This notice sets out how we deal with the personal information of our students, visitors to our websites, attendees at our events and subscribers to our newsletter.
This notice may be updated from time to time to ensure continued compliance with current legislation and to reflect best practice.
Identity of the Data Controller
The ESRC Wales Doctoral Training Partnership (DTP) is a consortium training social scientists across Wales; it is a collaboration between Aberystwyth University, Bangor University, Cardiff Metropolitan University, the University of Gloucestershire, and Swansea University. The lead institution is Cardiff University.
As a Data Controller, Cardiff University is legally responsible for processing your personal data in accordance with Data Protection legislation. In order to carry out its functions and obligations in respect to the operation of the ESRC Wales DTP, it is necessary for the University to collect, store, analyse and sometimes disclose your personal data.
The University is registered as a Data Controller with the Information Commissioner’s Office (ICO) to process personal data. Reg no Z6549747.
What personal information do we collect about you?
The following gives an indication of the types of information which are currently collected and processed:
- your name
- disability and access requirements
- dietary requirements or other medical information
- your employment status and, for students, funding source
- your research interests
For students and prospective students
- details of your qualifications achieved and currently being undertaken
- any student photograph
- your date of birth
- your nationality
- equality of opportunity monitoring data which will include sensitive categories of data for (eg ethnicity, religion, sexual orientation)
- details of your academic record including qualifications, skills, experience and educational and employment history
- details of your examination and assessment results during your time at the University
This personal data includes categories of data classed as ‘special categories’ such as that collected for equality of opportunity monitoring such as ethnicity, religious beliefs or sexual orientation.
We collect this information in a variety of ways. For example, data might be collected through the application process or through interviews, meetings or our forms on our website.
We will also hold information supplied by third parties such as references.
What is our legal basis for processing your personal data?
There are a number of legal ways in which we can process your data, the most relevant of which are set out below:
|(1)||When you apply to the ESRC Wales DTP for funding, an award, or to take part in an event, we will be required to collect, store, use and otherwise process information about you for any purposes connected with teaching, support, research, administration, your health and safety and for other reasons deemed necessary for the purpose of entering into or for the performance of your contractual agreement. See GDPR Article 6(1)(b)|
|(2)||We will obtain consent from you in order to provide you with updates and information beyond those purposes described in (1) above GDPR Article 6(1)(a).|
|(3)||Processing of your personal data may also be necessary for the pursuit of our legitimate interests or by a third party’s legitimate interests – but only where the processing does not fall within our core public function, is not unwarranted and will not cause a prejudicial effect on your rights and freedoms, or legitimate interests. See GDPR Article 6(1)(f).|
|(4)||Processing of your personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the University (see GDPR Article 6(1)(e)) and for statistical and research purposes.|
|(5)||Processing is necessary for compliance with a legal obligation to which the Data Controller is subject|
|(6)||Processing of Special Categories data is necessary for statistical and research purposes in accordance with Article 89(1) based on the duties in the Equality Act 2010 (see GDPR Article 9(2)(j))|
Sharing information with others
We may share your relevant personal data with external organisations.
|Other institutions within the ESRC Wales DTP||Where you are registered at one of the other institutions within the ESRC Wales DTP, in accordance with the terms of the contract|
|Funding bodies||To fulfil the terms of bodies providing the funding for awards, primarily the Economic and Social Research Council (ESRC).|
|Sponsors where a contract exists with you.||In accordance with the terms of the contract (which could include, for example, student organised internships)|
|Potential employers or providers of education whom you have approached.||To confirm your qualifications.|
Any other disclosures that the University makes will be in accordance with Data Protection law and your interests will always be considered.
We use a range of third party service providers to enhance our website and our email newsletter.
For what purposes will your information be used?
The purposes and related legal basis (number in brackets) under which Cardiff University may process your personal data, (although given the complexity of the relationships that the University has with its students, this is not exhaustive):
- administration (1)
- to provide you with information and updates (1,2)
- the production and, as appropriate, distribution of research and educational materials (4)
- internal and external auditing purposes (5)
- meeting health and safety obligations and equality of opportunity monitoring obligations (5,6)
- carrying out statutory duties to provide information to external agencies (see ‘Disclosures’ for further details)
- providing information via our email newsletter and other relevant bulletins (
- from time-to-time, other activities that fall within the pursuit of the University’s legitimate business and do not infringe your rights and freedoms (3)
How long your information will be held
Cardiff University will retain your personal information in line with the University Records Management Policy and Records Retention Schedules.
Security of your information
Data Protection legislation requires us to keep your information secure. This means that your confidentiality will be respected, and all appropriate measures will be taken to prevent unauthorised access and disclosure. Only members of staff who need access to relevant personal data will be authorised to do so. Information about you in electronic form will be subject to password and other security restrictions, while paper files will be stored in secure areas with controlled access. You can find out more by referring to the University Information Security Policies.
Some processing may be undertaken on the University’s behalf by an organisation contracted for that purpose. Organisations processing personal data on the University’s behalf will be bound by an obligation to process personal data in accordance with data protection legislation.
Your data protection rights
Under Data Protection legislation you have a number of rights such as a right to request a copy of your personal data held by the University. To find out more about your rights and how you can exercise them, please see the University web page on your data protection rights.
Do we transfer information outside the European Economic Area (EEA)?
Generally, information you provide to us is stored on the University’s secure servers, or on our cloud based systems which are located within the EEA. However, there are times when we do need to store information outside the EEA. If we transfer your information outside the EEA, we will take steps to ensure that appropriate security measures are taken to protect your privacy rights. This could be by imposing contractual obligations on the recipient of your personal information, or ensuring that the recipients are subscribed to ‘international frameworks’ that aim to ensure adequate protection. For example, we would ensure that a supplier based in the USA has signed up to “Privacy Shield”. Technical measures such as encryption will also be considered.
How to raise a query, concern or complaint
If you still have queries, concerns or wish to raise a complaint details of how you can contact the University data protection officer and Information Commissioner’s Office are available on the University Data protection page.
Updated: May 2018