This privacy notice is for Undergraduate and Postgraduate enquirers who are interested in applying to the University of York and the Hull York Medical School (HYMS). This also includes enquirers who register to attend University events, enquirers who commence an online application form but do not officially submit it and enquirers from schools and colleges.
It sets out the ways in which the University of York gathers, uses, stores and shares your data. It also sets out how long we keep your data and what rights you have in relation to your data under the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018.
For the purposes of this privacy notice, University of York is the Data Controller as defined in the UK GDPR . For the University’s registration with the Information Commissioner’s Office, see the Information Commissioner's Register of Fee Payers. Our registration number is: Z4855807.
The University collects information about you in a variety of ways. These include:
Personal data including:
Special category data e.g. if you require additional support at an event e.g. wheelchair access or communication support.
If you commence a postgraduate online application form and do not officially submit it, we may also hold personal data including:
Special category data including information about disability, health, gender identity, ethnicity and racial origin.
The University needs to process personal data during the enquiry process and keep records of that correspondence. Processing data from enquirers allows the organisation to manage the registration of University events (either on campus or virtual) and provide information to enquirer’s regarding the admissions process, suitability for a program of study and to decide to whom to offer a program of study.
Typically, data will be processed:
The University may process your personal data for the following purposes:
The University may share your data with:
The University takes information security extremely seriously and has implemented appropriate technical and organisational measures to protect personal data and special category data. Access to information is restricted on a need-to-know basis and security arrangements are regularly reviewed to ensure their continued suitability. For further information please see our IT Security webpages.
In certain circumstances, it is necessary to transfer your Personal Data (including Special Category Data) outside the UK a. In respect of such transfers, the University will comply with our obligations under UK GDPR and ensure an adequate level of protection for all transferred data.
The University will retain your data in line with legal requirements or where there is a business need. Retention timeframes will be determined in line with the University’s Records Retention Schedule.
Under the UK GDPR, you have a right of access to your data, a right to rectification, erasure (in certain circumstances), restriction, objection or portability (in certain circumstances). You also have a right to withdraw consent. If you would like to exercise any of these rights, for admissions queries please contact firstname.lastname@example.org, for international questions please contact email@example.com and for EU questions please contact firstname.lastname@example.org. For further information see our guidance on your rights under UK GDPR.
If you have any questions about this privacy notice or concerns about how your data is being processed, please contact the University’s Data Protection Officer at email@example.com.
If you are unhappy with the way in which the University has handled your personal data, you have a right to complain to the Information Commissioner’s Office. For information on reporting a concern to the Information Commissioner’s Office, see their complaints guidance.
We keep our privacy notice under regular review. This notice was last updated on 8th November, 2021.