Privacy information for all other Data Processing

Introduction

 

Anglia Ruskin University Higher Education Corporation (ARU) is committed to protecting your personal information when you use our services. 

When saying “we”, “our” or “ARU”, we’re referring to Anglia Ruskin University.

This statement explains how ARU handles and uses the personal data we collect about you. ARU in this context means the central University (Cambridge, Chelmsford, Peterborough and London campuses as well as our partner colleges and former institutions including Cambridgeshire College of Arts and Technology (CCAT) and the Essex Institute of Higher Education (formerly the Chelmer Institute – itself formed from the Mid-Essex Technical College and the Brentwood College of Education). At first, these colleges combined to become Anglia Polytechnic, and then Anglia Polytechnic University in 1992. We’ve been known as Anglia Ruskin University since 2005.

Please read the following privacy policy to understand how we use and protect the information obtained via the following online services:

  • any ARU website that links to this Privacy Policy
  • social media or official ARU content on other websites
  • mobile device applications (apps).

It also relates to us using any personal information that you provide by phone, SMS, email, in letters and other correspondence, and in person.

This Privacy Policy explains the following:

  • who we are
  • what personal data we may collect about you
  • where get your personal data from
  • how we will use personal data we collect about you
  • who we share your personal data with
  • how long we hold your personal data
  • the legal basis for processing your personal data
  • your rights regarding the personal data you provide to us
  • the use of cookies on our websites and how you can reject them

By providing us with your personal data and using our services, you agree to the collection and use of this information in accordance with the purposes described above in this privacy notice or as otherwise explained to you.

If you have any requests concerning this Privacy Policy, your personal information, or any queries with regard to our processing please contact dpo@aru.ac.uk.

What personal data will ARU collect about me and where does it come from?

 

Whenever we ask for your personal data we will always make sure that it is necessary to identify you from the data we collect. If we do need to identify you we will make sure that we only collect and use the minimum details we need for the specific purpose.

We may hold information relating to you from a number of sources. Primarily this will be information that you have chosen to give us directly. In some we will have been provided with your details by the company or institution you work for.

ARU also collects data about how you use ARU mobile apps, websites or other university-related online content, and the device(s) you use to access these services. This includes collecting unique online identifiers such as IP addresses, which are numbers that can uniquely identify a specific computer or other network device on the web. For more information, please see the section on cookies within this privacy notice.

We also undertake a number of commercial activities. When you become a customer for these activities we will keep the names and contact details of key employees in order to stay in touch and keep you informed. This may involve retaining emails between ARU and your company, maintaining a database record of how we have delivered our services and financial records which include delivery and invoicing contacts.

For our commercial activities we will normally obtain contact details directly from you when you sign-up to our services or from another contact in an organisation you may work for. Occasionally we may obtain your details from a third party but we will only contact you through data obtained in this way if you have consented to them sharing your details for marketing purposes.

How do we use your personal data?

 

Where you participate in our research projects, we use your personal data to inform those projects. In the final project report it is highly unlikely that you would be identifiable from the data. If we do need to identify you then we will explain why and what allows us to do so. Each research project will have its own specific Participant Information Sheet which gives you the necessary information about how your data will be used so that you can make a clear decision on whether you are happy to proceed. If you do participate we rely on our legal rights to process your data rather than under your consent, so you would not normally be able to withdraw your data after having provided it. However you do still have the legal right to challenge us over how we are using your data.

Where you work with us, either as an employee of a) a company who provides services to us or of b) an organisation or a professional body who engages with us, we will hold your details to allow us to continue those relationships effectively.

Who do we share your personal data with?

  

We share data on a considered and confidential basis, where appropriate, with:

  • Affiliated organisations and individuals which support and provide services to alumni and supporters, such as:
    • Third parties who we may use to assist with our activities which is always done under strict confidentiality and under contract

If an ARU commercial service holds your personal data this will not be shared with other commercial activities in ARU unless we believe that the activities are sufficiently similar. We may use third parties to deliver some aspects of our services and therefore may need to share your personal details with them. We will make you aware of who they are as part of providing you with information about the service and will always make sure that we have contracts in place with them that ensure high standards of confidentiality. Where we use third-party providers to process payments from you they will always be compliant with industry security standard PCI-DSS. If for some reason we decide to no longer provide our services and enter into an agreement with another organisation to transfer the ongoing operation of the services, where we are satisfied that they are complaint with Data Protection we may provide them with the details of our customers to enable them to continue to deliver your services.

How we protect your data

We ensure we have appropriate data sharing agreements in place before sharing your personal data.

We do not sell your personal data to third parties under any circumstances, or permit third parties to sell on the data we have shared with them.

We also facilitate communication between individual alumni, but in doing so we do not release personal contact details without prior permission.  This function is seen as an additional benefit to being included in the Alumni Network.  The Alumni Office will under no circumstances share your data with another member of the Alumni Network without your prior permission.

Your personal data will be held confidentially for as long as necessary to fulfil the purposes for which it was it collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.

Data will be retained in accordance with our Records Retention Schedule.

What is the legal basis for using your personal data?

 A: Survey Participants

Specific Purpose

Legal Basis

Obtaining information about your opinions or facts about you to inform our initiatives to improve engagement with local communities. The information we may ask for will vary across all of our surveys, but examples of data requested may include

  • Your name
  • Your contact details
  • Your address
  • Your opinions
  • Your experiences

Where we do not need to identify you, we do not need a legal basis. Where we do, the processing is necessary:

  • for the performance of a task carried out in the public interest helping communities to benefit from the activities of public authorities and/ or
  • under our legitimate interests in improving delivery of our services

Where we process Special Category data for these purposes, we do so because it is necessary in the substantial public interest.

B: Employees of Partner Organisations

Specific Purpose

Legal Basis

To allow us to communicate with you on matters relating to, but not limited to:

  • formal joint projects, initiatives, and research activities
  • networking, knowledge sharing, professional development and support
  • managing events relevant to our relationship such as conferences and other meetings (where you may choose to share information about accessibility or dietary requirements)
  • carrying out the obligations set out in agreements between us and your organisation

Verifying practitioner's registration with regulatory bodies and to facilitate audits with external auditors.

Processing is necessary

  • formal joint projects, initiatives, and research activities
  • networking, knowledge sharing, professional development and support

Where we process Special Category data for these purposes, we do so because it is necessary in the substantial public interest.

Processing is necessary

  • To perform a public task/ exercise official authority

C: Employees of Suppliers

Specific Purpose

Legal Basis

To allow us to communicate with you in support of using the services you provide to us

Processing is necessary:

  • for the legitimate purpose of communicating with suppliers of services and/ or
  • the performance of a contract or prior to entering into a contract

D: Keeping in Touch

Specific Purpose

Legal Basis

To allow us to hold your contact details so that we can communicate with you on matters where you have registered an interest in being informed about our activities.

Processing is done with your consent which you may withdraw at any time.

Keeping People Safe on our Premises

Specific Purpose

Legal Basis

Holding recorded footage of you obtained from CCTV cameras for preventing and detecting crime and the health and safety of users of our premises and supporting investigations into suspected breaches of our polices and regulations.

Processing is necessary:

for performance of a task carried out in the public interest namely:

  • the safety of users of our premises
  • prevent and detect damage incidents of damage to our property and the property of our students, staff and visitors
  • prevent and detect incidents of breaches of our policies and regulations

F: Governors

Specific Purpose

Legal Basis

Assessing applicants to be a member of the governing body against the ‘fit and proper’ persons test in accordance with the conditions of registration as a Higher Education institute regulated by the Office for Students (OfS)

Processing is necessary:

  • for performance of a task carried out in the public interest namely the efficient governance of the University

Publicising information about Governors in line with regulatory requirements, including informing the Office for Students (OfS)

Processing is necessary:

  • for performance of a task carried out in the public interest namely the efficient governance of the University

G: Commercial Customers

Specific Purpose

Legal Basis

Using your contact details to provide goods and services that you have requested from us.

Processing is necessary:

  • The performance of a contract or prior to entering into a contract

Keeping you informed about our goods or services that:

  • you are continuing to receive from us under contract or
  • are the same or similar to those you have previously requested from us

Processing is necessary:

  • The performance of a contract or prior to entering into a contract, or
  • Our legitimate interest in providing our commercial activities from which you can opt-out of receiving further contact

Contacting you regarding goods or services which you have not previously requested from us or are not similar to those previously requested.

Processing is undertaken only with your consent which you can withdraw at any time.

H: Events Broadcast and Recording

Specific Purpose

Legal Basis

Supporting participation in and access to events and learning opportunities to a broader number of participants through live-streaming the activity

Processing is necessary for:

  • The delivery of inclusive learning services under our public task
  • Supporting broad participation in partnership, networking and conference activities under our public task, or under contract (for commercial activity), or under our legitimate interests (where not commercial nor directly related to public task activity)
  • Promoting significant events for the University to a broad audience under our legitimate interests

Supporting participation in and access to events and learning opportunities for a broader number of participants through recording the activity

Processing is necessary:

  • The delivery of inclusive learning services under our public task
  • Professional development and the development of learning resources under our public task
  • Adding to our archival holdings recording significant events in the University’s history for posterity under our legitimate interest

Your rights under GDPR

 

Please read about your rights under Data Protection legislation. It is important to note that the ‘legal basis’ we rely on (above) to process your data determines which of your rights are available. You are not expected to know these details, it is our responsibility to understand how the law applies and to explain it to you when responding to a request from you. Our Rights guidance is an opportunity to provide you with information on how you can expect us to handle your requests.

The law provides for the following rights:

  • To be informed
  • To access your data
  • To rectify (change, update or correct) your data
  • To erase (remove, delete or destroy) your data
  • To restrict our use of your data
  • To data portability
  • To object
  • To not be subject to automated decision-making and profiling

To complain to the Information Commissioner’s Office (ICO): the ICO is the UK supervisory authority for data protection issues. For more information please visit the ICO website.

Information Security

 

ARU is committed to holding your data securely and uses information security best practice to transmit personal data. Data is held in accordance with the Corporate Information Security Policy . For example, your personal data is accessible only by those authorised and who have a business need for access. When shared with third parties, your personal data is shared with encryption or in password protected files.

Where we have given you (or where you have chosen) a password that enables you to access our systems, you are responsible for keeping this password confidential. You must not share passwords with anyone.

Although we maintain a number of safeguards, fraudulent email requests are occasionally delivered to staff and students. We will never ask for your username or password by email. Any message that does so should be treated as a potential breach of security, no matter how legitimate it may appear. If you are in any doubt, do nothing until you have spoken to a member of the IT Services Customer Support Team.

ARU have put in place procedures to deal with any suspected data security incident and will notify you and any applicable regulator where we are required to do so. If you have any concerns that personal data has been compromised please contact