The General Data Protection Regulation (GDPR) protects the rights of individuals by setting out certain rules as to what organisations can and cannot do with information about people. A key element of this is the principle of processing individuals’ data lawfully and fairly. In order to meet the fairness part of this, we need to provide information on how we process personal data.
The University takes its obligations under the GDPR very seriously and will always ensure personal data is collected, handled, stored and shared in a secure manner. The University’s Data Protection Policy can be accessed here.
The following statement will outline what personal data we collect from prospective students (individuals who have made an enquiry or application to study a course with us but who have not yet enrolled), how we use it and who we share it with. It will also provide guidance on your individual rights and how to make a complaint to the Information Commissioner’s Office, the regulator for data protection in the UK.
The University’s official contact details are:
Data Protection Officer
Tel: +44 (0)20 8411 5555
How and why does the University use your personal data?
- When you express an interest in attending Middlesex University, we use your personal data in order to resolve any queries you have and to provide you information about the University and the course(s) you are interested in. This allows you to make an informed choice about whether you wish to apply and enrol with us.
- When you contact us with an enquiry, we create a record in our enquiry management system so that you don’t need to repeat details from previous communications if you have a further query. This also means we can improve the information we provide you.
- We use information collected to tailor our communications with you, and ensure they are as personalised and targeted as possible, so you find them relevant and beneficial. These communications raise awareness of the areas which may impact your choice of university, such as our courses, facilities and services and of logistical steps you need to take when applying to us. We also use digital tracking tools to monitor the impact of these communications and allow further improvements – for example email tracking to record when an email we send to you has been opened, or you have clicked a particular link.
- We use tracking cookies and conversion pixels to show you information about Middlesex over the Google Content Network and via social networks. This means you may see an advert for us as a result of visiting our website. We also use custom audiences based on the email addresses of prospective and current students. This allows us to present information about studying at Middlesex to you through Facebook and Instagram, and to identify people with similar interests who may also find it useful. Your personally identifiable information is not used by any remarketing service other than to present you relevant and targeted information about us. Further details on this are provided in our cookies policy.
- We undertake statistical analysis and market research using the information we collect. This enables us to understand the effectiveness of the activities we undertake at all stages of the prospective student journey and of the services we provide, and to improve the products Middlesex University offers. This may include qualitative market research and surveys. We also use external website analytics services to analyse how users are engaging with our website, allowing us to further optimise the site and the information provided on it.
How does the University collect your personal data?
The University collects personal information from you both directly and indirectly.
Occasions when information is collected directly include:
- From email / telephone queries, completion of an online “Ask a question” form, or when you make a query or request further information via a messaging service or social media
- When you request a publication or document, such as a prospectus
- When you complete a form, either online or at an event, requesting more information from the University or subscribing to email marketing communications
- When you book to attend an event
- When you make an application to one of our courses
We collect information indirectly:
- Through third-party lead generation providers who have gained your consent to capture your data regarding your preferences for undertaking university study
- Via education specialists (agents) where you have expressed an interest in studying at Middlesex
- Through partner institutions where you have expressed an interest in studying at Middlesex or are making an application to study at the University via an articulation agreement
- In common with most websites, our website automatically logs certain information. Further details on this are provided in our cookies policy.
What personal data does the University collect?
The University collects personal data from you at two stages. The volume and nature of the personal data collected is outlined below:
- Initial email / telephone enquiry or form submission:
  - name and address
  - contact details (telephone number, email address)
  - subject / area of interest / year of entry
  - topics of interest, such as student life and accommodation (optional)
  - preference on accommodation or whether you will commute to Middlesex (optional)
- Details from application forms:
  - name and address
  - contact details (telephone number, email address)
  - age / date of birth
  - nationality and country of residence
  - academic history (where applicants have studied)
  - qualification history (what grades applicants have achieved)
  - academic references (including personal statement and predicted grades)
  - ethnic origin
  - disability declaration
  - criminal conviction declaration
Sharing of personal data
The University collects and uses your personal information to operate and deliver any services you have requested. The University may share data with contracted partners to ensure we can provide these services. The companies with which we work are committed to ensuring information is managed in line with the requirements of data protection law. The personal data that is actually shared will always be limited precisely to what the other organisation needs to meet its requirements or deliver its services.
The University may disclose personal information in the following circumstances:
- If we use a mailing house or external company to facilitate communication with you via email, postal mail, telephone or text message.
- To help us perform statistical analysis to understand the effectiveness of the activities we undertake and tailor these accordingly.
- If we enlist the help of a market research company or consultant to undertake research on our behalf, in order to optimise and personalise the experience for those enquiring and applying to Middlesex University and the products and services it offers.
- If you are an international prospective student, any details you provide us will be passed to one of our Middlesex regional offices or third-party agents who will handle your enquiry and/or application. The location and contact details of the regional office will depend on the country you have told us you reside in. You can find further information about our regional offices and our third-party agents on the relevant country pages on our website.
How long does the University keep personal data?
The University takes its obligations under the GDPR seriously in terms of not holding on to personal data for any longer than is necessary. The University has a retention schedule in place for the different categories of data it holds.
Prospective students who do not apply for a course: we will hold your data for a maximum of two years from the month you intended to start your course. For example: if you told us you wanted to start in September 2018 and then did not update your details with us, we would delete your data in September 2020.
Prospective students who apply for a course but then do not enrol: we will hold your data for a maximum of three years from the month you intended to start your course. For example: if you applied to start in September 2018 and then did not enrol, we would delete your data in September 2021.
Under the GDPR you have the following rights:
- to obtain access to, and copies of, the personal data that we hold about you;
- to require that we cease processing your personal data if the processing is causing you damage or distress;
- to require us not to send you marketing communications;
- to require us to correct the personal data we hold about you if it is incorrect;
- to require us to erase your personal data;
- to require us to restrict our data processing activities (and, where our processing is based on your consent, you may withdraw that consent, without affecting the lawfulness of our processing based on consent before its withdrawal);
- to receive from us the personal data we hold about you which you have provided to us, in a reasonable format specified by you, including for the purpose of you transmitting that personal data to another data controller;
- to object, on grounds relating to your particular situation, to any of our particular processing activities where you feel this has a disproportionate impact on your rights.
Please note that the above rights are not absolute, and we may be entitled to refuse requests where exceptions apply.
To exercise any of the above rights please get in contact with the University’s Data Protection Officer using the contact details provided at the start of this notice.
You also have the right to complain to the UK regulator, the Information Commissioner’s Office (ICO), if you believe your request has not been dealt with properly or you have a complaint to raise against the University for any other data protection related issue. A complaint can be raised via the ICO’s website.
You also have the right to withdraw consent from the processing of your personal data by the University at any time, if your consent was sought initially to use your personal data.