Accessibility statement

Privacy Notice - agents 

This privacy notice is for agents submitting and managing applications on behalf of individuals intending to study at the University of York and Hull York Medical School (HYMS). It sets out the ways in which the University of York gathers, uses, stores and shares your data. It also sets out how long we keep your data and what rights you have in relation to your data under the UK General Data Protection Regulation (GDPR). 

For the purposes of this privacy notice, University of York is the Data Controller as defined in the General Data Protection Regulation. For the University’s registration with the Information Commissioner’s Office, see the Information Commissioner's Register of Fee Payers. Our registration number is: Z4855807.  

Where do we get your data from?

The organisation collects information from you in a variety of ways. These include:

  • information collected through new agent application forms and documents provided as part of a new agent application (including references, information from websites including phone number, email addresses etc.); 
  • information collected through any correspondence with you during the agent application process; 
  • information collected through any correspondence during the ongoing business relationship between the University of York and an agent;
  • information submitted via the University of York Agent Portal.

What data do we have?

Personal data including:

  • agent name, address, date of birth and contact details, including email address, telephone number and website address;
  • geographical areas in which you operate in;
  • description of services offered.

What is our legal basis for processing your data?

Typically, data will be processed:

  • on the grounds of contractual requirement e.g. for the purposes of setting your agent account, making commissions payments and managing your portfolio of applicants and students and;
  • to monitor equality and diversity.

How do we use your data?

The University will process your personal data for the following purposes:

  • to enable the ongoing business relationship with you;
  • to enable effective communication with you; 
  • to process commission claims;
  • to ensure effective general recruitment and admissions administration, including the analysis of applicant numbers and trends to improve our administrative processes;
  • to provide evidence that the University has met UKVI requirements in relation to the Tier 4 sponsorship guidance;
  • to respond to and defend against legal claims.

Who do we share your data with?

The University may share your data with:

  • third parties that process data on behalf of the University to support it in fulfilling its obligations and responsibilities to and relationship with you (eg software and system providers);
  • HYMS, International Pathway College (IPC) or third parties (such as Kaplan) in relation to the admissions process.

How do we keep your data secure?

The University takes information security extremely seriously and has implemented appropriate technical and organisational measures to protect personal data and special category data. Access to information is restricted on a need-to-know basis and security arrangements are regularly reviewed to ensure their continued suitability. Access to information is restricted on a need-to-know basis and security arrangements are regularly reviewed to ensure their continued suitability. For further information please see our IT Security webpages.

How do we transfer your data safely internationally?

In certain circumstances, it is necessary to transfer your Personal Data outside the European Economic Area. In respect of such transfers, the University will comply with our obligations under UK GDPR and ensure an adequate level of protection for all transferred data. 

How long will we keep your data?

The University will retain your data in line with legal requirements or where there is a business need. Retention timeframes will be determined in line with the University’s Records Retention Schedule.

What rights do you have in relation to your data?

Under the UK General Data Protection Regulation, you have a right of access to your data, a right to rectification, erasure (in certain circumstances), restriction, objection or portability (in certain circumstances). You also have a right to withdraw consent. If you would like to exercise any of these rights please contact For further information see our guidance on your rights under UK GDPR.

Questions or concerns

If you have any questions about this privacy notice or concerns about how data is being processed, please contact the University’s Data Protection Officer at

Right to complain

If you are unhappy with the way in which the University has handled your personal data, you have a right to complain to the Information Commissioner’s Office. For information on reporting a concern to the Information Commissioner’s Office, see their complaints guidance

Changes to our privacy notice

We keep our privacy notice under regular review. This notice was last updated on 14th July, 2021.