Accessibility statement

Privacy notice - students

This privacy notice is for University of York students. It sets out the ways in which the University of York gathers, uses, stores and shares your data. It also sets out how long we keep your data and what rights you have in relation to your data under the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018. 

For the purposes of this privacy notice, University of York is the Data Controller as defined in the UK GDPR. We are registered with the Information Commissioner’s Office and our entry can be found here. Our registration number is: Z4855807.    

Where do we get your data from?

Much of the data we hold on you comes from your undergraduate or postgraduate application form. Additional information may also have been provided by you as part of your interactions with us before applying or once enrolled. Information relating to you may also have been provided to us by third parties e.g. your sponsor, agent, referee or previous employer, college or university. For students studying on the higher and degree apprenticeship pathway, data may also be provided by your current employer.

What data do we have?

Personal data including name, date of birth, postal address (term time and home), email address, telephone number, National Insurance number, Unique Learner Number, emergency contact details, education records (past and present), disciplinary and attendance records.

Special category data including information about disability, health, ethnicity and racial origin.  

What is our legal basis for processing your data?

The University needs to collect and retain certain types of data, in various formats, about its current and past students in order to fulfil its functions as an education provider and to maintain its lifelong relationship with its alumni community.

Typically, data will be processed:

  • on the grounds of contractual requirement or to take steps to enter into a contract with you e.g. to provide you with a University education;
  • because it is necessary for the performance of a task carried out in the public interest (for information on our public task see our function as set out in our charter);
  • because it is necessary for our or a third party’s legitimate interests;
  • to allow us to comply with our legal obligations; 
  • to protect your or another person’s vital interests;
  • to monitor equality and diversity; 
  • because you have given us your consent or, in the case of special category data, your explicit consent.  

How do we use your data?

The University may process your personal data (including special category data) for the following purposes:

  1. to administer applications and admissions processes and procedures and student records after admission;
  2. to deliver and facilitate your programme of study and provide you with teaching, research and educational services and support; 
  3. to provide you with and manage your use of University facilities and services and your participation at events;
  4. to administer the financial aspects of our relationship with you and any funders including processing any payments made by you to the University;
  5. to manage student accommodation, college residence and college social events;
  6. to monitor your performance and attendance;
  7. to manage academic progress (including the provision of references and the processing of student complaints and appeals, academic misconduct investigations and student disciplinary cases); 
  8. to operate the University’s quality assurance processes and arrangements;
  9. for legal, personnel, administrative and management purposes including the processing of any Sensitive Personal Data which may include information about your physical or mental health or condition in order to provide access arrangements, monitor fitness for study, leave from study, welfare and extenuating circumstances and/or other uses as may be required by law; 
  10. to enable effective communication with you including without limitation, providing you with information relating to University services and products, funding and/or sponsorship opportunities as well as links to relevant surveys and information on York student organisations; 
  11. for alumni relations purposes. For details see here
  12. to identify ways to enhance learning, teaching, assessment and the broader student experience;
  13. to monitor equal opportunities; 
  14. to compile statistical and personal returns which the University may be required to publish or pass to government bodies or the Higher Education Statistics Agency (HESA); 
  15. to maintain the safety and security of the campus for all users. This may include the use of CCTV for crime prevention and detection purposes.    

In addition, please note:

  • whilst on campus you may be captured in photographs or video footage as part of a wider group shot. These images/recordings may be used by the University for promotional purposes e.g. in the development of the University's prospectus. If you have any concerns about the use of your image please contact the Acting Data Protection Officer for more information, dataprotection@york.ac.uk.
  • the University uses lecture capture technology to record University teaching (typically audio only). In addition, students are sometimes granted permission to make their own recordings (again, typically audio only).  As a result, anything you say may be recorded whilst attending lectures, seminars and other teaching sessions depending on your proximity to the microphone. For rules around the use of recordings see: 

Who do we share your data with?

The University may share your data with:

  • employees and agents of the University;  
  • third parties that process data on behalf of the University to support it in fulfilling its obligations and responsibilities to and relationship with you (e.g. software and system providers);
  • other HE institutions, 3rd party providers or employers involved in delivery of your studies, educational services, international exchange or placement programmes;
  • FutureLearn as part of the provision of courses on their platform.
  • Higher York (to enable the analysis and monitoring of learning trends, profiles, choices and outcomes and inform planning and development across the partnership);
  • the University of York Students’ Union (YUSU) and Graduate Students’ Association (GSA) on the grounds there is a legitimate interest to ensure you have full representation and access to the services and support mechanisms offered by the charities. Both YUSU and GSA will offer you the opportunity to opt-out of communication/membership.   
  • professional and regulatory bodies (e.g. General Medical Council, Health and Care Professions Council, Nursing and Midwifery Council, the Office for Standards in Education, Children’s Services and Skills, Royal Society of Chemistry, British Psychological Society, Teaching Regulation Agency, Law Society) in relation to the confirmation qualifications, professional registration and conduct, regulation, and the accreditation of your course; 
  • sponsors (including Local Education Authorities, funding councils and Research Councils), the Students Loans Company, Student Awards Agency for Scotland, Student Finance Wales and Student Finance NI in respect of student progress/attendance; 
  • credit reference agencies or other credit assessment, debt tracing or fraud prevention organisations to support credit scoring, credit assessment, debt tracing or fraud and money-laundering prevention;  
  • government departments/agencies to whom we have a statutory obligation to release information (including the Office for Students, Higher Education Statistics Agency (HESA) (HESA's notice is available here), the UK Research Councils, the Education and Skills Funding Agency (ESFA) (ESFA’s notice is available here), the Quality Assurance Agency for Higher Education, the Home Office UK Visas and Immigration, HM Revenue and Customs and Council Tax and Electoral Registration Offices; 
  • Ipsos Mori for the purposes of administering student surveys commissioned by the Office for Students; 
  • current or potential employers of our students or current or potential providers of education (to provide references and verify details of your qualifications). The University is a member of the Higher Education Degree Datacheck Service: a shared service which allows employers or statutory bodies and their agents to verify basic degree and enrolment information about you, having sought your consent. These checks are most commonly made if you register with an employment agency or are offered a job; 
  • law enforcement agencies such as the police or relevant authorities dealing with emergency situations (only as required or appropriate and in line with Data Protection legislation)  

For Higher and Degree Apprenticeship learners, the University may also share your data with the End Point Assessment Organisation (EPAO), Department of Education (DfE) and Ofsted.

The University may also disclose your data to other 3rd parties not listed above on a case-by-case basis. Disclosures will be made in full accordance with the data protection legislation and only where necessary. Consent will be sought from you where appropriate and you will be told about such disclosures unless exceptional circumstances apply.

Where the University, Government or their respective agents (e.g. Office for Students) hold personal information provided by students, they may need to check the accuracy of this information against external data sources. This might involve contacting institutions to confirm qualifications obtained, for example, or checking whether a Higher Education Statistics Agency record already exists for a student. Any such checks will be made in compliance with data protection law.  

How do we keep your data secure?

The University takes information security extremely seriously and has implemented appropriate technical and organisational measures to protect personal data and special category data. Access to information is restricted on a need-to-know basis and security arrangements are regularly reviewed to ensure their continued suitability. For further information see, https://www.york.ac.uk/it-services/security/.   

How do we transfer your data safely internationally?

In certain circumstances, it is necessary to transfer your Personal Data (including Special Category Data) outside the UK. In respect of such transfers, the University will comply with our obligations under UK GDPR and ensure an adequate level of protection for all transferred data.  

How long will we keep your data?

The University will retain your data in line with legal requirements or where there is a business need. Retention timeframes will be determined in line with the University’s Records Retention Schedule.   

What rights do you have in relation to your data?

Under the UK GDPR, you have a right of access to your data, a right to rectification, erasure (in certain circumstances), restriction, objection or portability (in certain circumstances). You also have a right to withdraw consent. You can verify or correct information in your student record at any time by following the guidance here, https://www.york.ac.uk/students/studying/manage/student-record/. For all other requests, see https://www.york.ac.uk/records-management/generaldataprotectionregulation/individualsrights/.  

Questions or concerns

If you have any questions about this privacy notice or concerns about how your data is being processed, please contact the University’s Data Protection Officer at dataprotection@york.ac.uk

Right to complain

If you are unhappy with the way in which the University has handled your personal data, you have a right to complain to the Information Commissioner’s Office. For information on reporting a concern to the Information Commissioner’s Office, see www.ico.org.uk/concerns.  

Changes to our privacy notice

We keep our privacy notice under regular review. This notice was last updated on 24 March 2022.