Privacy statements
Privacy statements relating to services provided by IT Infrastructure.
The management of IT Infrastructure generates audit logs and some of these may contain personal information.
The University uses external companies to provide some IT services and it may be necessary to give them access to some of this information to enable resolution of any problems around access and/or functionality. In the course of this, they may only use the parts of the information necessary to maintain the proper working of a particular service and within the terms of specific contracts entered into.
We will not share your data with any third party unless and when there is a legal obligation to do so.
We use these logs to ensure the correction functioning of IT services, to maintain their security, to provide information and data to aid with capacity management, to respond to support requests and to comply with the law.
The information that may be logged as a result of interactions with University IT services comprises the following:
- Personal name
- Email addresses
- Phone numbers
- Subjects of emails sent or delivered
- IP addresses and names of computers or devices involved with accessing our services or of those servers that your information may flow through e.g. email delivery servers
- University username if one is assigned to you
- Numeric identifiers needed for some IT services to operate that are unique to your account or to the transaction
- Membership of access control groups defining what parts of the University you may be associated with, courses you may be enrolled on and other groups defined to control access to services
- Dates and times
- Text descriptions of the transaction or associated error messages
Some processes are automated and some are semi-automated (such as anti-fraud data matching to detect compromised accounts) but for these a human decision maker will always be involved before any decision is reached in relation to you.
Logs may be processed prior to 14 months or retained for shorter periods if there is no requirement to keep the information for longer. After 14 months logs may be retained for further purposes but all personal information will either be stripped from the log or anonymised/pseudonymised to remove the personal information.
Data controller and contact details
For data collected under this privacy notice, the University of Edinburgh (the “University”) is the Data Controller (as that term is defined in the EU General Data Protection Regulation (Regulation (EU) 2016/679), registered with the Information Commissioner’s Office, Registration Number Z6426984.
You can contact our Data Protection Officer at dpo@ed.ac.uk. Our data protection policy is on our website.
Mandatory data sharing
In addition to the primary purposes, we may also legally obliged to share certain data with other public bodies and will do so where the law requires this; we will also generally comply with requests for specific information from other regulatory and law enforcement bodies where this is necessary and proportionate.
Transfers outside the EEA
The University will only transfer data to countries outside the EEA when satisfied that both the party which handles the data and the country it is processing it in provide adequate safeguards for personal privacy. Details of such transfers and safeguards are on our website.
Your rights
You have the right to request access to, copies of and rectification or erasure of personal data held by the University and can request that we restrict processing or object to processing as well as the right to data portability (i.e. the right to ask us to put your data into a format that it can be transferred easily to a different organisation). If you wish to make use of one of these rights, please email your local contact. If we have asked for your consent in order to process your personal data you can withdraw this consent in whole or part at any time. To withdraw consent, please email your local contact, who will explain the consequences of doing so in any particular case and initiate proceedings for withdrawing consent.
Complaints
If you are unhappy with the way we have processed your personal data you have the right to complain to the Information Commissioner’s Office at casework@ico.org.uk but we ask that you raise the issue with our Data Protection Officer first.
More information on the University of Edinburgh's use of cookies and your privacy
For more information about the university's use of cookies and your privacy, please see the University Website.