Student privacy notice

When you applied to become a student, you were told in the Applicant Privacy Notice how the University would use your personal data to process your application. This referred you to this Student Privacy Notice which explains how we use your personal data while you are a student at the University.  

In addition to the information set out here, when you use specific services and facilities offered by the University, you will be told about any other uses of your personal data and may be directed to a webpage or privacy notice for more detailed information (for example, if you engage with the Counselling & Wellbeing, Learning Support, Disability and Mental Health Services).

If, once you graduate, there are ongoing student procedures such as academic appeals, the University will continue to process data relevant to that procedure in accordance with the Student Privacy Policy.

After you graduate, our Development and Alumni Relations Office may process data about you, and details of how they process alumni data is explained in the Alumni Privacy Notice.  

Sometimes another organisation will also be a data controller of your personal data (for example, if you are studying on a dual degree programme, a degree apprenticeship or other programme delivered in collaboration with, or on behalf of, another organisation).  That organisation should explain this to you as well as how it uses your data.

The details provided to us when you applied to the University form the basis of your core student record, which is the high-level record retained by Registry. Your core student record also includes:

• data you provide on registration, annual re-registration;
• data you provide through the my.bham portal; and
• information collected and entered by the University during your studies, which may be held either by Registry or your School or College. 

Your core record is generally that held by Registry on your central record but can include data held locally by your School or College.  Your core record includes:

• Your personal details, such as your name, home address and other contact details, age and date of birth, gender, nationality, country of birth, your dependents, whether you are a care leaver;
•  Information about your course or thesis;
• Tuition and other fee charges, funding and payments;
• Information about your sponsor;
• Immigration and visa information (if you are an international student);
• Details of incoming or outgoing student exchanges;
• Leave of absence, authorised absence or, exclusion data;
• Summaries of the outcomes of academic appeals;
• Information relating to modules and placements;
• Information about extracurricular activities which are recorded on your transcript (such as volunteer work, Guild of Students sabbatical positions, prizes won, sports achievements etc.);
• Data about your examinations, assessments and results, the qualification awarded;
• Any honours, scholarships and prizes you have been nominated for or have won;
• Your leaving date and the reason for leaving.

The School or department in which you study will also keep local records about you which will not form part of your core record, including:

• Details of your engagement with procedures (including academic appeals, Extenuating Circumstances, Fitness to Practise, leave of absence, plagiarism, misconduct procedures);
• Attendance and absence records;
• Information relating to modules, placements, examinations (including scripts) and assessments,
• Your Reasonable Adjustments Plan (if relevant to you);
• Your interactions with your tutors, supervisors and welfare tutors,
• Visa and immigration data; and
• General correspondence and administration.

Library Services will also keep records about you, which again will not form part of your core record, including:

• Your borrowing history;
• Fines;
• Notes relating to interactions with library staff;
• Inter Library Loans;
• Reservations; and
• Attendance at Library training or workshop events.

The University will also keep records about your use of the academic and non-academic facilities and services, including your use of IT Services and facilities, that we offer and processes and procedures with which you engage (for example, if you are a student representative or you raise a concern or complaint) or which you are subject to (such as misconduct proceedings).

In addition to this, the University may need to process some data about you that is classed as ‘special category’ or sensitive personal data. We will usually ask you for consent to do this. This data includes data about your ethnicity, sexual orientation, religious beliefs or health/disability data which we use to plan for and provide help or reasonable adjustments. We also use this data to help us plan our courses and facilities, and we also use it for reporting and monitoring purposes. The University will make sure that access to, and the sharing of, your special category personal data are controlled very carefully.

If necessary, where there has been an outbreak of a pandemic, such as Covid-19, or some other incident which may affect the health or safety of the University community, as part of the University’s public task, the University may also collect data on which areas or buildings of the University campus you have recently accessed and when, for the purposes of managing the health and safety of the University community. The data collected for this purpose will be your name, student ID number, telephone/email address so that if necessary, we can contact you in relation to NHS Test and Trace and to help prevent the spread of Covid-19. This data will be kept and held securely for 21 days after which it will be deleted or destroyed. We may also collect special category (e.g. health) data as part of this duty and for reasons of public health, for example, if you have told us that you have tested positive for Covid-19. Where it is necessary to collect special category data, such as health information, for this purpose we will only share this with government agencies, such as National Institute for Health Protection/Public Health England (or such other relevant government body) for the purposes of government initiatives like Test and Trace, in order to comply with our legal obligations. In any other case we will ask for your express consent before passing this data to any other organisation.

For certain courses, in order to assess your suitability to work with patients, children or other vulnerable people and your fitness to practise for entry into some regulated professions, it is necessary to process other special category data, such as data about your health or disability.

Criminal convictions: The University may hold and process data about criminal offences and criminal convictions if you have disclosed this as part of the admissions process, or by completing the yearly online registration, or if it is appropriate, given the nature of your programme (for example, if a Disclosure and Barring Service (DBS) check is needed for your programme). We will use information about criminal convictions and offences in the following ways:

• To consider your suitability to become a member of the University or to continue to be a member of the University or to decide if any support or measures need to be put in place;
• To comply with regulatory requirements to decide your suitability to study on a regulated programme or to practise in a regulated profession;
• To ensure that we adequately assess any risk posed to the wider University community.

We will only use information relating to criminal convictions where the law allows us to do so and in line with our Data Protection Policy. Personal data relating to criminal convictions will be retained confidentially and securely and access to that data will be strictly controlled.

When using video conferencing applications such as Zoom or Microsoft Teams, your name, user name, email address, your computer’s IP address, MAC address and device name may be collected.

The University will process your personal data for the following purposes:

• To deliver and administer your education, record the details of your studies (including any placements with external organisations), and determine/confirm your academic achievements (for example, results, prizes). This includes your engagement with procedures relating to your studies or research, such as the academic appeals, extenuating circumstances, leave of absence procedures;
• When relevant, to monitor, evaluate and support your research activity;
• To administer the financial aspects of your relationship with us and any funders;
• To deliver services and facilities to you (for example, IT including MyUoB App and M365, sport, libraries, accommodation, careers);
• To enable you to take part in events (for example, functions, graduation);
• To communicate effectively with you by post, email, phone or other electronic media, including the distribution of relevant newsletters and information, and invitations to take part in research activities;
• To operate security (including CCTV), governance, disciplinary (including plagiarism and academic and non academic misconduct), complaint, audit and quality assurance processes and arrangements;
• To support your training, medical, safety, wellbeing, welfare and religious requirements;
• To compile statistics and conduct research statutory reporting purposes;
• To enable local authorities to carry out their public functions
• To manage and develop the University’s business;
• To fulfil and monitor our legal responsibilities, for example, under equalities, immigration and public safety legislation;

To enable us to contact others in the event of an emergency (we will assume that you have obtained consent from those individuals before you supply their contact details to us).

Video conferencing applications

When using video conferencing applications, such as Zoom and Microsoft Teams, personal data such as your IP address and device name may collected by the companies who own these applications in order to schedule and create a record of meetings, improve and tailor your experience when using these applications. Where video conferencing applications are used to record meetings, personal data captured within the recording are stored within the cloud service owned by that company. Where recording is taking place, you will be notified at the beginning of or as you enter the recording session.

Data held and used by the University are compliant with GDPR. Personal data stored by a service provider within the cloud may be stored outside of the European Economic Area. 

We consider the processing of your personal data for these purposes to be necessary for:

• the performance of our contractual obligations with you (e.g. to manage your studies, accommodation, your library access, your student experience and welfare while studying at Birmingham);
• compliance with a legal obligation (e.g. equal opportunities monitoring) or regulatory obligation (e.g. reporting to Government or governmental bodies), providing local authorities with personal data to enable them carry out public tasks;
• the performance of tasks we carry out in the public interest (e.g. teaching and research);
• the pursuit of the legitimate interests of the University, students or external organisations (e.g. to enable your access to external services); or
• archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

If we require your consent for any specific use of your personal data, we will collect it at the appropriate time, explaining why we are collecting the data and how we will use it, and you can withdraw this at any time.

We do not use your personal data to carry out any wholly automated decision-making that affects you.

Within the University, your data is shared with only those University staff who need access for the purpose of delivering our academic and non-academic services and facilities. 

Your personal data is shared with a range of external organisations as is necessary for the purposes set out above and as permitted or required by law,  including the following:

• Higher Education Statistics Agency.  This will include reporting special category data you provided on registration or re-registration (for example, relating to your ethnicity, sexuality, disability etc. (HESA is a non-Governmental organisation which is the designated data body for England for collecting, processing, and publishing data about higher education in the UK. HESA explains how it will use your personal data in its statement published at https://www.hesa.ac.uk/about/regulation/data-protection/notices);   
• Your funders and/or sponsors (for example, as relevant, the Student Loans Company, Research Councils, the funders of any awards or prizes).  Unless you have agreed otherwise with your sponsor, we only share with them information about your academic progress;
• The providers of any external or collaborative learning and training placements or fieldwork opportunities (and we will explain to you how and when this will be shared when we collect the data from you);
• Your employer, if your programme is a requirement of your employment or being employed is a requirement of your programme;
• External examiners and assessors, and external individuals involved in relevant University committees or procedures;
• Relevant Government Departments (for example, the Home Office, the Foreign and Commonwealth Office, Department of Health);
• Relevant executive agencies or non-departmental public bodies (for example, UK Visas and Immigration, HM Revenue and Customs, the Health and Safety Executive);
• Relevant Higher Education bodies (for example, the Office for Students, UK Research and Innovation, Universities and Colleges Admissions Service, Office for Fair Access, Office of the Independent Adjudicator, the organisation(s) running the National Student Survey and other student and leaver surveys);
• Any relevant professional or statutory regulatory bodies (for example, the General Medical Council); we will tell you in what circumstances we share data with these organisations;
• Our partner accommodation providers, if you apply for accommodation;
• The Guild of Students, in order to facilitate your membership of the Guild and access to their services (we provide them with your name, gender, date of birth, nationality, residency for fees, student ID number, contact details, programme details, year of study, your School and whether you have informed us you have dependents).  Occasionally we share data to implement measures and sanctions arising in relation to misconduct proceedings; 
• Local authorities, including for Council Tax purposes (in particular, we have an agreement with Birmingham City Council to share student data to assist with the students’ applications for exemption from Council Tax), care leavers data to enable local authorities to perform their public functions;
• Occasionally and when necessary, the police and other law enforcement agencies, for the prevention or detection of crime;
• Occasionally and when necessary internal and external auditors or regulators;
• Individuals, companies or organisations providing specific services to, or on behalf of, the University (for example, the University Medical Officer, external Occupational Health services);
• In the year you leave the University, your details (name, gender, contact details, information about your programme and award and registration status, emergency contact details, details of other universities attended, nationality, and secondary school details) will be shared with the University’s Development and Alumni Relations department while you are still a student so that you can be added to the alumni database.  The University considers it is in the legitimate interests of the University to do so, as alumni are very important supporters of and ambassadors for the University, and that it is in the legitimate interests of alumni to do so, to develop their social and professional networks and help alumni achieve positions of success and influence. Information about how alumni personal data is used by the University is set out in the Alumni Privacy Notice; you will receive more details at the relevant time.

We ensure we have appropriate data sharing agreements in place before sharing your personal data with any other data controllers.

With your consent, we will share your data with the Multi-Faith Chaplaincy and with the University’s chaplains (who are not members of staff).

We will normally confirm details of the degree awarded to external enquirers or organisations, and at your request we will provide references to third parties

Your name and the type of degree awarded, including classification for those gaining a First, and Merit or Distinction for Taught postgraduate students, will be published in the relevant congregation programme. This information may also be published in newspapers and will be made publicly available.

Your University email account will be included on the University general email list which is used for contacting you about University business and activities.

Sometimes, we may have to send your personal data outside the European Economic Area (for example, so you can take part in an exchange visit or so we can to report to an overseas funding provider, or if you are studying at a campus overseas, for example, in Dubai). This is usually necessary to meet our contractual obligations with you, or your contractual obligations with a third party, and we make sure that appropriate safeguards are in place to ensure the confidentiality and security of your personal data.

Your personal data is shared as is necessary, on a considered and confidential basis, with several external organisations which assist with processing your information.  These organisations act on our behalf in accordance with our instructions and do not process your data for any purpose over and above what we have asked them to do.  We make sure we have appropriate contracts in place with them.  Sometimes your personal data is processed by these organisations outside the European Economic Area (for example, because they use a cloud-based system with servers based outside the EEA), and if so, we make sure that appropriate safeguards are in place to ensure the confidentiality and security of your personal data. 

We do not share your data with external organisations for marketing their products or services. We do not sell your personal data to third parties under any circumstances, or permit third parties to sell on the data we have shared with them.

After you leave the University, we will retain most personal data we hold about you for 7 years.  We do this so we can respond to any queries you or third parties may have about your studies, qualifications or student experience, to prepare references, to respond to any concerns or complaints and as part of our assessment of any future application you make for further studies at the University.  We are required by law to retain some data for longer, for example records of exposure to hazardous materials.  Some data is kept for less than 7 years including assessments or examination scripts which are retained for 1 year (unless you submit an appeal or you are subject to an examination irregularity investigation in relation to that script); we will tell you when data is kept for periods other than 7 years from the date you leave the University.

Your core record of your studies is retained indefinitely so that the details of your academic achievements can be confirmed.  The University will also use your data, together with data about other current and former students, to carry out statistical analysis in relation to its student population or for historical or research purposes (but not to make decisions about you).

The University is sometimes required to take part in surveys or research conducted by or on behalf of Government departments, executive agencies, non-departmental public bodies or Higher Education bodies relating to individuals who have graduated from or left the University.  If so, your contact details will be shared with the organisation carrying out the survey or research on behalf of the University.

Where your personal data is collected for the purposes of the University’s management of the health and safety of the University community (if for example, you may have been in contact with someone who has tested positive for Covid-19 and you have recently been on the University campus), this data will only be kept as long as necessary for those purposes, usually 21 days.

Details about your rights are set out on the website page ‘Data Protection – How the University Uses Your Data’.  This also explains how to ask any questions you may have about how your personal data is used, exercise any of your rights or complain about the way your data is being handled.

This privacy notice is effective from 25 May 2018 and was last updated on the 10 September 2020. It is reviewed when necessary and at least annually. Any changes will be published here and you will be notified by email, on mybham or as appropriate.