Data Protection

Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.

Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the GDPR.

Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.

The GDPR protects personal data regardless of the technology used for processing that data – it’s technology neutral and applies to both automated and manual processing, provided the data is organised in accordance with pre-defined criteria (for example alphabetical order). It also doesn’t matter how the data is stored – in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR.

Some examples of Personal Data:

• a name and surname
• a home address
• an email address such as name.surname@company.com
• an identification card number
• an Internet Protocol (IP) address

Some examples of data not considered to be Personal Data:

• a company registration number
• an email address such as info@company.com
• anonymised data

Under GDPR, companies have obligations regarding the personal data of data subjects, but there is also a separate category of data that is treated differently – GDPR special category data.

What is GDPR special category data and how do the rules differ for processing that information?

GDPR Special Category Data

GDPR special category data is personal information of data subjects that is especially sensitive, the exposure of which could significantly impact the rights and freedoms of data subjects

GDPR special category data includes the following information:

• Race and ethnic origin
• Religious or philosophical beliefs
• Political opinions
• Trade union memberships
• Biometric data used to identify an individual
• Genetic data
• Health data
• Data related to sexual preferences, sex life, and/or sexual orientation.

Because these data elements are particularly sensitive, an organisation must have a legitimate and lawful reason for collecting, storing, transmitting, or processing these data. If special category data are collected, stored, processed, or transmitted data controllers must ensure that additional protections are put in place to ensure that information is appropriately safeguarded.

Why do we process Special category data?

We process Special Categories of Personal Data for the following purposes (this list is not exhaustive):

(a) assessing an employee’s fitness to work
(b) complying with health and safety obligations
(c) complying with the Equality Act 2010
(d) checking applicants’ and employees’ right to work in the UK
(e) verifying that candidates are suitable for employment or continued employment

UWTSD has developed a data protection policy to ensure all staff, students and anybody associated with the University understands their rights and responsibilities under the legislation

Description of processing

The following is a broad description of the way this organisation/data controller processes personal information. To understand how your own personal information is processed you may need to refer to any personal communications you have received, check any privacy notices the organisation has provided or contact the organisation to ask about your personal circumstances.

Reasons/purposes for processing information

We process personal information to enable us to provide education and support services to our students and staff; advertising and promoting the university and the services we offer; publication of the university magazine and alumni relations, undertaking research and fundraising; managing our accounts and records and providing commercial activities to our clients. We also process personal information for the use of CCTV systems to monitor and collect visual images for the purposes of security and the prevention and detection of crime.

Type/classes of information processed

We process information relevant to the above reasons/purposes. This may include:

• personal details
• family details
• lifestyle and social circumstances
• education details and student records
• education and employment details
• financial details
• disciplinary and attendance records
• vetting checks;
• goods or services provided
• visual images, personal appearance and behaviour
• information held in order to publish university publications

We also process sensitive classes of information that may include:

• racial or ethnic origin
• trade union membership
• religious or other similar beliefs
• physical or mental health details
• sexual life
• offences and alleged offences
• criminal proceedings, outcomes and sentences

Who the information is processed about

We process personal information about:

• students
• employees, contracted personnel
• suppliers, professional advisers and consultants
• business contacts
• landlords, tenants
• complainants, enquirers
• donors and friends of the University
• authors, publishers and other creators
• persons who may be the subject of enquiry
• third parties participating in course work
• health, welfare and social organisations
• friends of the University
• individuals captured by CCTV images

Who the information may be shared with

We sometimes need to share the personal information we process with the individual themself and also with other organisations. Where this is necessary we are required to comply with all aspects of the Data Protection Act (DPA). What follows is a description of the types of organisations we may need to share some of the personal information we process with for one or more reasons.

Where necessary or required we share information with:

• family, associates and representatives of the person whose personal data we are processing
• current, past or prospective employers
• healthcare, social and welfare organisations
• educators and examining bodies
• suppliers and service providers
• student union
• financial organisations
• debt collection and tracing agencies
• auditors
• police forces, security organisations
• courts and tribunals
• prison and probation services
• legal representatives
• local and central government
• consultants and professional advisers
• trade union and staff associations
• survey and research organisations
• press and the media
• voluntary and charitable organisations
• landlords

Transfers

It may sometimes be necessary to transfer personal information overseas. When this is needed information may be transferred to countries or territories around the world. Any transfers made will be in full compliance with all aspects of the data protection act.

Statement of exempt processing

This data controller also processes personal data which is exempt from notification.

Making a Subject Access Request

To make an application to access the data that UWTSD holds on you, please complete the attached Subject Access Request Form

Data Protection Statement For Alumni

We want to stay in touch with you and keep your personal information in accordance with your wishes.  As an alumni/ae of the University or its predecessor institutions, the legal basis of why we hold your data is out of mutual “legitimate interest”.

All data is held securely and appropriately by University of Wales Trinity Saint David (UWTSD). We will use your information to keep you up-to-date with news from our campus, including research, educational activities and courses, events, alumni activities, and opportunities to support our fundraising and volunteering programmes.  Your data may contribute to relevant surveys, inform Higher Education reporting requirements, and support other aspects of our charitable mission.

We want to ensure that the information you receive from us is relevant and is welcomed.  Depending on your contact preferences, you will receive communications on the type of activities listed above via post, email, telephone, SMS text messages, and via our social media channels.  We will pay attention to your responses, including e-tracking to see if you open our emails and Google Analytics to understand more about visits to our website so that we can provide the most relevant information for you.

From time to time we may undertake research and analysis using publicly available sources in addition to the information that you provide us. This work helps us to better focus our engagement to reach out to alumni that we have lost contact with, and to maintain the quality of the data held (for example, keeping address details up to date via the Post Office National Change of Address database).

The type of information that we may collect and attach to your data record includes professional activities and details of existing connections with the University.

We will never sell your personal data or share it for non UWTSD activities. Unless you tell us otherwise, your data may be made available to our academic and administrative departments within the University. Data will only be shared with third parties who are agents of University projects and where there are appropriate controls in place to safeguard your information. This may include mailing houses or external surveying companies working on behalf of such organisations as the Higher Education Statistics Agency (HESA) or University funding bodies. If you decide to donate to the University, you can choose whether to give anonymously or be recognised

You have the right to change your contact preferences or object to the use of your data for any of the above purposes by contacting: alumni@uwtsd.ac.uk