Student applicant privacy notice

This privacy notice provides information about how the University uses the personal data we collect and process when you make an application to study at the University of Birmingham. It supplements the page on our website ‘Data Protection – How the University Uses Your Data’.

It is important that the personal information we hold about you is accurate and current. Please keep your personal information updated during your working relationship with us.

How does this privacy notice relate to other privacy notices?

If you enquired about studying at the University, you were told how the University would use your personal data to process your enquiry and we referred you to the Enquirer Privacy Notice on our website. This referred to this Applicant Privacy Notice for details about how we would use your personal data if you apply to become a student at the University.  After you have applied, we process your data as set out on our website in both the Enquirer Privacy Notice and this Applicant Privacy Notice.

If you have submitted or are intending to submit your application through the Universities and Colleges Admissions Service (UCAS) or another clearing house, that organisation will inform you of the basis upon which they share your personal data with us. This page provides information about how we will use the personal data we received from that organisation.

If you have applied, or are intending to apply, directly to the University, this page explains how we will use the personal data you will provide, or have provided, to us directly.

Sometimes another organisation will also be a data controller of your personal data for example, if you are applying to study on a dual degree programme, a degree apprenticeship or other programme delivered in collaboration with, or on behalf of another organisation, or if you have applied to us for accommodation as we provide student details to private ‘Partner accommodation’ providers who form part of our Guarantee Scheme so they can allocate accommodation.  That organisation should explain this to you, as well as how and why it uses your data.  

What personal data will be processed?

The data we process will be:

  • Details you provide to us when you submitted your application to the University (whether directly to the University or via a third party service such as UCAS) form the basis of your core application record including:
    • Your personal details, such as your name, home address and other contact details, age and date of birth, gender, nationality, country of birth, your dependents, whether you are a care leaver,
    • Information about your course or thesis;
    • Funding arrangements (for example, your sponsor);
    • Immigration and visa information (if you are an international student);
    • Your qualifications (awarded or anticipated);
    • Information about your previous education and work experience; and
  • Information in any supporting documentation which is provided by you or a third party (such as information from referees, from qualification awarding bodies or results which UCAS provides to us) during the application process. 

The School or department within the University in which you have applied to study may also keep records about your application, including:

  • details of your engagement with and the outcomes of any selection procedures (including interviews, selection tests, and, where relevant, fitness to practice and/or health declarations or other suitability assessments);
  • Your interactions with your  proposed supervisors or admissions tutors;
  • Attendance at applicant visit events;
  • Eligibility for scholarships and prizes;, and
  • General correspondence and administration in relation to your application.

In addition to this, the University may need to process some data about you that is classed as ‘special category’ or sensitive personal data.  This data includes data about your ethnicity, sexual orientation, religious beliefs or health/disability data.  We use this data to offer you relevant support or reasonable adjustments and for statistical, research and monitoring purposes.  Access to, and the sharing of, your special category personal data are controlled very carefully.

If necessary, where there has been an outbreak of a pandemic, such as Covid-19, or some other incident which may affect the health or safety of the University community, as part of the University’s public task, the University may also collect data on which areas or buildings of the University campus you have recently accessed and when, for the purposes of managing the health and safety of the University community. The data collected for this purpose will be your name, student ID number, telephone/email address so that if necessary, we can contact you in relation to NHS Test and Trace and to help prevent the spread of Covid-19. This data will be kept and held securely for 21 days after which it will be deleted or destroyed. We may also collect special category (e.g. health) data as part of this duty and for reasons of public health, for example, if you have told us that you have tested positive for Covid-19. Where it is necessary to collect special category data, such as health information, for this purpose we will only share this with government agencies, such as National Institute for Health Protection/Public Health England (or such other relevant government body) for the purposes of government initiatives like Test and Trace, in order to comply with our legal obligations. In any other case we will ask for your express consent before passing this data to any other organisation.

Your personal data is created, stored and transmitted securely in a variety of paper and electronic formats, including databases. Only those University staff who need access for the purpose of administering the admissions process and allocating accommodation will be able to access your personal data. 

For certain courses, in order to assess your suitability to work with patients, children or other vulnerable people and your fitness to practise for entry into some regulated professions, it is necessary to process other special category data, such as data about your health or disability.  

Criminal convictions: The University may hold and process data about criminal offences or convictions if you have disclosed this on your application or if it is appropriate given the nature of your programme (for example, if a Disclosure and Barring Service (DBS) check is needed for your programme). We will use information about criminal convictions and offences in the following ways:

  • To consider your suitability to become a member of the University or to continue to be a member of the University or to decide if any support or measures need to be put in place;
  • To comply with regulatory requirements to decide your suitability to study on a regulated programme or to practise in a regulated profession;
  • Consideration of safeguarding issues.

We will only use information relating to criminal convictions where the law allows us to do so and in line with our Data Protection Policy. Personal data relating to criminal convictions will be retained confidentially and securely and access to that data will be strictly controlled.

When using video conferencing applications such as Zoom or Microsoft Teams, your name, user name, email address, your computer’s IP address, MAC address and device name may be collected.

What is the purpose of the processing?

The University will process your personal data for the following purposes:

  • To consider the suitability of your application for the programme to which you have applied or, if we cannot make an offer of admission for that programme, for any other programme for which your application is relevant;
  • To enable you to take part in events for applicants (for example, applicant visit days, interviews or other selection events);
  • To consider your application for accommodation;
  • To communicate effectively with you by post, email, phone or other electronic media;
  • To provide you with information about the programme and accommodation for which you have applied;
  • To provide you with information relating to the, city of Birmingham and the local area and the University (including its facilities and services);
  • To notify you of our decision on your application;
  • To allocate accommodation;
  • To compile statistics and conduct research for statutory reporting purposes;
  • To fulfil and monitor our legal responsibilities, for example, under equalities, immigration and public safety legislation;
  • To enable us to contact others  (for example, any next of kin or emergency contact details you have provided) in the event of an emergency (we will assume that you have obtained consent from those individuals before you supply their contact details to us);
  • To comply with any relevant statutory obligations.

If you have disclosed on your application that you have a disability, our Student Support team will contact you to let you know how you can access the Learning Support, Disability and Mental Health services.  You will be provided with further details about how your data will be used for this purpose at the relevant time.

We also use the information you provide to compile statistics and conduct research in relation to enquirers, applicants and students for the purpose of planning, reviewing, managing and developing the University’s business, (but not to make any decisions about you).

We sometimes use ‘profiling’ software to help us make sure the information we send you is appropriate for you, but we do not use ‘profiling’ software to make any automated decisions about your application to the University.

Video conferencing applications

When using video conferencing applications, such as Zoom and Microsoft Teams, personal data such as your IP address and device name may collected by the companies who own these applications in order to schedule and create a record of meetings, improve and tailor your experience when using these applications. Where video conferencing applications are used to record meetings, personal data captured within the recording are stored within the cloud service owned by that company. Where recording is taking place, you will be notified at the beginning of or as you enter the recording session.

Data held and used by the University are compliant with GDPR. Personal data stored by a service provider within the cloud may be stored outside of the European Economic Area. 

What is the legal basis of the processing?

We consider the processing of your personal data for these purposes to be necessary for:

  • Taking all relevant and necessary steps to determine whether to make an offer to study at the University and, if so,  to decide on the terms of that offer so you can decide whether to enter into a contract with the University, that is, to take steps at your request before entering into a contract;
  • Compliance with a legal obligation (for example, equal opportunities monitoring) or regulatory obligation (for example, reporting to Government or governmental bodies);
  • The performance of tasks we carry out in the public interest (for example, teaching and research);
  • For the purposes of the University’s legitimate business interests (for example, in order to manage and develop its business).
  • For the purposes of an external organisation’s legitimate interests (for example, to enable your access to external services); or
  • Archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

We will only process your special category data with your explicit consent or if it is necessary:

  • For the establishment, exercise or defence of legal claims;
  • Very occasionally, when it is needed to protect your or another person’s vital interests and you are not capable of giving your consent (for example, in an emergency);
  • If it is in the substantial public interest;
  • Archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

If we require your consent for any specific use of your personal data, it will be collected at the appropriate time by us or another relevant organisation (for example, UCAS), explaining why we are collecting the data and how we will use it, and you can withdraw your consent at any time.

Who will your personal data be shared with?

Within the University, your data is shared with only those University staff who need access for the admissions process, to allocate accommodation and to discuss any support needs you may have. 

Your personal data is shared with a range of external organisations as is necessary for the purposes set out above and as permitted or required by law,  including the following:

  • The providers of any external or collaborative learning and training placements or fieldwork opportunities (and we will explain to you how and when this will be shared when we collect the data from you);
  • The employer for any Degree Apprenticeship programme
  • Relevant Government Departments (for example, the Home Office or the Foreign and Commonwealth Office);
  • Relevant executive agencies or non-departmental public bodies (for example, UK Visas and Immigration);
  • An overseas representative formally recognised by the University through whom you have submitted your application or who is supporting your application.  This may include an agent or prospective sponsor who has submitted an application on your behalf;
  • Relevant Higher Education bodies (for example, the Office for Students, UK Research and Innovation, Universities and Colleges Admissions Service, the Office for Fair Access);
  • Any relevant professional or statutory regulatory bodies (for example, General Medical Council); we will tell you in what circumstances we share information with these organisations;
  • Occasionally and when necessary, the police and other law enforcement agencies, for the prevention or detection of crime;
  • Occasionally and when necessary internal and external auditors or regulators; and
  • Individuals, companies or organisations providing specific services to, or on behalf of, the University (for example, the University Medical Officer, external Occupational Health services).

We ensure we have appropriate data sharing agreements in place before sharing your personal data with any other data controllers.

Your personal data is shared as is necessary, on a considered and confidential basis, with several external organisations which assist with the handling of enquiries and student applications and sending you information about studying here.  These organisations act on our behalf in accordance with our instructions for the purposes outlined above and do not process your data for any purpose over and above what we have asked them to do.  We make sure we have appropriate contracts in place with them.  Sometimes your personal data is processed by these organisations outside the European Economic Area (for example, because they use a cloud-based system with servers based outside the EEA), and if so, appropriate safeguards are in place to ensure the confidentiality and security of your personal data. 

There may be other occasions when we may have to send your personal data outside the European Economic Area (for example, to share information relating to your application with an Overseas representative acting on your behalf, or if you are applying to study at a campus overseas, for example, in Dubai). This is usually required as part of the steps necessary to enter into a contract with you or as part of your contractual obligations (or potential contractual obligations) with a third party, and again, we make sure that appropriate safeguards are in place to ensure the confidentiality and security of your personal data.

If your application to the University is successful, the information held in your core application record will form the basis of your core student record.  Details of how we use student data can be found in the Student Privacy Notice on the University website.

We do not share your data with external organisations for marketing their products or services. We do not sell your personal data to third parties under any circumstances, or permit third parties to sell on the data we have shared with them.

How long is your data kept?

If you are admitted as a student of the University, we will retain the personal data collected during the admissions process for 10 years after the start of the academic year in which you were admitted to the University.  We do this so we can respond to any queries you or third parties may have about your application or studies, qualifications or student experience, to prepare references, to respond to any concerns or complaints and as part of our assessment of any future application you make for further studies at the University.  We are required by law to retain some data for longer, for example, if you require a Tier 4 student visa to undertake your studies, we will retain your information in order to meet the audit requirements of the Home Office

If your application is unsuccessful, or you decline an offer of a place at the University, we will retain your personal data for 3 years after the start of the academic year for which you applied.  We do this so we can respond to any queries you or third parties may have about your application, to respond to any concerns or complaints and as part of our assessment of any future application you make for further studies at the University.

If you defer an application from one academic year to the next the above schedules will apply from the start of the academic year to which your application was deferred.

Your core application record (see ‘What personal data will be processed?’ above) is retained indefinitely to carry out statistical analysis in relation to applicant groups and student population or for historical or research purposes or to meet such reporting obligations as may be imposed on the University by relevant authorities, for example the Office for Students. Information held for these purposes will not be used to make decisions about you or to contact you with any marketing or other materials.

Where your personal data is collected for the purposes of the University’s management of the health and safety of the University community (if for example, you may have been in contact with someone who has tested positive for Covid-19 and you have recently been on the University campus), this data will only be kept as long as necessary for those purposes, usually 21 days.

Your rights in relation to your data

Details about your rights are set out on the website page ‘Data Protection – How the University Uses Your Data’.  This also explains how to ask any questions you may have about how your personal data is used, exercise any of your rights or complain about the way your data is being handled.

Are changes made to this webpage?

This privacy notice is effective from 25 May 2018 and was last updated on 10 September 2020. It is reviewed when necessary and at least annually. Any changes will be published here.