Information about you: how we use it and who we share it with
Where does the University get your personal data from?
We obtain personal data about you from the following sources:
- From you, when you provide your contact details for open day activities, your application, when registering as a student with us or during your studies.
- From third party sources (e.g. UCAS, your funding body or other institutions involved in collaborative programmes). When we obtain personal data about you from third party sources, we will aim to ensure that the third party has lawful authority to provide us with your personal data.
Purposes for processing
The information you provide will be used by the University for the administration of your position as a student with us, including the use of our services such as residential services, lecture capture, attendance and engagement monitoring, pastoral support, library facilities and sports facilities.
We set out in table 1 (below) the purposes for which we will process your personal data in detail.
There are various legal bases for our use of your information. You will find the appropriate legal basis for each purpose of use against each category in table 1.
Here is a brief explanation of the grounds referred to under table 1:
- Consent – on specific occasions the University will only process certain data if you consent, e.g. on registration there are certain special categories of data that you only need to provide if you agree to their collection.
- Necessary for the performance of your student contract – on many occasions the University will process your data to enable it to meet its commitments to you, e.g. those relating to teaching and assessment.
- Necessary to comply with a legal obligation – the University has legal obligations to provide your personal data to others, e.g. the Higher Education Statistics Agency (HESA) or UK Visas and Immigration.
- For the purpose of protecting the vital interest of yourself or another – sometimes in extreme circumstances the University will have to release information to protect your interests or the interests of others, e.g. in medical emergencies.
- Processing necessary for the performance of a task carried in the public interest – the University is an educational establishment and in particular its educational activity is conducted in a public interest (including your interest and the interest of others).
- Processing is necessary for the purposes of the legitimate interest of the University or a third-party, subject to the overriding interests of the data subject – the University (and sometimes third parties) has a broad legitimate interest in activities that connect to the education of students. Subject to those legitimate interests not being overridden by the interests of students’ fundamental rights and freedoms, it will pursue those interests. A good example of this legitimate interest would be the University’s Alumni activities. Where “legitimate interest” is used it is generally in the interest of the University (or third party) in providing or supporting the provision of higher education to its students.
- Automated decision making necessary for performance of a contract – if the University needs to automate decisions relating to the services it is providing to you.
Special category data is personal data which is more sensitive, and so needs more protection. This data would include anything that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. To process these types of data additional legal bases are required:
- Processing special categories of data where you have given consent – the University will process certain sensitive information about you with your consent.
- Processing special categories of data where necessary for reasons of substantial public interest.
- Processing special categories of data in connection with legal claims.
Sharing your information
Every year we will send some of the information we hold about you to Higher Education Statistics Agency. HESA is the official source of data about UK universities and higher education colleges. This data collection includes the special category data of disability, ethnicity, sexual orientation, faith and belief and gender identity. Their student collection notice can be found here:
Information about medical students will be shared with National Health Service and the General Medical Council as part of their training and registration with accrediting bodies.
Student data will be used for statistical purposes to satisfy the University’s reporting obligations to accrediting bodies in an “aggregated” form, which means that your individual data will not be identifiable.
Information about Scottish and EU students will be shared with Scottish Funding Council for statistical purposes.
Information about non-EEA students will be shared with United Kingdom Visas and Immigration.
Information relating to research postgraduate students who are funded through external grants will be shared with J-es and will be used by research funders to conduct audits of the outcomes of their research funding.
Police forces within the United Kingdom can request information about a student’s contact details, programme and timetable that the University may share under the Data Protection Law. These requests are stored for six years. All requests are reviewed by the Head of Student Administration Services on a case by case basis.
Information about your matriculation will be shared with your funding body to verify that you have started your studies.
Data about your matriculation is shared with your funding bodies to verify that you have taken up your place and started your studies to allow the payment of your tuition fee.
Your data is shared with the Edinburgh University Students' Association is an autonomous, student-led, campaigning organisation, which provides services, representation and welfare support on behalf of its members – the University's students.
Schools share with Student Representatives the University student email address of the students they represent or facilitate alternative ways for representatives to contact all classmates.
The University is made up of many services and departments who collect, process and store your data in a variety of sub-systems to deliver their services. These local systems are part of the corporately-supported IT architecture which maintains a live service as well as copies of the live systems used for software development and testing. These development and testing systems will also contain your data and respect the University’s data retention periods.
Your usage of IT services will be recorded in usage logs and audit trails as part of the normal operation of the services. This information may be used to support your usage of systems, investigate information security or data integrity incidents, or provide evidence in disciplinary procedures. The data may also be used to understand usage and performance of IT systems.
It is in the legitimate interest of the University to use your data in this way to ensure that the services you interact with are secure and provide the best student experience possible.
The University uses 3rd parties to provide a number of IT Services (such as Office 365 Email via Microsoft). While your data will be used by 3rd parties to deliver these services the University retains control of your data as part of these arrangements, and the 3rd parties will not be allowed to use your data for any other purpose.
The University of Edinburgh is organisation which receives public funding. Collecting and analysing survey data allows us to demonstrate that we are adhering to quality standards set by Quality Assurance Agency for Higher Education and that we are offering a high quality learning and teaching experience to our students.
It is therefore in the University’s legitimate interest for us to take part in national surveys like National Student Survey, Postgraduate Taught Experience Survey and Postgraduate Research Experience Survey to allow us to understand how our students are experiencing their learning and teaching and to benchmark ourselves against other institutions to consider via league tables whether the experiences and patterns reported nationally are reflective of our own students’ experience.
This processing activity is important for the University as it provides a way of obtaining feedback on programmes, courses, teaching and facilities from a large sample of students.
Survey reporting is either carried out at aggregate level for quantitative data (statistical) where your individual data is not identifiable, and at an individual level for qualitative data (i.e. free text comments). Output is anonymised so that your data cannot be identified.
Automated decision making
We do not use profiling or automated decision-making processes. Some processes are semi-automated (such as anti-fraud data matching), but a human decision maker will always be involved before any decision is reached in relation to you.
Management information, research, and learning analytics
We may analyse data on students' admissions, enrolment and achievement, survey responses, attendance and engagement, and service utilisation data in order to support the University’s governance and management. This includes means that we will use students’ data to improve decision making and the student experience for future cohorts of students, including specific uses such as to: understand the relationship between pre-University qualifications and student achievement; support course and programme quality assurance; enhance the quality of the University's learning, teaching and assessment; widen access to and improve the experience of students from disadvantaged groups; enhance the University's student systems and support services; and to enable students' to reflect on their own learning by providing them with anonymised information regarding the patterns of learning of other students. While we will where possible use anonymised data for these purposes, in some cases we will use personal data where there is a legitimate interest in doing so. Where we use personal data for these purposes, we will ensure that any published information is anonymised. In the vast majority of cases analysis will be presented in aggregate, even if the underlying calculations depend upon matching data at individual level.
If you have any questions, please contact your school or the Data Protection Officer at DPO@ed.ac.uk.
Additional privacy statements
The University maintains several other privacy statements that are specific to services delivered.
Development and Alumni
Development and Alumni works with the academic community to engage alumni (former students) in the life of the University. We ensure that alumni are provided with an array of services and opportunities to connect with each other and the institution throughout their lifetime, and are inspired to support current students, teaching, research and capital projects at the University.
We use the personal data of alumni to provide services and opportunities, to promote the development of alumni networks around the world, to ensure our communications are timely and appropriate, to enable us to make better decisions, use our resources effectively and raise philanthropic gifts more efficiently.
We take appropriate steps to ensure that we only record and store personal data which is relevant, that we keep it securely, that it is accurate and up-to-date, and kept for an appropriate length of time.
Full details of how and why we use your data can be found in our privacy notice: www.ed.ac.uk/development-alumni/privacy
Other privacy statements
During your studies you may enter into some non-standard procedures that have their own privacy statements. A list of examples can be found below:
Special circumstances, Authorised Interruption of Studies, Leave of Absence, Concessions and Coursework, Extension requests: https://www.ed.ac.uk/files/atoms/files/specialcircumstancesaisconcessionsloaprivacynotice.pdf
Code of Conduct:
Use of your special category data in relation to the above procedures:
Edinburgh University Students’ Association
University Sport & Exercise
Applicant Privacy notice
The remainder of the privacy notice can be found at: https://edin.ac/privacy
Table 1: Uses of your data
"Retention period" refers to the number of academic years that your data will be held for after you complete your studies.
|Data category||Short description||Specific purpose||Legal basis||Retention period|
|Personal information about your identity||
The University of Edinburgh will use data about you to be able to identify you as an individual when at or interacting with the University.
Your name, title and gender will be accessible to university staff who will be supporting your studies while at university. Your photograph is part of your student record and can be found on your student card. This is used to confirm your identity when interacting with staff at the university.
Some courses may display identity on internal websites or wikis accessible to staff and students on course. Consult your course handbooks for more information.
|Task carried out in the public interest||In perpetuity; photographs 2 years|
|Reference numbers with external bodies, such as UCAS identification number, HESA, teaching union , nursing union and law society.||Task carried out in the public interest||In perpetuity|
|Contact information will be used to confirm you identity when required and used to contact you.||
Your home address, term time address, mobile phone number and personal email address are stored will be used to contact you with information relevant your studies throughout your time at university.
|Performance of contract||Duration of study|
After you complete your studies the university will retain your information in order to contact you in the future. More information about how the university will use your contact information can be found under the “Development and Alumni” section above
|Legitimate interest||In perpetuity|
All Scottish universities are required to determine fee status in accordance with regulations approved by the Scottish Parliament - the Education (Fees) (Scotland) Regulations 2011. Your tuition fee status and the level of tuition fee that you pay is determined by your nationality and the country in which you are ‘ordinarily resident’.
|Your country of domicile and nationality are used to calculate your fee status and resulting tuition fees. If the information provided during admissions cannot clearly define your fee status then you may be required to complete a Fee Status Questionnaire, which will ask you to for more information to identify your fee status. You may have to provide evidence of your place of birth, previous schools, copies of your passport and your parents’ passports.||Legal Obligation (the Education (Fees) (Scotland) Regulations 2011)||7 years|
The University, government agencies, research councils, charitable trusts and external bodies offer a number of scholarships, studentships and loans to help you pursue your ambitions. Applications for different scholarships can be submitted for review, but eligibility to scholarships may be limited to specific programmes and student nationalities.
The scholarship application process will use student nationality and programme of study data to ascertain eligibility for a specific scholarship. Upon application you will be asked to provide a personal statement. Successful applicants will receive an award letter detailing the terms and conditions of the scholarship.
The information may be shared with the scholarship provider.
|Performance of contract||
Successful applications - 7 years
Unsuccessful applications – 1 year
|Core academic data||
Your student record includes personal information and details about your academic record. This is used by the University to deliver learning and teaching and the many services provided by the University to support students listed in this document.
|The University maintains up-to-date records regarding your programme of study, mode of study, method of study, course enrolments, course work assignment submissions, periods of matriculation and absence to administer your teaching and your progression through your programme. This information may be discussed in meetings and recorded in minutes and notes. This information may be used to produce class lists.||Task carried out in the public interest.||10 years|
|Higher Education Achiement Report (HEAR)||
The Higher Education Achievement Report (HEAR) will provide a single comprehensive record of your achievements as a student at the University of Edinburgh.
The HEAR builds upon existing information incorporating an expanded academic transcript and the European Diploma Supplement. This will provide you with more detailed information about your learning and achievement than the traditional degree classification system alone, and will serve to support applications for employment and further studies.
Your HEAR will comprise the following sections:
1. Information about you which includes your name, date of birth, and student identification number.
2. Information about your qualification, degree title and subject, and awarding institution(s).
3. Information about the level of your qualification, level of study, duration of study, and entry requirements.
4. Information on the content of your studies and results gained: programme description/requirements (via a link to the degree specification document), and full academic transcript.
5. Information on the function of your qualification: access to further study, professional status.
6. Additional Information - this is the section that allows the University to confirm information relating to your wider achievements whilst a matriculated student such as academic prizes or Edinburgh University Students' Association elected office. A full list can be found here.
|Task carried out in the public interest.||In perpetuity|
|Student representation and ambassadors||Schools are expected to facilitate communication between Student Representatives and the students they represent.||
If your choose to become a student representative, Schools share your name and student email address with the students you represent, or they may facilitate alternative ways for you to contact all classmates.
This will be displayed on your Higher Education Achievement Report.
|Legitimate interest||In perpetuity|
Current students may be invited to take part in voluntary and paid opportunities to support student recruitment and widening participation.
|Information about your programme of study, identity and widening participation status may be used when identifying potential student ambassadors.||Legitimate interest||1 year|
|Concessions||To enable concessions to be permitted against various University regulations to an individual student's benefit.||
Any extension, degree transfer, leave of absence or interruption of studies allows a student to extend a prescribed period of study. In most cases concessions will only be granted in exceptional cases and with supporting documentation.
Detailed privacy notice can be found here.
|Task carried out in public interest||1 year|
|Personal Tutors||The Personal Tutor system will provide you with a named member of academic staff, your Personal Tutor, who will support you throughout your time at the University, giving you academic support and a route to pastoral support. You, as a Tutee, will work with your Personal Tutor to reflect on your academic performance, how this contributes to your aspirations and helps you to engage as a member of a community of learners.||
MyEd has a Personal Tutor channel for tracking the content of meetings with your Personal Tutor, and helping you and your Personal Tutor reflect on the progress and direction of your studies. This channel lets you, your Personal Tutor and other University staff record notes.
By default, all authorised University staff can view your notes. Authorised users will treat all recorded information appropriately and will limit disclosures to the minimum necessary.
However, with more confidential or sensitive information, access will be restricted and, in some cases, details are not recorded. If you wish, you can mark a particular note as confidential which will restrict its visibility to you, your Personal Tutor, the School's Senior Tutor, the School's Student Support Team, Academic Engagement officers, and the Dean of Students.
|Task carried out in the public interest||5 years|
|Card services||The University provides you with a University card for the following purposes: as a method of identification; to administer access to our services and facilities; to compile statistics; to maintain our information systems; to support engagement monitoring; and to support students' studies.||
Your University card will allow you to access areas of the University that are not open to the public or only available to specific students and staff.
You are required to supply a photograph which appears on your card and is included as part of your student record to allow staff to confirm your identify when supporting you. Data about your access to buildings is retained and used to support the management of the estate, and analyse student engagement. The University reserves the right to review this data as part of any misconduct investigations.
|Performance of contract||2 years|
|PG research review||The progress of postgraduate research students must be reviewed for each year of the programme. Progress is each year until thesis submission. This will form the basis for confirmation of degree registration, or permission to progress.||
The University provides an online annual progression monitoring system and requires Schools and supervisors to review students’ progress each year of full-time or part-time study for doctoral or MPhil degrees.
The review process recorded in the student record system may include: information about your previous year’s progress; a programme of work for the coming year including, where appropriate, a target thesis submission date; a review of the supervisory relationship; form the basis for the decision to confirm degree registration.
|Task carried out in the public interest||7 years|
|Graduation||Upon achieving an award, students are invited to attend a graduation ceremony. Registering attendance can be done via an online form.||Information about your student award and programme of study will be used to schedule graduation events, and this information will be used to ensure you attend the correct ceremony. When registering your attendance at graduation you can declare if you require any special assistance. This data is used to ensure that you receive any support you require during the graduation ceremony, and assist in the generation of the seating plan.||Performance of contract||1 year|
|Timetabling and Exams||Information regarding students’ course enrolments will be used to timetable classes and exams.||
Your course enrolments and any disability data will be used to timetable your course activities and exams, and provide you with a timetable. This data will also be aggregated and analysed to provide forecasting and modelling to help maximise and enhance the available teaching space in the University estate.
|Task carried out in the public interest||1 year|
|Library||Your information is used by the library service to allow you to make use of the services they provide.||
Data about your programme of study and contact information are used in the library to deliver their services.
Data is being used to allow patrons to borrow and request physical items from the library; to contact patrons about their borrowing and requesting transactions (e-mail); to contact graduating students who have lost library books or long overdue items and who have incurred a high amount of fines; to allow patrons to authenticate to ezproxy for download of electronic resources; to search and save local preferences on the library discovery interface (DiscoverEd).
If you have learning adjustments due to disability, the library may have a role in delivering this support, such as equipment for exams, access to study rooms, or special borrowing privileges. In this case, certain library staff will have access to your schedule of adjustments, and the local library system will be updated to record the support requirements, but not details of your disability.
|Performance of contract||2 years|
|Virtual Learning Environments (VLEs)||Virtual Learning Environments are online tools that allow staff and students to interact in support of their studies by providing a communications forums, document sharing and submitting assessments.||
Information about your identity, course enrolments and marks are shared with Learn for the use of learning and teaching staff to manage the teaching of courses
Your data will be used for the purpose of creating course spaces and user accounts within Learn to allow you to access online materials and teaching tools for your courses.
|Task carried out in public interest||Live data from student record; data not locally retained.|
|Disability Support||The Student Disability Service (SDS) is a service which supports disabled students. Its main focus is providing advice and support. It supports students with dyslexia, mental health issues and students on the autistic spectrum, as well as those who have physical and sensory impairments. It also works with the rest of the University to improve access in the widest sense.||
Details of your disability are collected at admissions and online registration. Collection of these sensitive or special categories of data is necessary for statistical research purposes to help public authority data controllers to meet their public sector equality duties under the Equality Act 2010.
The Student Disability Service will use this information to initially contact you to share information about the service and to invite you to meet and discuss any support requirements you may have.
This data will be included in the student data collection by the Higher Education Statistics Agency, described under the section “Sharing your information”.
|Legal Obligation (Equality Act 2010), as this is health data and considered "special category" personal data under the GDPR the further legal basis of 'Public interest based on law' applies.||Data regarding your disability will be held for following 5 academic years following a student’s completion.|
|All students are invited to contact the Student Disability Service if they require support. Upon contacting the service a case will be opened to arrange appointments with Service staff and maintain a history of correspondence. This is linked to your student record from which your disability information, programme of study, photograph and identity may be referenced.||Performance of contract||Data regarding your disability will be held for following 1 academic year following a student’s completion.|
|If you do require support a meeting will be arranged with a Disability Advisor, who will use medical evidence to assess the level of support you require and how the University can deliver it. Notes summarising meetings and details about medical evidence may be recorded with your case, and a ‘Schedule of adjustment’ created. This is a document that lists all learning adjustments to your programme of study which the University must reasonably provide. The advisor will create this with you and communicate it to staff in the University you have a relationship with, such as learning and teaching staff, student support officers, coordinators of adjustments in schools, the library and examinations team, and your personal tutor.|
You may also require a Support Assistant to provide support in classes, tutorials and laboratories and in the library. In this case a further meeting will be arranged with an advisor to create a ‘Needs Assessment’ and an application for funding. Information about your disability will be shared with your support assistants.
Support Assistants are employees of the University, and you are required to confirm time sheets submitted by support assistants to allow them to be paid for the time they spend with you. These records are used by our finance department to pay the support assistants, and may contain details of your support needs.
Confirmed timesheets are also used as evidence to recuperate funds from funding bodies and may include details of the support you receive.
|Legal Obligation (Tax Legislation table entries 3, 4, 5, 6)|
|Student appeals||An appeal is a request by a student for a decision to be reviewed in relation to course results, progression, degree classification, degree award, decisions of Student Discipline Officers or the Student Discipline Committee, decisions of Fitness to Practise Panels, or exclusion decisions.||
If you wish to appeal you must submit an appeal form stating the decision against which you are appealing, the date when you received notification of the decision, the grounds under which you are submitting your appeal, and any supporting documentation. The University will use this information to administer your appeal, and will where appropriate share it with members of the Student Appeal Committee and relevant staff in your School or elsewhere in the University.
Detailed privacy notice can be found here.
|Task carried out in Public Interest/Core Functions||5 years, up to 10 years for PhD appeals.|
|Student discipline||Where students are alleged to have not complied with the University’s Code of Student Conduct, or with other associated University policies and regulations, the University may deal with the allegations following the procedures of the Code of Student Conduct or other associated procedures (for example, Fitness to Practise, or academic misconduct).||
If you are suspected of having committed an offence, the University will gather information relating to the allegations (including information that you provide), and will share it with the relevant members of the University community, in line with the Code of Student Conduct or associated procedure
Detailed privacy notice can be found at here.
|Legal Obligation (Universities (Scotland) Act 1966 s.8 (1))||
5 years, unless a greater retention period is specified by a relevant professional body.
Student exclusions are recorded in perpetuity.
The University of Edinburgh provides Tier 4 visa sponsorship to remain in the UK during your studies. All non-EU/EEA/Swiss nationals will require permission to enter or remain in the UK.
Your nationality and country of birth are used to ascertain if a student requires a visa to study, and this is communicated to you during the admissions process.
|Legal Obligation (Part 3, Section A57B. In paragraphs A57A to A57H of the UK Immigration Rules )||10 years for students, 1 year for unsuccessful applicants.|
As a sponsor of student visas the University has a number of legal responsibilities, including monitoring your attendance. This involves reporting to the Home Office if you:
Tier 4 sponsorship is provided in the form of a Confirmation of Acceptance for Study (CAS). A CAS is an electronic document that confirms to the UK Home Office that the University of Edinburgh wishes to sponsor your migration to the UK for the purpose of study. This document will be created for you, and you can use this as part of your visa application.
|Legal Obligation (Part 3, Section A57B. In paragraphs A57A to A57H of the UK Immigration Rules )|
|You need to supply a copy of your visa and passport as the University is responsible for verifying these documents.||Legal Obligation (Part 3, Section A57B. In paragraphs A57A to A57H of the UK Immigration Rules )|
|The Academic Technology Approval Scheme (ATAS) is one of the UK government’s measures to prevent the spread of knowledge and skills used to develop weapons of mass destruction and associated technology. Applicants to certain science and technology programmes in the UK require you to have ATAS clearance and this must obtained before making a Tier 4 visa application.||Legal Obligation (Part 3, Section A57B. In paragraphs A57A to A57H of the UK Immigration Rules )|
|Student accommodation||Information about all applicants who have accepted offers is shared with accommodation services to allow them to apply for University-provided accommodation. This information includes your gender, country of domicile, contact information, declared disability, programme of study, and application decision.||
Your data is used:
Health-related data is used to assist in identifying students who may need adaptations to their accommodation, or specific types of equipment within their accommodation.
The full Accommodation, Catering and Events privacy can be round here.
|Performance of contract||6 years after leaving accommodation, unsuccessful applicants after 6 months.|
|This data is used for profiling, for marketing our accommodation for future years to students currently within our accommodation, and for marketing student-led events being held within our accommodation locations. This data is not used for any fundraising activities.||Consent|
|Careers||The Careers Service provides a wide range of services to employers including vacancy advertising, talks, events and workshops, as well as information, advice and support on recruiting our students.||The Careers Service receives student contact information, information about programme mode and method of study, current student status, and achieved awards.||Performance of contract||3 years|
Your disability and ethnicity data is also used to produce statistics on the number of students using the service, to ensure Equality and Diversity targets are being achieved.
|Performance of contract||3 years|
|Finance||Information about all applicants with unconditional offers and students is shared with Finance to allow academic student fees to be invoiced and payment collected.||
Finance also collect data in relation to payment of fees.
Your data is used:
The full Finance privacy notice can be found here.
|Performance of contract||7 years or longer if student fees remain unpaid|
|Emergency contact details||In case of emergency two emergency contacts can be added as part of the student record.||You are able to provide two emergency contacts in case of an emergency situation. Your emergency contacts will only be contacted in situations where you are unable to do so, or the university urgently needs to but has been unable to contact you.||
The storage of this data is in your ‘legitimate interest’.
Usage of this data is in your ‘vital Interest’.