Information about you: how we use it and who we share it with
Where does the University get your personal data from?
We obtain personal data about you from the following sources:
- From you, when you provide your contact details for open day activities, your application, when registering as a student with us or during your studies.
- From third party sources (e.g. UCAS, your funding body or other institutions involved in collaborative programmes). When we obtain personal data about you from third party sources, we will aim to ensure that the third party has lawful authority to provide us with your personal data.
Purposes for processing
The information you provide will be used by the University for the administration of your position as a student with us, including the use of our services such as residential services, lecture capture, attendance and engagement monitoring, pastoral support, library facilities and sports facilities.
We set out in table 1 (below) the purposes for which we will process your personal data in detail.
There are various legal bases for our use of your information. You will find the appropriate legal basis for each purpose of use against each category in table 1.
Here is a brief explanation of the grounds referred to under table 1:
- Consent – on specific occasions the University will only process certain data if you consent, e.g. on registration there are certain special categories of data that you only need to provide if you agree to their collection.
- Necessary for the performance of your student contract – on many occasions the University will process your data to enable it to meet its commitments to you, e.g. those relating to teaching and assessment.
- Necessary to comply with a legal obligation – the University has legal obligations to provide your personal data to others, e.g. the Higher Education Statistics Agency (HESA) or UK Visas and Immigration.
- For the purpose of protecting the vital interest of yourself or another – sometimes in extreme circumstances the University will have to release information to protect your interests or the interests of others, e.g. in medical emergencies.
- Processing necessary for the performance of a task carried in the public interest – the University is an educational establishment and in particular its educational activity is conducted in a public interest (including your interest and the interest of others).
- Processing is necessary for the purposes of the legitimate interest of the University or a third-party, subject to the overriding interests of the data subject – the University (and sometimes third parties) has a broad legitimate interest in activities that connect to the education of students. Subject to those legitimate interests not being overridden by the interests of students’ fundamental rights and freedoms, it will pursue those interests. A good example of this legitimate interest would be the University’s Alumni activities. Where “legitimate interest” is used it is generally in the interest of the University (or third party) in providing or supporting the provision of higher education to its students.
- Automated decision making necessary for performance of a contract – if the University needs to automate decisions relating to the services it is providing to you.
Special category data is personal data which is more sensitive, and so needs more protection. This data would include anything that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. To process these types of data additional legal bases are required:
- Processing special categories of data where you have given consent – the University will process certain sensitive information about you with your consent.
- Processing special categories of data where necessary for reasons of substantial public interest.
- Processing special categories of data in connection with legal claims.
Sharing your information
Every year we will send some of the information we hold about you to Higher Education Statistics Agency. HESA is the official source of data about UK universities and higher education colleges. This data collection includes the special category data of disability, ethnicity, sexual orientation, faith and belief and gender identity. Their student collection notice can be found here:
Information about medical students will be shared with National Health Service and the General Medical Council as part of their training and registration with accrediting bodies. (Legal basis: ‘task carried out in the public interest’)
Student data will be used for statistical purposes to satisfy the University’s reporting obligations to accrediting bodies in an “aggregated” form, which means that your individual data will not be identifiable.
Information about Scottish and EU students will be shared with Scottish Funding Council for statistical purposes.
Information about non-EEA students will be shared with United Kingdom Visas and Immigration. (Legal basis: ‘legal obligation’)
Information relating to research postgraduate students who are funded through external grants will be shared with J-es and will be used by research funders to conduct audits of the outcomes of their research funding. (Legal basis: ‘performance of contract’)
Police forces within the United Kingdom can request information about a student’s contact details, programme and timetable that the University may share under the Data Protection Law. These requests are stored for six years. All requests are reviewed by the Head of Student Administration Services on a case by case basis. (Legal basis: ‘task carried out in the public interest’)
Data about your matriculation is shared with your funding bodies to verify that you have taken up your place and started your studies to allow the payment of your tuition fee. (Legal basis: ‘performance of contract’)
Your data is shared with the Edinburgh University Students' Association is an autonomous, student-led, campaigning organisation, which provides services, representation and welfare support on behalf of its members – the University's students. (Legal basis: ‘legal obligation’)
Schools share with Student Representatives the University student email address of the students they represent or facilitate alternative ways for representatives to contact all classmates. (Legal basis: ‘legitimate interest’)
Information about your studies may be shared with placement providers. (Legal basis: ‘performance of contract’)
The Protecting Vulnerable Groups (PVG) Scheme application form which is completed by a successful applicant for a degree programme which requires PVG Scheme membership and which is given to the University of Edinburgh for verification and countersignature, will be passed to Disclosure Scotland once the form has been countersigned. (Legal basis: ‘legal obligation’)
If you choose to accept a work or study placement with an external partner that is arranged by the University, relevant information about your identity, programme of studies and contact information may be shared with the external partner.
Information about students may be used to enforce the Conflict of Interest policy which is designed to ensure that the university’s students and staff are provided with an environment in which they can excel and thrive. The full policy can be found here: Conflict of Interest (ed.ac.uk).
We may pass your personal data to other parties who process data on our behalf. Where we do this, a written contract will be put in place between the University and the service provider to set out the purposes for which the information can be used and the security measures that must be in place. This contract will ensure that the service provider agrees never to use your data for any additional purpose not set out in the agreement with the University. Categories of recipients of personal data include mailing houses to send our publications.
If you write to us in Gaelic, we may be using a third party translator to translate your message into English and our response back into Gaelic.
Ma sgrìobhas sibh litir no post-d thugainn sa Ghàidhlig, tha e comasach gun cleachd sinn eadar-theangair airson do theachdaireachd eadar-theangachadh bhon Ghàidhlig gu Beurla agus freagairt air ais dhan a’ Ghàidhlig.
The University is made up of many services and departments who collect, process and store your data in a variety of sub-systems to deliver their services. These local systems are part of the corporately-supported IT architecture which maintains a live service as well as copies of the live systems used for software development and testing. These development and testing systems will also contain your data and respect the University’s data retention periods.
Your usage of IT services will be recorded in usage logs and audit trails as part of the normal operation of the services. This information may be used to support your usage of systems, investigate information security or data integrity incidents, or provide evidence in disciplinary procedures. The data may also be used to understand usage and performance of IT systems.
It is in the legitimate interest of the University to use your data in this way to ensure that the services you interact with are secure and provide the best student experience possible.
The University uses 3rd parties to provide a number of IT Services (such as Office 365 Email via Microsoft). While your data will be used by 3rd parties to deliver these services the University retains control of your data as part of these arrangements, and the 3rd parties will not be allowed to use your data for any other purpose.
The University of Edinburgh is organisation which receives public funding. Collecting and analysing survey data allows us to demonstrate that we are adhering to quality standards set by Quality Assurance Agency for Higher Education and that we are offering a high quality learning and teaching experience to our students.
It is therefore in the University’s legitimate interest for us to take part in national surveys like National Student Survey, Postgraduate Taught Experience Survey and Postgraduate Research Experience Survey to allow us to understand how our students are experiencing their learning and teaching and to benchmark ourselves against other institutions to consider via league tables whether the experiences and patterns reported nationally are reflective of our own students’ experience.
This processing activity is important for the University as it provides a way of obtaining feedback on programmes, courses, teaching and facilities from a large sample of students. For national surveys, this processing activity may include sending data securely to an external sub-processor.
Survey reporting is either carried out at aggregate level for quantitative data (statistical) where your individual data is not identifiable, and at an individual level for qualitative data (i.e. free text comments). Output is anonymised so that your data cannot be identified.
Automated decision making
We do not use profiling or automated decision-making processes. Some processes are semi-automated (such as anti-fraud data matching), but a human decision maker will always be involved before any decision is reached in relation to you.
Management information, research, and learning analytics
We may analyse data on students' admissions, enrolment and achievement, survey responses, attendance and engagement, and service utilisation data in order to support the University’s governance and management. This includes means that we will use students’ data to improve decision making and the student experience for future cohorts of students, including specific uses such as to: understand the relationship between pre-University qualifications and student achievement; support course and programme quality assurance; enhance the quality of the University's learning, teaching and assessment; widen access to and improve the experience of students from disadvantaged groups; enhance the University's student systems and support services; and to enable students' to reflect on their own learning by providing them with anonymised information regarding the patterns of learning of other students. While we will where possible use anonymised data for these purposes, in some cases we will use personal data where there is a legitimate interest in doing so. Where we use personal data for these purposes, we will ensure that any published information is anonymised. In the vast majority of cases analysis will be presented in aggregate, even if the underlying calculations depend upon matching data at individual level.
If you have any questions, please contact your school or the Data Protection Officer at DPO@ed.ac.uk.
Additional privacy statements
The University maintains several other privacy statements that are specific to services delivered.
Development and Alumni
Development and Alumni works with the academic community to engage alumni (former students) in the life of the University. We ensure that alumni are provided with an array of services and opportunities to connect with each other and the institution throughout their lifetime, and are inspired to support current students, teaching, research and capital projects at the University.
We use the personal data of alumni to provide services and opportunities, to promote the development of alumni networks around the world, to ensure our communications are timely and appropriate, to enable us to make better decisions, use our resources effectively and raise philanthropic gifts more efficiently.
We take appropriate steps to ensure that we only record and store personal data which is relevant, that we keep it securely, that it is accurate and up-to-date, and kept for an appropriate length of time.
Full details of how and why we use your data can be found in our privacy notice: www.ed.ac.uk/development-alumni/privacy
Other privacy statements
During your studies you may enter into some non-standard procedures that have their own privacy statements. A list of examples can be found below:
Special circumstances, Authorised Interruption of Studies, Leave of Absence, Concessions and Coursework, Extension requests:
Privacy Statement for Student Wellbeing Service
Covid 19 test and protect privacy notice
Code of Conduct:
Use of your special category data in relation to the above procedures:
Edinburgh University Students’ Association
University Sport & Exercise
Applicant Privacy notice
The remainder of the privacy notice can be found at: https://edin.ac/privacy
Table 1: Uses of your data can be found here: