Privacy notice - student applicants 

The organisation collects information about you in a variety of ways. These include:

• information collected through application forms and documents provided as part of an application; 
• information collected through any correspondence with you during the application process; 
• through interviews or other admissions assessments; 
• information collected from forms submitted as part of a travel expense reimbursement claim;
• from information provided to us by third parties, such as collaborative partners, Disclosure and Barring Service (DBS),  Higher Ed Partnerships (HEP), International Pathway College (IPC), Kaplan, Hull York Medical School (HYMS), The Universities and Colleges Admissions Service (UCAS), UK Visas and Immigration (UKVI), Acumen PACE, educational agents and funding agencies, Atlantic Data, OHWorks, IDP Live Offer in Principle service for the purpose of issuing prospective students with an offer in principle, The Ambassador Platform (TAP) for the purpose of registering and attending online events and one-to-one chats and Net Natives for the purpose of assisting with marketing activities. 

Personal data including:

• your name, address (including postcode), date of birth and contact details, including email address and telephone number;
• details of your qualifications, skills, experience and employment history, including start and end dates, with previous employers;
• information about your entitlement to study in the UK, if you are required to provide it;
• previous immigration history, including copy of passport and copies of previous visas;
• information relating to a pre CAS credibility assessment (if relevant) e.g., Zoom recordings and decision outcomes; 
• proof of identity documents and;
• bank details (if you are submitting a travel expense reimbursement claim).

Special category data including information about disability, health, gender identity, ethnicity and racial origin. 

Mitigating circumstances

If you are required to to provide information in relation to mitigating circumstances you may be required to submit additional information and documents including:

• details of the impact on your academic study (e.g. illness, bereavement);
• supporting information from your school, college or doctor;
• additional reference details.

Note if you are required to provide information in relation to a fee status assessment you may be required to submit documents from you and/or your parent/guardian including:

• utility bills;
• immigration details including copies of passport and visas;
• employment payslips.

Criminal conviction and offences data at the point of application for regulated programmes e.g. medicine, nursing, teaching social work (spent and unspent) and at the point of firm acceptance for non regulated programmes (relevant, unspent criminal convictions). Note that central admissions have access to DBS clearance information, including DBS clearance status and identity checks (for teaching and social work offer holders) via the Atlantic Data portal.

The University needs to process personal data during the admissions process and keep records of that process. Processing data from applicants allows the organisation to manage the admissions process, assess and confirm an applicant's suitability for a program of study and decide to whom to

offer a program of study. The organisation may also need to process data from an admissions application to respond to and defend against legal claims.

Typically, data will be processed:

• on the grounds of contractual requirement or to take steps to enter into a contract with you eg to offer you a place on a program of study at the University;
• because it is necessary for the performance of a task carried out in the public interest (for information on our public task see our function as set out in our charter; 
• because it is necessary for our or a third party’s legitimate interests;
• to allow us to comply with our legal obligations; 
• for reasons of substantial public interest (specifically schedule 1, Part 1, 18 of the DPA 2018 (Safeguarding of children and of individuals at risk):
• to protect your or another person’s vital interests;
• to monitor equality and diversity; 
• because you have given us your consent or, in the case of special category data, your explicit consent.  

The University may process your personal data (including special category data) for the following purposes:

• to operate admissions recruitment and selection processes;
• to form the basis of a student record, should you be offered a place of study at the University;
• to enable effective communication with you as an applicant; 
• to check, where necessary, that applicants are eligible to work with children, patients and other vulnerable adults;
• to verify english language test scores or to verify academic qualifications;
• to ensure effective general recruitment and admissions administration, including the analysis of applicant numbers and trends to improve our administrative processes;
• to conduct market research;
• for conversion activity for offer holders, using social media platforms e.g. Instagram or Facebook; 
• to tell you about the University, the city and the experience of studying here and to make you aware of relevant upcoming events;
• to compile statistical and personal returns for reporting purposes;
• to maintain and promote equality and diversity;
• to respond to and defend against legal claims; 
• to provide evidence that the University has met UKVI requirements in relation to the Student Sponsor guidance; 
• to assess your pre CAS credibility status in relation to potential UKVI Student Visa applications;
• to verify government or employment financial sponsorship documentation;
• to check applicants eligibility in relation to the international relocation payment (IRP). Trainee teachers only; 
• to assess applicant financial scholarship applications;
• to assess an applicant’s fee status;
• to assess mitigating circumstances;
• to reimburse travels costs;
• to monitor potential distance travelled for prospective commuter students; 
• to meet the audit requirements of funding providers;
• to create an iVent profile to enable you to attend virtual events you have registered for (e.g. Post Offer Visit Days);
• to provide you with educational services in support of your application through the FutureLearn platform

Disability data 

The University has a duty under the Equality Act to make reasonable adjustments for students who declare or present with a disability, to avoid them being placed at a substantial disadvantage compared to other students

Where a mental or physical health condition or disability is not declared directly to us, but has been identified, we may also record this information in order to ensure reasonable adjustments can be made. 

In order to ensure we can meet these obligations, information relating to your disability will be shared on a need-to-know basis with those that are involved in identifying and putting in place this support.

This includes staff in Disability Services, those involved in the administration of teaching and assessments and academics in your department, and those that are required to assist with identifying and putting in place any reasonable adjustments during your studies.

Whilst we do not require your consent to enable us to arrange reasonable adjustments, we do require consent from you to liaise with external organisations for the purposes of arranging externally funded support.  

You can find more information about how the university shares disability data on our Sharing disability data webpage. 

Criminal conviction and offences data will be processed to:

• assess whether admission can be granted or whether it may only be granted with possible conditions/restrictions, in order to manage risk;
• to ensure that the University’s campus (including both on-site and online) is a safe environment for all applicants, staff, students and visitors.

The University may share your data with:

• educational agents of the University, for the purpose of assessing your application; 
• other HE institutions, HYMS, or third parties (such as funding or awarding bodies) in relation to the admissions process;
• The University of York's finance department (for the purpose of reimbursing you with travels costs);
• FutureLearn as part of the provision of courses on their platform.
• QS Enrolment Solutions (QSES) for the purposes of providing support to offer holders and enquiry management. This includes the QSES CRM, Acoustic and Twilio software;
• other HE institutions or 3rd party providers involved in delivery of your studies, educational services, international exchange or placement programmes (e.g. Maastricht University);
• verification organisations (eg.  UK ENIC, CHESSIC, IELTS etc) for the purpose of verifying qualifications and tests;
• Flywire, for the purpose of making a deposit payment (if applicable);
• the Disclosure and Barring Service (DBS), for the purpose of making criminal record checks;
• Atlantic Data, for the purpose of making criminal record checks for some courses related to regulated professions (e.g. Nursing, Teaching, Social Work and Medicine);
• OHWorks, for the purpose of making occupational health checks for courses related to regulated professions (e.g. Nursing, Teaching and Social Work);
• Department of Education for the purpose of checking eligibility for the international relocation payment (IRP). Note this specifically includes sharing passport data with the Department of Education. Trainee teachers only;
• Higher Education Statistics Agency (HESA), for the purpose of data reporting;
• third parties that process data on behalf of the University to support it in fulfilling its obligations and responsibilities to and relationship with you (e.g. software and system providers) including; Qualtrics, Formstack, Dynamics 365, ClickDimensions, Clickatell, iVent, DotDigital, Tableau, Alteryx, MPS Marketing Services, The Ambassador Platform (TAP), Salesforce and Net Natives;
• third parties who award financial scholarships;
• Acumen PACE for the purposes of conducting a pre CAS credibility assessment. 

The University maintains a high standard of information security. Access to information and systems for all users are restricted on a need-to-know basis, and security arrangements are reviewed to ensure their continued suitability. For further information see, our IT security webpages.

In certain cases, your personal data will be transferred outside the UK. For these transfers, the University will always comply with UK GDPR obligations and use necessary safeguards to protect your data.

The University will only keep your data as long as necessary to meet legal requirements or satisfy a defined business need. Specific retention timeframes are set out in the University’s Records Retention Schedule.

Under the UK GDPR, you have a right of access to your data, a right to rectification, erasure (in certain circumstances), restriction of processing, objection or portability (in certain circumstances). You also have a right to withdraw consent, and rights relating to automated decision making. For more information see Individuals’ Rights.

If you have any queries about this privacy notice or about how your data is being processed, please contact the University’s Information Governance Team at dataprotection@york.ac.uk.

If you wish to make a data protection complaint, please contact the University’s Data Protection Officer at dataprotection@york.ac.uk.

If you are unhappy with the way in which the University has handled your personal data, you also have a right to complain to the Information Commissioner’s Office (ICO).

We keep our privacy notice under regular review. This notice was last updated on 16 June 2026.