Privacy notice - higher and degree apprenticeship applicants

The organisation collects information about you in a variety of ways. These include:

• information collected through application forms and documents provided as part of an application; 
• information collected through any correspondence with you during the application process; 
• information obtained during initial assessment interview; 

from information provided to us by third parties, such as the Learning Records Service and the Disclosure and Barring Service (DBS).

Personal data including:

• your name, address, date of birth and contact details, including email address and telephone number;
• details of your qualifications, skills, experience and employment history, including start and end dates, with previous employers;
• details of your current employer;
• information about your entitlement to study in the UK, if you are required to provide it;
• proof of identity documents.

Special category data including information about disability, health, gender identity, ethnicity and racial origin.  

Criminal conviction and offences data  at the point of application for regulated programmes e.g. medicine, nursing, teaching,  social work (spent and unspent).

The University needs to process personal data during the admissions process and keep records of that process. Processing data from applicants allows the organisation to manage the admissions process, assess and confirm an applicant's suitability for a program of study and decide to whom to offer a program of study. The organisation may also need to process data from an admissions application to respond to and defend against legal claims.

Typically, data will be processed:

• on the grounds of contractual requirement or to take steps to enter into a contract with you eg to offer you a place on a program of study at the University;
• because it is necessary for the performance of a task carried out in the public interest (for information on our public task see our function as set out in our charter; 
• because it is necessary for our or a third party’s legitimate interests;
• to allow us to comply with our legal obligations; 
• to protect your or another person’s vital interests;
• to monitor equality and diversity; 
• because you have given us your consent or, in the case of special category data, your explicit consent.  

The University may process your personal data (including special category data) for the following purposes:

• to operate admissions recruitment and selection processes;
• to form the basis of a student record, should you be offered a place of study at the University;
• to enable effective communication with you as an applicant; 
• to check, where necessary, that applicants are eligible to work with children, patients and other vulnerable adults;
• to ensure effective general recruitment and admissions administration, including the analysis of applicant numbers and trends to improve our administrative processes;
• to compile statistical and personal returns for reporting purposes;
• to maintain and promote equality and diversity;
• to respond to and defend against legal claims; 
• to meet the audit requirements of funding providers. 

Criminal conviction and offences data will be processed to:

• assess whether admission can be granted or whether it may only be granted with possible conditions/restrictions, in order to manage risk;
• to ensure that the University’s campus (including both on-site and online) is a safe environment for all applicants, staff, students and visitors.

The University may share your data with:

• Disclosure and Barring Service (DBS), for the purpose of making criminal record checks;
• Atlantic Data, for the purpose of making criminal record checks;
• OHWorks, for the purpose conducting health checks to ensure you are fit to enrol at the University and fit for practice placements;
• Higher Education Statistics Agency (HESA), for the purpose of data reporting;
• Department for Education (DfE);
• OFSTED;
• National Health Service (NHS) partners;
• QS Enrolment Solutions (QSES) for the purposes of providing support to offer holders and enquiry management. This includes the QSES CRM, Acoustic and Twilio software.
• aptem who process data on behalf of the University to deliver a Learner Management System (LMS) which is required to manage the degree apprenticeship journey from admissions to End Point assessment.

The University maintains a high standard of information security. Access to information and systems for all users are restricted on a need-to-know basis, and security arrangements are reviewed to ensure their continued suitability. For further information see, our IT security webpages.

In certain cases, your personal data will be transferred outside the UK. For these transfers, the University will always comply with UK GDPR obligations and use necessary safeguards to protect your data.

The University will only keep your data as long as necessary to meet legal requirements or satisfy a defined business need. Specific retention timeframes are set out in the University’s Records Retention Schedule.

Under the UK GDPR, you have a right of access to your data, a right to rectification, erasure (in certain circumstances), restriction of processing, objection or portability (in certain circumstances). You also have a right to withdraw consent, and rights relating to automated decision making. For more information see Individuals’ Rights.

If you have any queries about this privacy notice or about how your data is being processed, please contact the University’s Information Governance Team at dataprotection@york.ac.uk. 

If you wish to make a data protection complaint, please contact the University’s Data Protection Officer at dataprotection@york.ac.uk.

If you are unhappy with the way in which the University has handled your personal data, you also have a right to complain to the Information Commissioner’s Office (ICO).

We keep our privacy notice under regular review. This notice was last updated on 16 June 2026.