numbers and trends to improve our administrative processes;
• to provide evidence that the University has met UKVI requirements in relation to the Tier 4 sponsorship guidance;
• to respond to and defend against legal claims.

The University may share your data with:

• third parties that process data on behalf of the University to support it in fulfilling its obligations and responsibilities to and relationship with you (eg software and system providers);
• HYMS, International Pathway College (IPC) or third parties (such as Kaplan) in relation to the admissions process.

The University maintains a high standard of information security. Access to information and systems for all users are restricted on a need-to-know basis, and security arrangements are reviewed to ensure their continued suitability. For further information see, our IT security webpages.

In certain cases, your personal data will be transferred outside the UK. For these transfers, the University will always comply with UK GDPR obligations and use necessary safeguards to protect your data.

The University will only keep your data as long as necessary to meet legal requirements or satisfy a defined business need. Specific retention timeframes are set out in the University’s Records Retention Schedule.

Under the UK GDPR, you have a right of access to your data, a right to rectification, erasure (in certain circumstances), restriction of processing, objection or portability (in certain circumstances). You also have a right to withdraw consent, and rights relating to automated decision making. For more information see Individuals’ Rights.

If you have any queries about this privacy notice or about how your data is being processed, please contact the University’s Information Governance Team at dataprotection@york.ac.uk.

If you wish to make a data protection complaint, please contact the University’s Data Protection Officer at dataprotection@york.ac.uk.

If you are unhappy with the way in which the University has handled your personal data, you also have a right to complain to the Information Commissioner’s Office (ICO).

We keep our privacy notice under regular review. This notice was last updated on 16 June 2026.