The General Data Protection Regulation (GDPR) protects the rights of individuals by setting out certain rules as to what organisations can and cannot do with information about people. A key element of this is the principle that individuals’ data must be processed lawfully and fairly. To meet the fairness part of this, we need to provide information on how we process personal data.
The University takes its obligations under the GDPR very seriously and will always ensure personal data is collected, handled, stored and shared in a secure manner. The University’s Data Protection Policy can be accessed here.
The following statement will outline what personal data we collect, how we use it and who we share it with. It will also provide guidance on your individual rights and how to make a complaint to the Information Commissioner’s Office, the regulator for data protection in the UK.
The University’s official contact details are:
Data Protection Officer
Tel: +44 (0)20 8411 5555
How does the University collect your personal data?
We primarily collect your personal data through the information you submit via the UCAS application portal or other relevant recruitment processes.
We also ask for additional personal data during our enrolment process as we require additional information about you when you actually become a student at Middlesex.
Some University support services also require you to provide your personal data in order for them to be able to deliver additional services. The data needed and the justification as to why will be provided to you at the point you access the service(s).
What personal data does the University collect?
The University collects personal data from students at various stages. The volume and nature of the personal data collected is outlined below:
- Details from application forms:
  - name and address
  - contact details (telephone number, email address)
  - age / date of birth
  - nationality and country of residence
  - educational records to date
  - academic references (including personal statement and predictive grades)
  - disability declaration
  - criminal conviction declaration
- Further data collected at enrolment or updated during a student’s time at the University:
  - Home address and next of kin
  - Term-time address
  - Entry and other qualifications
  - Demographic information
  - Funding, bursary and fee related information
  - Information needed to provide services in relation to disability, wellbeing or any other type of pastoral support
  - Course and stage details
  - Attendance, progress and current status
  - Assessment results
  - Photograph for identification badge
  - For students undertaking courses in nursing, social work and midwifery a DBS Clearance and a full occupational health check will be completed to allow a student to commence a placement
- Data collected for statutory monitoring and reporting purposes:
  - Religious belief
  - Parental occupation and education
  - Sexual orientation
  - Ethnic origin
- Data collected from international students on a Tier 4 (or similar) visa to meet UK Visa and Immigration requirements:
  - passport details
  - visa lifecycle details
  - data to evidence attendance on course of study
Additional personal data may be collected by the University where relevant in relation to placements, professional body requirements, extenuating circumstances applications, appeals/complaints/disciplinary cases and any further optional student services.
How and why does the University use personal data?
The primary purposes for which we process information about current students include:
- to enable us to administer student-related functions from original applications through to graduation and to provide alumni services;
- to plan and account for the use of the services provided;
- to produce information including statistics for relevant external agencies such as the Higher Education Statistics Agency (HESA) and the Office for Students (OfS) which allocates funds to the University on the basis of student numbers;
- to enable University staff to communicate with students;
- to monitor academic progress over the period of enrolment towards completion of a qualification;
- to carry out assessment, authorise award of qualifications and verification of awarded qualifications post-study;
- to administer student related policies and procedures including appeals, complaints, academic misconduct and general conduct and discipline;
- to provide student support services, including financial, pastoral, sporting, employability and IT/learning resources;
- to issue communications on student benefits and opportunities and university activities or events organised for students;
- to comply with immigration compliance checks in relation to sponsored migrants;
- to ensure all eligible students have access to University accommodation;
- to monitor, develop and update University systems to ensure they continue to operate effectively and securely;
- to monitor equality and diversity objectives within the University;
- to undertake surveys, market research and statistical analysis to improve the student experience. This is done to assess both your learning experience and your wider student experience at Middlesex University.
Finally, the University processes personal data as part of research activity. This is done in line with the University's Code of Practice for Research, which includes meeting the requirements of current data protection legislation.
Sharing of personal data
The University is required to share personal data with certain other organisations in order to meet statutory requirements or to provide services to students. Sharing will always be undertaken in line with the requirements of data protection law, using the relevant legal basis as defined by the GDPR and other data protection legislation. The personal data that is actually shared will always be limited precisely to what the other organisation needs to meet its requirements or deliver its services.
The information below outlines the key partners with whom the University shares personal data on a periodic basis:
- Middlesex University Students’ Union for the administration of the Union and its clubs/societies, the administration of elections and student representation, and communication to students to promote Union services and events. For further information please see the MDXSU privacy notice;
- The University has two overseas campuses in Dubai and Mauritius which are both outside of the European Economic Area (EEA) and personal data will need to be shared with these campuses for student/staff administration and research activity;
- Professional and Funding Bodies:
  - Validation of registrations and awards; and
  - Approval of funding applications.
- National/Local Government Departments and other public bodies:
  - Higher Education Statistics Agency (HESA) to produce a variety of statistical reports about higher education that are required to be published in the public interest;
  - Skills Funding Agency in order to make them aware of who the enrolled apprenticeship students are and subsequently the academic progress those students are making;
  - UK Immigration agencies to ensure compliance with the conditions attached to student visas;
  - the Student Loans Company in connection with grants, fees, loans and bursaries;
  - the courts, the police and other organisations with a crime prevention or law enforcement function (subject to meeting the conditions of relevant legislation);
  - The NHS for the purpose of coordinating student placement activity for nursing and midwifery students; and
  - Local authorities for the purposes of assessing and collecting council tax.
- Other individuals / organisations:
  - External examiners for examination, assessment and moderation purposes;
  - International recruitment consultants, agents and Middlesex regional offices (for relevant international students);
  - Housing providers for students;
  - The University’s insurers and legal advisers for the purpose of providing insurance cover or in the event of a claim;
  - The Office of the Independent Adjudicator to review student complaints;
  - Employers who request a reference from the University (for relevant students);
  - IPSOS-MORI and JISC online surveys for inclusion in the National Student Survey (NSS), Postgraduate Taught Experience Survey (PTES) and the Postgraduate Research Experience Survey (PRES).
How long does the University keep personal data?
The University takes its obligations under the GDPR seriously in terms of not holding onto personal data for any longer than is necessary. The University has a retention schedule in place for the different categories of data it holds.
In some cases, there are good reasons as to why the University needs to retain data about students for a significant period of time. The most important reasons are outlined below:
- in order that student awards can be verified in the long-term;
- to produce transcripts and references;
- for alumni services and ongoing relations with the University;
- for careers and employability services;
- to deal with complaints, appeals and disciplinary cases;
- for statutory reporting purposes and in order to complete statutory surveys such as the Destination of Leavers from Higher Education Surveys and Graduate Outcomes.
Under the GDPR you have the following rights:
- to obtain access to, and copies of, the personal data that we hold about you;
- to require that we cease processing your personal data if the processing is causing you damage or distress;
- to require us not to send you marketing communications;
- to require us to correct the personal data we hold about you if it is incorrect;
- to require us to erase your personal data;
- to require us to restrict our data processing activities (and, where our processing is based on your consent, you may withdraw that consent, without affecting the lawfulness of our processing based on consent before its withdrawal);
- to receive from us the personal data we hold about you which you have provided to us, in a reasonable format specified by you, including for the purpose of you transmitting that personal data to another data controller;
- to object, on grounds relating to your particular situation, to any of our particular processing activities where you feel this has a disproportionate impact on your rights.
Please note that the above rights are not absolute, and we may be entitled to refuse requests where exceptions apply.
To exercise any of the above rights please get in contact with the University’s Data Protection Officer using the contact details provided at the start of this notice.
You also have the right to complain to the UK regulator, the Information Commissioner’s Office (ICO), if you believe your request has not been dealt with properly or you have a complaint to raise against the University for any other data protection related issue. A complaint can be raised via the ICO’s website.
You also have the right to withdraw consent from the processing of your personal data by the University at any time, if your consent was sought initially to use your personal data.
All students who handle personal information for which the University is responsible must follow the requirements of the Data Protection Policy and other relevant guidance issued by the University.