Records Management & Information Governance
This privacy notice is for pupils in Primary and Secondary Schools and Sixth Forms and their parents/guardians. It sets out the ways in which the University of York’s Access and Outreach team gathers, uses, stores and shares data. It also sets out how long we keep data and what rights you have in relation to your data under the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
For the purposes of this privacy notice, the University of York is the Data Controller as defined in the UK GDPR. We are registered with the Information Commissioner’s Office and our entry can be found here. Our registration number is: Z4855807.
We collect information about you/your child/ward when applying to participate in, or registering your interest in, one of our programmes or events. This information is collected directly from application forms submitted via our web applications and management portal and is handled by the Access and Outreach Team at the University of York. We may also collect information when you complete questionnaires, evaluation forms, reflection logs or research projects specifically related to your participation in one of our programmes or events. We may also receive your personal information from partner institutions where a data sharing agreement is in place.
At key points we receive information from your school/college to provide us with information about you (e.g. family background and/or childhood experiences) to help us better understand and support you throughout your participation in our events and programmes. We also collect information from yourself or your school/college regarding your circumstances and eligible criteria for participation such as; your attainment at school/college, whether you have/are receiving free school meals, if you require any access support and information relating to safeguarding concerns.
Information collected from forms submitted as part of a travel expenses reimbursement claim.
We may also receive personal information for staff members at schools/colleges via third parties such as; UniTasterDay for the purpose of registering for an event.
Personal data such as name, date of birth, home address, email address, telephone number, details of your qualifications, emergency contact details, bank details (as part of a travel expense reimbursement claim) and parent/guardian education background.
Special category data such as information about disability, health, ethnicity and racial origin.
Typically, data will be processed:
We will use personal data (and special category data) for the following purposes:
The information provided will be used by the University of York for the purposes outlined above. It will also be shared with the following third parties:
There may be occasions where we need to share and return information with the local authority, police and schools/colleges, if a safeguarding matter arises. This will be actioned in line with our Safeguarding policy.
The University takes information security extremely seriously and has implemented appropriate technical and organisational measures to protect personal data and special category data. Access to information is restricted on a need-to-know basis and security arrangements are regularly reviewed to ensure their continued suitability. For further information please see our IT Security webpages.
In certain circumstances, it is necessary to transfer Personal Data (including Special Category Data) outside the UK. In respect of such transfers, the University will comply with our obligations under Data Protection Law and ensure an adequate level of protection for all transferred data.
The University will retain data in line with legal requirements or where there is a business need. Retention timeframes will be determined in line with the University’s Records Retention Schedule.
Under the UK GDPR, you have a right of access to your data, a right to rectification, erasure (in certain circumstances), restriction, objection or portability (in certain circumstances). You also have a right to withdraw consent. You can verify or correct information at any time by emailing email@example.com. For all other requests, see the University's subject rights webpage.
If you have any questions about this privacy notice or concerns about how data is being processed, please contact the University’s Data Protection Officer at firstname.lastname@example.org.
If you are unhappy with the way in which the University has handled personal data, you have a right to complain to the Information Commissioner’s Office. For information on reporting a concern to the Information Commissioner’s Office, see their complaints guidance.
We keep our privacy notice under regular review. This notice was last updated on 25th October 2022.