1. Introduction to St Anne’s College Privacy Notice
St Anne’s College privacy notice explains in detail the types of personal data we may collect about you when you interact with us. It also explains how we will store and handle that data, and keep it safe. St Anne’s College is committed to protecting the privacy and security of personal data.
The notice explains how we use data internally, how we share it, how long we keep it and what your legal rights are in relation to it.
It is likely that we will need to update our Privacy Notices from time to time. We will notify you of any significant changes, but you are welcome to come back and check it whenever you wish.
For the parts of your personal data that you supply to us, the notices also explain the basis on which you are required or requested to provide the information. For the parts of your personal data that we generate about you, or that we receive from others, it explains the source of the data.
There are some instances where we process your personal data on the basis of your consent. The privacy notice sets out the categories and purposes of data where your consent is needed.
This privacy notice relates to the following areas:
The Development and Alumnae relations privacy notice (including details of our fundraising activities) can be viewed here.
“Personal data” is information relating to you as a living, identifiable individual. We refer to this as “your data”. It can include information such as your name, contact details, education history and other information about you that we may process.
“Processing” your data includes various operations that may be carried out on your data, including collecting, recording, organising, using, disclosing, storing and deleting it.
Data protection law requires St Anne’s College (“us” or “we”), as data controller for your data:
St Anne’s College can trace its origins to 1878 and the foundation of the Society of Oxford Home-Students. It is a registered charity and was established as a College of the University of Oxford by Royal Charter in 1952.
We may hold and use a range of data about you at different stages of our relationship with you. We might receive this data from you; we might create it ourselves, or we might receive it from someone else (for example if someone provides us with a reference about you).
Categories of data that we collect, store and use include (but are not limited to):
Further categories of data that we hold are set out in our Records of Processing Activity (available on request).
Most data that you provide to us is processed by us in order that we, and you, can each fulfil our contractual obligations and/or comply with obligations imposed by law. For example (but not limited to):
In a number of instances, the data you provide will be a necessary or contractual requirement, and if you do not provide the information that we ask for, we may not be able to complete the action or transaction required. In some cases we may not be able to provide you with certain services; in other cases, this could result in disciplinary action or the termination of your contract.
Some data that you give to us is provided on a wholly voluntary basis – you have a choice whether to do so. Examples include:
Apart from the data that you provide to us, we may also process data about you from a range of sources. These include (but are not limited to):
Our Record of Processing Activity (available on request) indicates the sources of each of the various categories of data that we process.
Whenever you use a website, mobile application or other Internet service, certain information is created and recorded automatically. The same is true for our website(s), being those with URLs in the domain st-annes.ox.ac.uk
In addition to the data we gather via web forms placed on our site (the handling of which will be governed by the relevant data protection notice covering the circumstances and context), we collect and generate a variety of data via our website(s).
Categories of data that we collect, store and use include (but are not limited to):
Most data collected is statistical data about our users’ browsing actions and patterns, and does not identify any individual. However, there may be occasions where browsing patterns are connected to IP addresses or location data such that the data as a whole is personal data.
Whether we collect some of the above information often depends on your device type and settings. To learn more about what information your device makes available to us, please also check the policies of your device manufacturer or software provider.
The law requires that we provide you with information about the lawful basis on which we process your personal data, and for what purpose(s).
Most commonly, we will process your data on the following lawful grounds:
We may also use your personal information, typically in an emergency, where this is necessary to protect your vital interests, or someone else’s vital interests. In a small number of cases where other lawful bases do not apply, we will process your data on the basis of your consent. Where you are aged under 18, we may ask your parent or guardian for their consent also.
The data we hold will generally have been obtained for other purposes originally and the law permits St Anne’s College to retain lawfully obtained data for the purposes of archiving in the public interest, for historical or scientific research purposes or for statistical purposes. The law provides further safeguards that such processing must (a) not be likely to cause substantial damage or substantial distress to you or another individual; and/or (b) must not be carried out for the purposes of measures or decisions with respect to you or another individual, unless the purposes for which the processing is necessary include the purposes of approved medical research.
In addition, the College (or a third party such as researchers or donors of archive material) will typically also have a legitimate interest in processing data for such purposes, provided your interests and fundamental rights do not override those interests.
Data that you provide to us and the possible consequences of you not providing it
The data that we collect via our website in the course of your accessing it is provided by you on a voluntary basis. If you elect to adjust your browser settings to reject cookies, it may affect your experience in using the site, in the event that any blocked cookies support functionality.
“Special categories” of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information.
The Special Categories of personal data consist of data revealing:
They also consist of the processing of:
We may process special categories of personal information in the following circumstances:
We have in place appropriate policy documents and/or other safeguards which we are required by law to maintain when processing such data.
Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
Criminal convictions and allegations of criminal activity
Further legal controls apply to data relating to criminal convictions and allegations of criminal activity. We may process such data on the same grounds as those identified for “special categories” referred to above.
We have prepared a detailed table (available on request) setting out the processing activities that we undertake, the source of the data, the reasons why we process it, how long we keep it and the lawful basis we rely on.
The table includes detailed information about how and why we process various categories of data, including but not limited to:
We do not, and will not, sell your data to third parties. We will only share it with third parties external to the collegiate University, if we are allowed or required to do so by law. This includes for example:
It also includes disclosures where the third party is an agent or service provider appointed by St Anne’s College to enable us to operate effectively, provided we are satisfied that appropriate safeguards have been put in place to ensure adequate levels of security for your data.
Examples of bodies to whom we are required by law to disclose certain data include, but are not limited to those listed in this PDF.
Examples of bodies to whom we may voluntarily disclose data, in appropriate circumstances, include but are not limited to those listed in this PDF.
Where information is shared with third parties, we will seek to share the minimum amount of information necessary to fulfil the purpose.
All our third party service providers are required to take appropriate security measures to protect your personal information in line with our policies, and are only permitted to process your personal data for specific purposes in accordance with our instructions. We do not allow our third party providers to use your personal data for their own purposes.
Although most of the information we collect, store and process stays within the UK, some information may be transferred to countries outside of the European Economic Area (EEA). This may occur if, for example, one of our third-party partners’ servers is located in a country outside of the EEA. This may also occur where staff in our international offices access DARS, our shared relationship-management system.
Transfers outside of the EEA will only take place if one of the following applies:
We do not envisage that any decisions will be taken about you based solely on automated means; however, we will notify you in writing if this position changes.
We retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purpose of satisfying any legal, accounting or reporting requirements. If your data is being processed for the purposes of archiving and historical research, we will keep it until the data is no longer required for this purpose. In practice, this means your data is likely to be retained permanently.
Details of expected retention periods for the different categories of your personal information that we hold are set out in our Record of Processing Activity (available on request).
Retention periods may increase as a result of legislative changes, e.g. an increase in limitation periods for legal claims would mean that St Anne’s College is required to retain certain categories of personal data for longer. Any such changes will be reflected in updated versions of our Record of Processing Activity.
If there are legal proceedings, a regulatory, disciplinary or criminal investigation, suspected criminal activity, or relevant requests under data protection or freedom of information legislation, it may be necessary for us to suspend the deletion of data until the proceedings, investigation or request have been fully disposed of.
Please note that we may keep anonymised statistical data indefinitely, but you cannot be identified from such data.
Subject to certain conditions and exceptions set out in UK data protection law, you have:
Depending on the circumstances and the nature of your request it may not be possible for us to do what you have asked, for example, where there is a statutory or contractual requirement for us to process your data and it would not be possible to fulfil our legal obligations if we were to stop. However, where you have consented to the processing, you can withdraw your consent at any time by emailing the relevant department. In this event, we will stop the processing as soon as we can. If you choose to withdraw consent it will not invalidate past processing.
If you have a general query or wish to change the way in which your data is used, please contact email@example.com.
If you are dissatisfied with the way we have used your information, please contact the College Data Protection Officer, Simon Buchanan at Clear Core Limited t/a ClearComm, Devonshire House, 60 Goswell Road, London EC1M 7AD; Email: firstname.lastname@example.org. We will seek to deal with your request without undue delay, and in any event in accordance with the requirements of the GDPR. Please note that we may keep a record of your communications to help us resolve any issues which you raise.
If you are still not happy, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
Information Commissioner’s Office
Tel: 0303 123 1113
This privacy notice was last updated on 10 June 2019.
We reserve the right to update this privacy notice at any time. Any changes to this privacy notice will be posted to this page.
Version control: V1.2 (June 2019)