Privacy Notice - Research Impact Evidence - Records Management and Information Governance, University of York

Privacy Notice for Research Impact Evidence Collection for REF 2029

This privacy notice is for individuals providing the University of York with evidence of research impact. It sets out the ways in which the University of York gathers, uses, stores and shares your data. It also sets out how long we keep your data and what rights you have in relation to your data under the UK General Data Protection Regulation (GDPR).

For the purposes of this privacy notice, University of York is the Data Controller as defined in the UK General Data Protection Regulation. We are registered with the Information Commissioner’s Office (ICO); see our entry to the ICO. Our registration number is: Z4855807.

Where do we get your data from?

The data in most cases will be provided directly by the data subjects. However, in some cases the data will come from publicly available sources.

What data do we have?

We collect personal data for the purposes of providing evidence of impact deriving from research conducted at the University of York. Data may include:

Name, organisation, job title, email address and contact details, the nature of the individual’s interaction with the University of York and the evidence to corroborate the impact of the research. The latter may include testimonial letters, emails and/or feedback forms after events.

How do we use your data and what is our legal basis for processing?

We will use the data to record and assess the effectiveness of our research impact; we will also use the data to inform the University’s submission to the Research Excellence Framework 2029.

In line with our charter which states that we advance learning and knowledge by teaching and research, the University processes personal data for research purposes under Article 6 (1) (e) of the UK General Data Protection Regulation (GDPR), i.e. Processing is necessary for the performance of a task carried out in the public interest. Due to the close nature of the relationship between research and research impact, public task is also the legal basis for the University for processing personal data relating to research impact.

Who do we share your data with?

This information will be processed within the University and may be shared with Research England (RE), who is conducting REF 2029. RE is part of UK Research and Innovation (UKRI) and under this arrangement UKRI has the role of “data controller” for personal data submitted to the REF 2029. Any personal data submitted by Universities to REF 2029 will be collected, stored and processed in accordance with current data protection legislation. The University of York will not share your information externally for any other purposes without your consent unless exceptional circumstances apply.

How do we keep your data secure?

The University maintains a high standard of information security. Access to information and systems for all users are restricted on a need-to-know basis, and security arrangements are reviewed to ensure their continued suitability. For further information see, our IT security webpages.

How do we transfer your data safely internationally?

In certain cases, your personal data will be transferred outside the UK. For these transfers, the University will always comply with UK GDPR obligations and use necessary safeguards to protect your data.

How long will we keep your data?

The University will only keep your data as long as necessary to meet legal requirements or satisfy a defined business need. Specific retention timeframes are set out in the University’s Records Retention Schedule.

What rights do you have in relation to your data?

Under the UK GDPR, you have a right of access to your data, a right to rectification, erasure (in certain circumstances), restriction of processing, objection or portability (in certain circumstances). You also have a right to withdraw consent, and rights relating to automated decision making. For more information see Individuals’ Rights.

Questions or concerns

If you have any queries about this privacy notice or about how your data is being processed, please contact the University’s Information Governance Team at dataprotection@york.ac.uk.

Right to complain

If you wish to make a data protection complaint, please contact the University’s Data Protection Officer at dataprotection@york.ac.uk.

If you are unhappy with the way in which the University has handled your personal data, you also have a right to complain to the Information Commissioner’s Office (ICO).

Changes to our privacy notice

We keep our privacy notice under regular review. This notice was last updated on 16 June 2026.