Privacy Notice for Visitor Registration

This privacy notice explains what personal information the University holds about visitors. It explains why we hold this information, what we do with it, how long we keep it for and if we share it with third parties.

This privacy notice explains what personal information the University holds about you. It explains why we hold this information, what we do with it, how long we keep it for and if we share it with third parties.

For the purposes of this document and IT services you are classed as a visitor, a generic term which covers all users of IT services who are not on the staff payroll or applicants, students or alumni recorded in the systems of record for those users. The term does not necessarily imply that you are a visitor in the sense in general usage and includes many temporary or contractor staff, professors emeritus, employees of associated organisations, contractors and other types of people who require access to University IT services.

What information do we hold and why?

We collect and use your personal data for a number of purposes, but primarily in order to provide IT services that support your relationship with the University. The main pieces of information we hold are your personal details (name, address, email address, University provided email address if relevant) in order to provide you with services.

We also use individual visitor information to help us understand the make-up of the community we serve.  We use it to generate reports and to help us to make decisions which will impact visitors and the services you use.

The table below describes in full the information we hold, what we need it for, where we get it from and who we share it with.  It also explains the basis we can legally rely on to request and retain information about you. If you have a may be a specific contract (for instance if you are employed by the University as a contractor or via an agency) then that will be the basis or otherwise our legitimate interest in the provision of services if you have a different relationship with the University.

Use of your information

We will keep your personal data no longer than is necessary, your name and other identifying information will be retained for 7 years after the end of your engagement with the University so your account can be reactivated when you return.

We do not use profiling or automated decision-making processes.  This means that a human decision maker will be involved in every decision made about you.

General information about the University’s approach to data protection and to your rights can be found here. 

Where do we get your information?

Your information is provided via the department that sponsors your visit and authorises your use of University IT services. Please contact your department for more information.

IT Systems

The university is made up of many services and departments who collect, process and store your data in a variety of sub-systems to deliver their services. These local systems are part of the corporately-supported IT architecture which maintains a live service as well as copies of the live systems used for software development and testing. These development and testing systems will also contain your data and respect the University’s data retention periods. 

Your usage of IT services will be recorded in usage logs and audit trails as part of the normal operation of the services. This information may be used to support your usage of systems, investigate information security or data integrity incidents, or provide evidence in disciplinary procedures. The data may also be used to understand usage and performance of IT systems.

It is in the legitimate interest of the University to use your data in this way to ensure that the services you interact with are secure and provide the best (student) experience possible.

The University uses 3^rd parties to provide a number of IT Services (such as Office 365 Email via Microsoft). While your data will be used by 3^rd parties to deliver these services the University retains control of your data as part of these arrangements, and the 3^rd parties will not be allowed to use your data for any other purpose.

Contact

If you have any questions, please contact your school Data Protection Champion.

If you write to us in Gaelic, we may be using a third party translator to translate your message into English and our response back into Gaelic.

Ma sgrìobhas sibh litir no post-d thugainn sa Ghàidhlig, tha e comasach gun cleachd sinn eadar-theangair airson do theachdaireachd eadar-theangachadh bhon Ghàidhlig gu Beurla agus freagairt air ais dhan a’ Ghàidhlig.

Additional privacy statements

The University maintains several other privacy statements that are specific to services delivered.

Information that we will process

The legal basis for processing will be determined on whether you have a contract with the Universtiy.

Information that we may process depending on your circumstances

As well as the information listed above there is other information that we may process depending on the nature of your relationship with the University

Please check with the person sponsoring your visit or the Data Protection champion for that area of the University if you have any queries.

Data controller and contact details

For data collected under this privacy notice, the University of Edinburgh (the “University”) is the Data Controller (as that term is defined in the EU General Data Protection Regulation (Regulation (EU) 2016/679), registered with the Information Commissioner’s Office, Registration Number Z6426984.

The University's Data Protection Officer can be contacted at:

Our data protection policy is on our website.

University data protection policy

Data sharing

In addition to the primary purposes, we are also legally obliged to share certain data with other public bodies such as HMRC and will do so where the law requires this; we will also generally comply with requests for specific information from other regulatory and law enforcement bodies where this is necessary and proportionate. 

Transfers outside the European Economic Area

The University will only transfer data to countries outside the EEA when satisfied that both the party which handles the data and the country it is processing it in provide adequate safeguards for personal privacy. Details of such transfers and safeguards are on our website.

Your rights

You have the right to request access to, copies of and rectification or (in some cases) erasure of personal data held by the University and can request that we restrict processing or object to processing as well as (in some cases) the right to data portability (i.e. the right to ask us to put your data into a format that it can be transferred easily to a different organisation). If you wish to make use of one of these rights, please email your local contact.

If we have asked for your consent in order to process your personal data you can withdraw this consent in whole or part at any time. To withdraw consent, please email your local contact, who will explain the consequences of doing so in any particular case and initiate proceedings for withdrawing consent. 

Complaints

If you are unhappy with the way we have processed your personal data you have the right to complain to the Information Commissioner’s Office (ICO), but we ask that you raise the issue with our Data Protection Officer first.

For information about reporting a concern to the ICO see their website:

ICO guidance on reporting a data protection concern