1. Introduction to St Anne's College Privacy Notice
St Anne’s College privacy notice explains in detail the types of personal data we may collect about you when you interact with us. It also explains how we will store and handle that data, and keep it safe. St Anne’s College is committed to protecting the privacy and security of personal data.
The notice explains how we use data internally, how we share it, how long we keep it and what your legal rights are in relation to it.
It is likely that we will need to update our Privacy Notices from time to time. We will notify you of any significant changes, but you are welcome to come back and check it whenever you wish.
For the parts of your personal data that you supply to us to us, the notices also explain the basis on which you are required or requested to provide the information. For the parts of your personal data that we generate about you, or that we receive from others, it explains the source of the data.
There are some instances where we process your personal data on the basis of your consent. The privacy notice sets out the categories and purposes of data where your consent is needed.
This privacy notice relates to the following areas:
- current students
- current staff and office holders
- alumnae and donors
- archives (which explains what data we hold in our archive)
- nursery attendees and their parents/guardians
- conference guests of the College
- contractors and service providers to the College
- security, maintenance and health and safety (including how we use CCTV)
- website and cookies (including how we monitor use of our website)
- IT systems (including how we monitor internet and email usage)
The Development and Alumnae relations privacy notice (including details of our fundraising activities) can be viewed here.
2. What is your personal data and how does the law regulate our use of it?
“Personal data” is information relating to you as a living, identifiable individual. We refer to this as “your data”. It can include information such as your name, contact details, education history and other information about you that we may process.
“Processing” your data includes various operations that may be carried out on your data, including collecting, recording, organising, using, disclosing, storing and deleting it.
Data protection law requires St Anne’s College (“us” or “we”), as data controller for your data:
- To process your data in a lawful, fair and transparent way;
- To only collect your data for explicit and legitimate purposes;
- To only collect data that is relevant, and limited to the purpose(s) we have told you about;
- To ensure that your data is accurate and up to date;
- To ensure that your data is only kept as long as necessary for the purpose(s) we have told you about;
- To ensure that appropriate security measures are used to protect your data.
3. What is St Anne’s College?
St Anne’s College can trace its origins to 1878 and the foundation of the Society of Oxford Home-Students. It is a registered charity and was established as a College of the University of Oxford by Royal Charter in 1952.
4. What personal data we hold about you and how we use it
We may hold and use a range of data about you at different stages of our relationship with you. We might receive this data from you; we might create it ourselves, or we might receive it from someone else (for example if someone provides us with a reference about you).
Categories of data that we collect, store and use include (but are not limited to):
- Contact details that you provide to us, including names, addresses and telephone numbers.
- Financial information when required including your details of bank/building society account numbers, sort codes, invoicing and outstanding payments (including payment information such as credit card or banking payment information) for facilities and services provided by the College at your request.
- Health information, including any medical conditions - we may use health information provided by you so we can make reasonable adjustments to improve the service we are able to offer you (e.g. seating or access at an event, dietary requirements, provision of disabled parking, or allocation of accommodation).
- Photographs, audio and video recording (which will only be used with your permission)
- To deliver the best possible web experience, we collect technical information about your internet connection and browser as well as the country and telephone code where your computer is located, the web pages viewed during your visit, and any search terms you entered.
- Equality monitoring data.
- Copies of passports, right to work documents, visas and other immigration data.
- Records about staff recruitment, including application paperwork, details of qualifications, references (including names and contact details of referees), requests for special arrangements, communications regarding our decisions, and relevant committee and panel reports.
- Details of any relevant criminal convictions or charges that we ask you to declare to us, either when you apply to us, or during your membership of the College. Relevant criminal convictions or charges are those that indicate you might pose an unacceptable risk to students or staff. Further, your role at the College may require that we conduct a Disclosure and Barring Service check, which will provide us with details of any relevant criminal convictions and/or cautions that you have received.
- Computing and email information, including login information for our IT systems, IP address(es), equipment allocated to you and records of network access.
- Joint appointment contract details.
Further categories of data that we hold are set out in our Records of Processing Activity (available on request).
5. Data that you provide to us and the possible consequences of you not providing it
Most data that you provide to us is processed by us in order that we, and you, can each fulfil our contractual obligations and/or comply with obligations imposed by law. For example (but not limited to):
- Financial information, as listed above, must be provided to enable us to pay you in accordance with the contract between us.
- Copies of attendee passports and/or birth certificates are collected on enrolment, as proof of attendee identity and age, and are further required to confirm entitlement to state-funded childcare provision (College nursery).
- Copies of your passport, right to work, and visa information will be collected by us at the time of your application or appointment, and at the point of any change or renewal of immigration status, to enable us to comply with UK Immigration and Visa requirements. We may be required by law to retain that data, along with related information (such as your application paperwork, short-lists and selection committee papers), even where you are not appointed, until a certain point after the person appointed ceases to be employed by St Anne’s College.
- If the relevant role requires regular interactions with children or vulnerable adult, we are required by law to carry out a Disclosure and Barring Service check in relation to you. In accordance with section 124 of the Police Act 1997, DBS certificate information is only passed to those who are authorised to receive it in the course of their duties and, in line with the DBS code of practice, is not kept by St Anne’s College for any longer than is necessary.
- You have a contractual obligation to inform us of relevant conflicts of interest affecting your involvement in College management and decision-making. Failure to do so may undermine the reputation and integrity of the College, and may have legal implications.
In a number of instances, the data you provide will be a necessary or contractual requirement, and if you do not provide the information that we ask for, we may not be able to complete the action or transaction required. In some cases we may not be able to provide you with certain services; in other cases, this could result in disciplinary action or the termination of your contract.
Some data that you give to us is provided on a wholly voluntary basis – you have a choice whether to do so. Examples include:
- Disability and health condition information, which you may choose to provide to us in order that we can take this information into account when considering whether to make a reasonable adjustment.
- Dietary requirements
- Equality monitoring data, which is requested by the College as part of the equality monitoring that we undertake pursuant to our legal obligations under the Equality Act 2010.
6. Other sources of your data
Apart from the data that you provide to us, we may also process data about you from a range of sources. These include (but are not limited to):
- Data that we generate about you, such as when communicating with you or processing an application (staff and prospective students);
- Your previous educational establishments and/or employers if they provide references to us;
- These could also include from our staff, students, the University of Oxford, donors to our archives or other third parties.
- Data about you that we generate about you, or that we receive from a third party (for example banks who provide us with your details when payments are made or received by St Anne’s College, the University of Oxford, Google Analytics and Speedybooker.com.
- Fellow members of College, family members, friends, visitors to College and other contacts who may provide us with information about you if and when they contact us, or vice versa.
- Apart from the data that you provide to us, we may also generate data about you, for example if you use a St Anne’s College fob to access premises, the St Anne’s College access control system will generate a log of your attendance.
- Information that we generate in the course of operating the College’s IT systems, or which we obtain from third party suppliers, for example telephone records provided by suppliers of telephone systems.
- The University of Oxford, which operates a number of systems that Colleges have access to, for example, systems that allow College to access your teaching allocation records and schedules.
Our Record of Processing Activity (available on request) indicates the sources of each of the various categories of data that we process.
Whenever you use a website, mobile application or other Internet service, certain information is created and recorded automatically. The same is true for our website(s), being those with URLs in the domain st-annes.ox.ac.uk
In addition to the data we gather via web forms placed on our site (the handling of which will be governed by the relevant data protection notice covering the circumstances and context), we collect and generate a variety of data via our website(s).
Categories of data that we collect, store and use include (but are not limited to):
- Log data: Whenever you use our website, our servers automatically record information (“log data”) regarding that access, including:
- Any data sent by your browser or mobile app to enable you to access the site.
- Location data of users (if provided by the connecting device).
- Internet Protocol (IP) address of the connecting device or other unique device identifiers.
- Browser type and setting for the connecting device.
- The date and time of access.
- Details of any attempts to log on to closed systems.
- Crash data.
- Cookie data: We may use “cookies” (small text files sent by your computer each time you visit our website, unique to your visit or your browser) or similar technologies to record additional information. Our cookies record information including:
- Language preferences.
- Contents of online ‘shopping baskets’ (where relevant).
- For further information on the cookies we use and the data each collects, please see our Cookie notice.
Most data collected is statistical data about our users' browsing actions and patterns, and does not identify any individual. However, there may be occasions where browsing patterns are connected to IP addresses or location data such that the data as a whole is personal data.
Whether we collect some of the above information often depends on your device type and settings. To learn more about what information your device makes available to us, please also check the policies of your device manufacturer or software provider
8. The lawful basis on which we process your data
The law requires that we provide you with information about the lawful basis on which we process your personal data, and for what purpose(s).
Most commonly, we will process your data on the following lawful grounds:
- Where it is necessary to perform the contract we have entered into with you;
- Where it is necessary to take steps at your request prior to entering a contract;
- Where it is necessary to comply with a legal obligation;
- Where it is necessary for the performance of a task in the public interest;
- Where it is necessary for our legitimate interests (or those of a third party), and your interests and fundamental rights do not override those interests.
We may also use your personal information, typically in an emergency, where this is necessary to protect your vital interests, or someone else’s vital interests. In a small number of cases where other lawful bases do not apply, we will process your data on the basis of your consent. Where you are aged under 18, we may ask your parent or guardian for their consent also.
The data we hold will generally have been obtained for other purposes originally and the law permits St Anne’s College to retain lawfully obtained data for the purposes of archiving in the public interest, for historical or scientific research purposes or for statistical purposes. The law provides further safeguards that such processing must (a) not be likely to cause substantial damage or substantial distress to you or another individual; and/or (b) must not be carried out for the purposes of measures or decisions with respect to you or another individual, unless the purposes for which the processing is necessary include the purposes of approved medical research.
In addition, the College (or a third party such as researchers or donors of archive material) will typically also have a legitimate interest in processing data for such purposes, provided your interests and fundamental rights do not override those interests.
Data that you provide to us and the possible consequences of you not providing it
The data that we collect via our website in the course of your accessing it, is provided by you on a voluntary basis. If you elect to adjust your browser settings to reject cookies, it may affect your experience in using the site, in the event that any blocked cookies support functionality.
9. How we apply further protection in the case of “Special Categories” of personal data
"Special categories" of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information.
The Special Categories of personal data consist of data revealing:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership.
They also consist of the processing of:
- genetic data;
- biometric data for the purpose of uniquely identifying someone;
- data concerning health;
- data concerning someone's sex life or sexual orientation.
We may process special categories of personal information in the following circumstances:
- With your explicit written consent; or
- Where it is necessary in the substantial public interest, and further conditions are met, or:
- for the exercise of a function conferred on St Anne’s College or anyone else by an enactment or rule of law; or
- for equal opportunities monitoring;
- Where the processing is necessary for archiving purposes in the public interest, or for scientific or historical research purposes, or statistical purposes, subject to further safeguards for your fundamental rights and interests specified in law.
We have in place appropriate policy documents and/or other safeguards which we are required by law to maintain when processing such data.
Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else's interests) and you are not capable of giving your consent, or where you have already made the information public.
Criminal convictions and allegations of criminal activity
Further legal controls apply to data relating to criminal convictions and allegations of criminal activity. We may process such data on the same grounds as those identified for “special categories” referred to above.
10. Details of our processing activities, including our lawful basis for processing
We have prepared a details table (available on request) setting out the processing activities that we undertake, the source of the data, the reasons why we process it, how long we keep it and the lawful basis we rely on.
The table includes detailed information about how and why we process various categories of data, including but not limited to:
- In the case of prospective students , for the purpose of administering your application, we will process various information on the lawful basis that we have a legitimate interest in receiving, considering and administering applications from prospective students including:
- details of which courses you are applying for,
- your application, including your contact details, personal statement, predicted grades and education history
- any written work or tests you submit, and our assessment of that work or tests.
- ‘Contextual” data such relating to information we can access about your school and postcode, and whether you have been in the care system. Further information about this process is contained here.
- Bank and other payment details, where we need to reimburse you, or where you provide such details to us when making a payment. We both have a legitimate interest in processing such data for this purpose.
- Details of any relevant criminal convictions, allegations or charges that we ask you to declare to us either when you apply to us, or whilst you are a student, or which are reported to us, and of any Disclosure and Barring Service checks that we request. Relevant criminal convictions or charges are those that indicate an applicant or student might pose an unacceptable risk to other students or staff.
- Student files including dates of attendance, course of study and outcome of their studies, results of College examinations ("collections"), University examinations, and College and University assessments, awards, scholarships and prizes conferred, applications (e.g. UCAS forms and references), academic and disciplinary records. These files may include information about a former student’s personal life including their health, family circumstances, ethnicity, sexuality, political opinions, religious or philosophical beliefs, criminal convictions or allegations, gender, background, family circumstances and/or financial circumstances. St Anne’s College has a legitimate interest in processing such data for the purposes of research and its archive in the public interest.
- CCTV monitoring that St Anne’s College undertakes to help provide safety and security on St Anne’s College premises, and to assist with the prevention of crime and other unlawful activity. St Anne’s College may take disciplinary action if a safety or security incident involves a breach of staff or student disciplinary policies, and/or report safety/security incidents to the police if the incident involves an apparent criminal offence. Monitoring for such purposes may only be carried out in accordance with the St Anne’s College’s and Oxford University CCTV policy which includes safeguards to ensure that individual privacy is respected appropriately
- IT monitoring that may occur including, subject to certain safeguards, email content, internet use and/or telephone records for the purpose of ensuring that such services are not used for unlawful purposes, or otherwise breach the College’s and University’s IT and telephone regulations and policies]. The lawful basis for such processing is that St Anne’s College has a legitimate interest in maintaining the integrity of its systems, to investigate misuse and in taking action to prevent misuse recurring.
11. How we share your data
We do not, and will not, sell your data to third parties. We will only share it with third parties external to the collegiate University, if we are allowed or required to do so by law. This includes for example:
- where we are required to report information about students that are subject to visa controls to UK Visas and Immigration;
- where we are required to report information to the University of Oxford in order for it to fulfil its obligations to report information to the Higher Education Statistics Agency or its successor body in order to comply with regulatory obligations;
- where we decide to report alleged criminal misconduct to the police;
It also includes disclosures where the third party is an agent or service provider appointed by St Anne’s College to enable us to operate effectively, provided we are satisfied that appropriate safeguards have been put in place to ensure adequate levels of security for your data.
Examples of bodies to whom we are required by law to disclose certain data include, but are not limited to those listed in this PDF.
Examples of bodies to whom we may voluntarily disclose data, in appropriate circumstances, include but are not limited to those listed in this PDF.
Where information is shared with third parties, we will seek to share the minimum amount of information necessary to fulfil the purpose.
All our third party service providers are required to take appropriate security measures to protect your personal information in line with our policies, and are only permitted to process your personal data for specific purposes in accordance with our instructions. We do not allow our third party providers to use your personal data for their own purposes
12. Transfers of your data outside of the European Economic Area (EEA)
Although most of the information we collect, store and process stays within the UK, some information may be transferred to countries outside of the European Economic Area (EEA). This may occur if, for example, one of our third-party partners’ servers are located in a country outside of the EEA. This may also occur where staff in our international offices access DARS, our shared relationship-management system.
Transfers outside of the EEA will only take place if one of the following applies:
- the country receiving the data is considered by the EU to provide an adequate level of data protection
- the organisation receiving the data is covered by an arrangement recognised by the EU as providing an adequate standard of data protection e.g. transfers to companies that are certified under the EU US Privacy Shield
- the transfer is governed by approved contractual clauses
- the transfer has your consent
- the transfer is necessary for the performance of a contract with you or to take steps requested by you prior to entering into that contract
- the transfer is necessary for the performance of a contract with another person, which is in your interests
- the transfer is necessary in order to protect your vital interests or of those of other persons, where you or other persons are incapable of giving consent
- the transfer is necessary for the exercise of legal claims
- the transfer is necessary for important reasons of public interest
13. Automated decision-making
We do not envisage that any decisions will be taken about you based solely on automated means, however we will notify you in writing if this position changes.
14. How long we keep your data
We retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purpose of satisfying any legal, accounting or reporting requirements. If your data is being processed for the purposes of archiving and historical research, we will keep it until the data is no longer required for this purpose. In practice, this means your data is likely to be retained permanently.
Details of expected retention periods for the different categories of your personal information that we hold are set out in our Record of Processing Activity (available on request).
Retention periods may increase as a result of legislative changes, e.g. an increase in limitation periods for legal claims would mean that St Anne’s College is required to retain certain categories of personal data for longer. Any such changes will be reflected in updated versions of our Record of Processing Activity.
If there are legal proceedings, a regulatory, disciplinary or criminal investigation, suspected criminal activity, or relevant requests under data protection or freedom of information legislation, it may be necessary for us to suspend the deletion of data until the proceedings, investigation or request have been fully disposed of.
Please note that we may keep anonymised statistical data indefinitely, but you cannot be identified from such data.
15. Your legal rights over your data
Subject to certain conditions and exception set out in UK data protection law, you have:
- The right to request access to a copy of your data, as well as to be informed of various information about how your data is being used;
- The right to have any inaccuracies in your data corrected, which may include the right to have any incomplete data completed;
- The right to have your personal data erased in certain circumstances;
- The right to have the processing of your data suspended, for example if you want us to establish the accuracy of the data we are processing.
- The right to receive a copy of data you have provided to us, and have that transmitted to another data controller (for example, another University or College).
- The right to object to any direct marketing (for example, email marketing or phone calls) by us, and to require us to stop such marketing.
- The right to object to the processing of your information if we are relying on a “legitimate interest” for the processing or where the processing is necessary for the performance of a task carried out in the public interest. The lawful basis for any particular processing activity we carry out is set out in our detailed table of processing activities (available on request).
- The right to object to any automated decision-making about you which produces legal effects or otherwise significantly affects you.
- Where the lawful basis for processing your data is consent, you have the right to withdraw your consent at any time. This will not affect the validity of any lawful processing of your data up until the time when you withdrew your consent. You may withdraw your consent by contacting us at St Anne’s College, 56 Woodstock Road, Oxford OX2 6HS, Tel no 01865 274800 email: email@example.com
- Some of your rights are not automatic, and we reserve the right to discuss with you why we might not comply with a request from you to exercise them.
Depending on the circumstances and the nature of your request it may not be possible for us to do what you have asked, for example, where there is a statutory or contractual requirement for us to process your data and it would not be possible to fulfil our legal obligations if we were to stop. However, where you have consented to the processing, you can withdraw your consent at any time by emailing the relevant department. In this event, we will stop the processing as soon as we can. If you choose to withdraw consent it will not invalidate past processing.
If you have a general query or wish to change the way in which your data is used, please contact firstname.lastname@example.org.
If you are dissatisfied with the way we have used your information, please contact Clear Core Limited t/a ClearComm, Devonshire House, 60 Goswell Road, London EC1M 7AD; Email: email@example.com. We will seek to deal with your request without undue delay, and in any event in accordance with the requirements of the GDPR. Please note that we may keep a record of your communications to help us resolve any issues which you raise.
If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner’s Office at https://ico.org.uk/concerns/
17. Future changes to this privacy notice
This privacy notice was last updated on 24 May 2018.
We reserve the right to update this privacy notice at any time. Any changes to this privacy notice will be posted to this page.
Version control: V1.0 (May 2018)