Finance Privacy Notice

Your data and privacy

About this notice

This privacy notice provides information about how the University collects and uses your personal information in relation its financial processes and procedures. It explains why we hold this information, what we do with it, how long we keep it for and if we share it with third parties.

About you

This privacy notice uses “you” to mean any individual about whom we collect and hold personal data, including staff, students, pensioners, customers, suppliers, alumni, funders, sponsors, parents or other stakeholders engaged with the University’s financial processes and procedures.

What information may we collect about you?

We may collect, store and use the following categories of personal data:

  • your details including name, title, addresses, telephone numbers, personal  e-mail addresses, signature 
  • financial data, including bank account details, payment information, purpose of payment, debit/credit card information
  • other relevant personal information. For example, if you are booking a place at a conference or event, the conference organisers may ask you to provide other relevant information e.g. details of any dietary requirements or allergies
  • customer feedback. We may carry out customer research by providing customers with access to feedback questionnaires. Although this feedback is anonymous, the questionnaires provide the opportunity for free text comments, in which a customer may supply personally identifiable information about themselves, other customers or members of staff
  • IP address in relation to online payments made to the University
  • information needed to confirm employment status, including national insurance number, UTR  
  • personal information supplied as part of the procurement process

Sensitive personal data where consent is given in relation to :

  • an insurance claim or other legal matter
  • collection of income due to the University
  • a procurement process

How is your personal data collected?

Information you give to us.

You may give us your personal data through the information collected about you in order to make a payment to you, take a payment from you, respond to an email relating to an enquiry etc.  

Information transferred from third parties

Your personal data may be shared by third parties for the purposes of administering and managing finance.  

How we will use the information about you?

If you have made a payment to the University or received a payment from the University or been involved with a procurement tender, you will have supplied information about yourself (your “personal data”).  Your personal data will be used by the University to administer its financial processes, protect against fraud and manage its finances.

We need to hold personal data for the following reasons:

  • manage the payment processes between you and the University
  • maintain accurate and up-to-date records
  • event administration
  • report information to the University’s insurers in respect of accidents or incidents
    • disclosures of sensitive personal data in this context would only be made where explicit consent has been obtained, disclosure is in the substantial public interest, or where necessary for the establishment, exercise or defence of a legal claim.
  • administer the repayment of debts, where recovery attempts have proved unsuccessful.
    • we may use external agents of the University including (but not limited to) solicitors, debt recovery agents, tribunals and Courts
  • collect payments from externally hosted IT services
  • process any complaint you submit
  • to detect, investigate and prevent crime including fraud
  • for research and statistical purposes
  • maintain or develop systems and processes
  • meet legislative, statutory, contractual and audit requirements
  • improve service levels
  • as part of the procurement process

What is the legal basis for processing your personal data?

We must have a legal basis for processing your personal data (and special categories of your personal data). The legal basis for processing personal data is set out in data protection legislation. Some of the above basis for processing will overlap with others, so there may be several grounds which justify us using your personal data.

We will process your personal data based on the consent that you have provided to us e.g. for the purposes of making an insurance claim.

We also have legal obligations to hold personal data, for example we must provide payment information to HMRC. We may therefore use your personal data to fulfil these obligations.

We may also process your data on the basis of our legitimate interests i.e. for administrative purposes, management information or statistical analysis purposes.

As we process special category data, we must also identify a special category condition for processing. We process special category data where we have your explicit consent.

Third Parties

The University will use one or more external companies to process information about you on the University’s behalf. The University remains responsible for the information and will ensure it is kept securely.

Your personal data may be shared by and/or among the Joint Controllers for the purposes for administering payment processes. 

Who we share your information with Why we share your information
Financial Institutions including Brokers, Banks, Building Societies, BACS and other related payment service providers To make or receive payments from you
Contracted Third Parties To help deliver our service, we may share you personal data with external bodies subject to data sharing agreements which include data protection safeguards e.g. external auditors, document scanning service providers, software providers, bank detail validation
eMail service providers To contact you
External agents of the University including (but not limited to) solicitors, debt recovery agents, tribunals and Courts To recover monies due to the University
Funders/Sponsors e.g.  United Kingdom Research and Innovation ("UKRI"), European Union, Charities, Commerical Sponsors To verify funder terms and conditions have been met
Government agencies related to High Education including The Scottish Funding Council ("SFC"), The Office for Students ("OfS"), Student Loans Company ("SLC"), Student Awards Agency for Scotland ("SAAS"), Universities UK (UUK), and the Higher Education Statistics Agency ("HESA") For the purposes of carrying out statutory functions relating to the funding of education and for statistical analysis. These agencies should not identify individuals in any published results.
HMRC To verify details or to provide information in relation to payments made
Insurers, brokers. solicitors For the provision of information relevant to insurance claims
Third-party payroll service providers, benefits providers, pension administration To support financial administration and payments made to individuals

You should check the privacy policies of the relevant Joint Controller and the organisations mentioned above (available on their websites) in order to fully understand how they will process your data.

Storage of your personal data

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

Our website may, from time to time, contain links to and from websites of third parties. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to us over the internet, and any such transmission is at your own risk. Once we have received your information, we will use strict procedures and security measures to try to prevent unauthorised access.

Further information about the University’s Data Protection and Information Security policies can be found by clicking on the links below.

Data Retention

We will retain your personal data for as long as it is necessary to fulfil the purposes for which we collected it, including satisfying any legal, accounting, reporting or statutory requirements.

Data Retention Periods

Automated processing and profiling

We do not use profiling or automated decision-making processes. Some processes are semi-automated (such as anti-fraud data matching) but a human decision maker will always be involved before any decision is reached in relation to you.

Changes to this privacy notice

Please check back frequently to see any updates or changes to this Notice.


Questions, comments and requests regarding this Privacy Notice are welcomed and should be addressed to Finance Department, Charles Stewart House, 9-16 Chambers Street, Edinburgh, EH1 1HT. You can also email as at:

This privacy statement is continued at: