Privacy Policy

Your privacy, your rights – data protection at DMU

This page tells you how DMU uses personal information and how you can expect us to use your information if:

you study with us
you work for us
you partner with us
you do business with us, or
you are a member of the public who uses our facilities or services

We process personal information needed to deliver our official functions of education and academic research. We also process personal information about members of the public who use our facilities or services. You can find out more about the personal information we process in each area by clicking on the links below:

Education
Academic research
Use of our facilities and services

We never share personal data with third parties for commercial purposes.

You can find out more about how we protect your privacy by selecting any of the below topics. If you have any queries, please get in touch at dataprotection@dmu.ac.uk

Education

The table below shows what personal information we collect and hold about students and why, who we may share it with and the lawful basis for general processing

Students	What personal information we collect	Why we collect it	Who we may share it with	Lawful basis
Prospective students	Your contact details	To send you our prospectus and supplementary information related to your enquiry.	UCAS	Public Task
Students who apply for a place	Your contact details (name, address, phone number(s), email, date of birth, gender, ethnicity, religion, relevant health or disability information, next of kin, details of your previous education and qualifications, financial information, ID/passport, visa or immigration information if you are a non-UK citizen. For regulated courses, we will check for criminal offences.	Verification checks, service planning, equalities monitoring. If you are not a UK citizen, we need confirmation of your immigration status. For regulated courses, DBS clearance is required.	UCAS, Student union (DSU) Student Loan Company (SLC) Work placement employer(s) regulatory bodies. Educational Partners	Public Task
Enrolled/current students	In addition to the above, we hold information about your course, classes and attendance, exam results, placements, accommodation. You will be given a student number which our staff will use to identify you.	For educational purposes, student support, extracurricular activities, work placements, volunteering.	As above, plus by law DMU must provide information, including special category data, to the Higher Education Statistics Agency (HESA). Details of HESA’s collection notices can be found HERE	Public Task Legal Obligation
	Course information, placement, results data	For accreditation and registration purposes	Accreditation/registration bodies	Public Task
	Attendance and results/progress data	Sponsor requirement	Sponsors (official funding bodies) Sponsors (overseas) Sponsors (employer)	Public Task Legitimate Interests Legitimate Interests
Students who have graduated from DMU (alumni)	Your degree details, your next employment, education or training.	To provide a reference for you if you ask us to.	Employers	Public Task
		By law, DMU must provide information to the Higher Education Statistics Agency (HESA).	HESA	Legal Obligation
		Marketing information, including details about alumni events.	N/A	Legitimate Interests
		Fundraising	N/A	Consent

The table below shows what personal information we process for staff recruitment, for our current and past staff, what the information is used for, who we may share it with, and the lawful basis for general processing

Staff	What personal informatoin we collect	Why we collect it	Who may we share it with	Lawful basis
Prospective staff	Contact details, education, qualifications and work history, date of birth, ethnicity, religion, health, disability.	Application and recruitment purposes, equalities monitoring	Previous employers	Public Task
Current staff	As above, job title, hours and pay, training undertaken whilst at DMU, sickness and holiday information.	Performance and development, payroll and budget, occupational health	Future/prospective employers Accreditation Bodies /Apprenticeship Partners (including tendering process) Mortgage lenders upon request Occupatoinal health provider	Consent Public Task Consent Public Task
Current staff	Health condition and disabilities	Occupational health, workplace assessment	N/A	Public Task
Past staff	Above information from the staff record.	For reference purposes, evidence for financial purposes.	Employers	Public Task

Academic research

The table below shows what personal information we may collect and use for research purposes and the lawful basis for general processing

Public	What information we collect	Purpose	Lawful basis (general processing)
Volunteers for research	Your contact details and other information, depending on the nature and purpose of the research.	Interventional research, i.e. when you are involved and have agreed to take part in the research.	Public Task
General public	Dependent upon nature and purpose of the research (data is de- identified).	Observational research, for example, for statistical processing	Public Task

Use of our facilities and services

The table below shows what personal information we collect about people who use or hire our facilities or services

Service	What personal information we process	Lawful basis
Library	Contact details and borrowing information	Legitimate Interests
Leisure Centre	Contact details, date of birth, medical information	Legitimate Interests
Venue hire	Contact details	Contract
Business/external organisations	Contact details, educational information	Contract or Legitimate Interests

Data protection and privacy laws

The main laws are the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). We also adhere to the duty of confidence and the Human Rights Act (Article 8).

For electronic communications, including email and cookies, we comply with the Privacy and Electronic Communications Regulations (PECR).

Sensitive information

The GDPR defines some types of information as special category data because it is more sensitive. We must have an additional lawful basis to process special category data.

For educational purposes:

The lawful basis we rely on is ‘substantial public interest on the basis of union or member state law’.

For academic research:

All our research is done in the public interest, therefore, where our research involves special category data, we will rely on one of the public interest lawful bases to process special category data, in addition to the lawful basis of ‘public task’ for general processing.

For some courses, we need to know about criminal offences (including spent convictions) because the course includes a placement working directly with children or vulnerable adults. We will comply with Schedule 1 of the Data Protection Act 2018 and the Rehabilitation of Offenders Act (Exceptions) Order 1975.

Your rights

The GDPR gives you rights over how your personal information is used:

The right to be informed – we must tell you how we process your personal information.
The right of access – you can ask to see what personal information we hold about you. This is called a Subject Access Request (SAR).
The right of rectification – where information about you is inaccurate, you can ask us to correct it.
The right to erasure – in some circumstances, or where DMU has no compelling reason to retain your personal information, you can request deletion of that information.
The right to restrict processing – in some circumstances, you can ask us to restrict the processing of your personal data. This right, where it applies, also allows you to ask us to retain your personal information but not to use it.
The right to data portability – in some circumstances, you can request a copy of the personal data you have provided to us in a machine-readable form, so you can transfer it to another organisation for a similar purpose.
Right to object – where there is no legal obligation for DMU to process your data, you can object to us processing your personal information.
Rights in relation to automated decisions and profiling – where computers make decisions about you, including automated profiling, you have a right to challenge the decision or ask for a human to check an automated decision.

To discuss any of these rights, please contact dataprotection@dmu.ac.uk and let us know how we can help.

DMU is the data controller

DMU is the data controller. This means that we determine the purpose of the processing and are responsible for the adequate protection of personal information.

All our staff are appropriately trained and understand their responsibilities for protecting personal data.

When we purchase services or support from a third party, or outsource a service or function to a third party, we remain the data controller, and our suppliers and service providers must adhere to our contract terms and conditions, which include data protection and information security requirements.

How to make a Subject Access Request

You can make a Subject Access Request (SAR) to find out what information DMU holds about you. We will respond to your request within one calendar month.

To make a SAR, please either email us at dataprotection@dmu.ac.uk or complete and submit our online SAR form.

There is not normally a fee for a SAR, but if your request is involves an excessive amount of information, we may charge an administration fee. We will let you know beforehand if we intend to apply an administration fee.

To help us locate your information, please include with your request your name (and any other names you have been known by, if relevant), the period for which the information relates (the calendar year(s), or academic year(s) for students), your date of birth, your address at the time, and your DMU identification number (if relevant). We will send the information to you by email.

Before we can disclose any information to you, we will need to see evidence of your identity. We ask for photo ID if possible. Please include either a copy of your passport (showing your photo, name, date of birth and signature), or a copy of your driving licence (UK or EEA photo card driving licence).

If you do not have either of the above, please send us a copy of your original birth certificate.

If you don’t have any of the above documents, please send us two documents from the below list. These must be addressed to you and cannot both be bank statements or from the same utility company.

Utility bill
Council tax bill
Bank statement
Old style driving licence
Official notification letter from either the DWP or HMRC

You can ask someone else to make a SAR on your behalf. We will need to see evidence that the person making the request is entitled to act on your behalf and they will also need to provide us with evidence of your identity.

How to complain

If you have any concerns or wish to complain about a data protection issue, please contact our Data Protection Officer at DPO@dmu.ac.uk

If you are dissatisfied with the way DMU has handled your complaint, you have a right to complain to the Information Commissioner’s Office at ICO.org.uk

Social media

We use information posted publicly on social media to so we can make information available where it may be relevant or of interest. We never attempt to access private social media accounts.

If you raise a query or a complaint through DMU’s social media, we’ll of course have a record of your user name. We will only use this to resolve your query or complaint and to improve your user experience with the university.

How to report a data protection incident

Please let us know about any data protection or information security incident as soon as possible, by writing to us at dataprotection@DMU.ac.uk

Please include:

your contact details
the nature of incident
the date and time of incident
how the incident was discovered
the type of information (and number of records if known)
the circumstances of the incident

DMU Data Protection Policy

Read our Data Protection Policy.

Further information

Lawful bases for processing (ICO)

Special category data (ICO)

Criminal offence data (ICO)

Guide to PECR (ICO)