Skip to main content

General Privacy Notice

Durham University’s responsibilities under data protection legislation include the duty to ensure that we provide individuals with information about how we process personal data. We do this in several ways, one of which is the publication of privacy notices. This privacy notice provides a general description of the broad range of processing activity; in addition, there are tailored privacy notices covering some specific processing activity.

Data Controller

The Data Controller is Durham University. If you would like more information about how the University uses your personal data, please see the University’s Information Governance pages or contact

Email: info.access@durham.ac.uk

Information Governance Unit also coordinate responses to individuals asserting their rights under the legislation. Please contact the Unit in the first instance.

Data Protection Officer

The Data Protection Officer is responsible for advising the University on compliance with Data Protection legislation and monitoring its performance against it. If you have any concerns regarding the way in which the University is processing your personal data, please contact:

Andrew Ladd, email: info.access@durham.ac.uk

Why and how we use your data

You have the right to be provided with information about how and why we process your personal data. We will only process data where we have a lawful reason to do so. Our main reasons are as follows:

Lawful Basis Purpose of Processing
Contract

As part of agreements between us, we will process personal data for

  • Admission to the university, registration and support for your studies
  • Academic assessment and progression
  • Maintaining an academic record including qualifications
  • Providing access to services including IT, Library and other facilities
  • Providing ID for security purposes
  • Administration of payments such as fees
  • Providing reports to your sponsor (if any) including Student Loans Company
  • Administration of complaints, disciplinary processes and other similar processes
  • Provision of accommodation, catering and other services related to accommodating you
Public Task

We carry out a number of tasks in the public interest including

  • Research
  • Archiving
  • Diversity Monitoring
  • Managing public health risks
  • Managing risks related to public safety or concern to the local community (including reporting crime where we are not required to do so but it is in the public interest to do so)
Legal Obligation

We are a regulated body which means we are required to collect certain information including for

  • Compliance with tax and immigration requirements
  • Providing census and fee information
  • Supporting local authorities on fraud investigation, electoral registration and council tax collection
  • Reporting to the Office for Students and other regulators
  • Reporting crime (where we are required to do so)
Legitimate Interests

We will process data where it is in our legitimate interests to do so including

  • To improve the services we provide to you including organising events that may interest you.
  • To provide information to you about goods or services we offer
  • To support marketing and brand related activity (which may include collecting some data about brand from social media and that might incidentally include personal data).
  • Photographing and recording events around the University including seminars for both training and marketing purposes.

Where you have the choice to determine how your personal data will be used, we will ask you for consent. Whenever you give your consent for the processing of your personal data, you receive the right to withdraw that consent at anytime

In addition, we may provide you with a privacy notice in relation to specific uses of your data where this is appropriate. A privacy notice is a verbal or written statement that explains how we use personal data.

Special category data

Some of the information we collect is special category data (sometimes also known as sensitive personal data). We process personal data that relates to your health (such as your medical information for example to help support you), and any criminal convictions and offences (for reasons of safeguarding). If we use special category data, we will usually do so on the legal basis that it is in the wider public interest (for example in relation to research), to establish, take or defend any legal action or, in some cases, that we have your permission (consent).

How we collect your data

Most of the personal information we process is provided to us directly by you. Often this will be actively provided by you for example by you filing in a form. In other situations your data may be gathered with less active participation by you, for example we may record a Teams video call for business or research purposes, or capture device ID for technical reasons when connecting with the University network. You will be provided with notification of this.

We may also receive personal information indirectly:

  • For the purpose of student admissions and ongoing administration sources, include UCAS, funding bodies such as the Student Loans Company, US Loans, parents/guardians and schools/colleges.
  • For the purpose of support sources, include: medical, health care professionals, psychologists, psychiatrists or those providing you with evidence of your disability or mental health.
  • For the purpose of conducting research data set sources might include: data in the public domain including from the internet, data from domestic and international governmental bodies including Department for Health, Department for Education, local authorities, other Universities. We may also use research data we collected ourselves for one project for another research project.

When we obtain personal data about you from third party sources, we will look to ensure that the third party can lawfully provide us with your personal data.

We may also share information with the same set of organisations for the purposes mentioned above.

Data handling

Where we are processing data using common cloud-based services or platforms (examples might include: Google, Skype, Teams or Zoom) it is possible a transfer of data outside of the EEA or UK may take place. In such cases appropriate protections will be in place (such as contractual arrangements designed to protect data).

We will also anonymise data, where it does not interfere with the reason for us handling the data, as soon as possible. For example: research participant data in large scale surveys will usually be anonymised as soon as possible after collection.

 Research participant data will normally be anonymised if published however there will be some exceptions. Exceptions will be explained to participants where they apply for a particular project.

Retention

The University keeps personal data for as long as it is needed for the purpose for which it was originally collected. Most of these time periods are set out in the University Records Retention Schedule.

Right of access

You have the right to be told whether we are processing your personal data and, if so, to be given a copy of that data.

You can find out more about this right on the Subject Access Requests webpage. 

Right to rectification

If you believe that personal data we hold about you is inaccurate or incomplete, you have the right to request that it is corrected or completed.

Once we have considered your request, we will contact you to let you know the outcome.

Right to erasure

You can ask us to erase your personal data in certain circumstances, including where:

  • We no longer need the personal data for the purpose it was originally collected
  • You withdraw your consent (where consent is the lawful basis) and there is no other legal basis for the processing
  • You object to the processing and there are no overriding legitimate grounds for the processing
  • The personal data has been unlawfully processed
  • We are required to erase the data to comply with a legal obligation

Once we have considered your request, we will inform you of our decision.

Right to restrict processing

You can ask us to restrict the processing of your personal data in the following circumstances:

  • You believe that the data is inaccurate and you want us to restrict processing until we determine whether it is indeed inaccurate
  • The processing is unlawful and you want us to restrict processing rather than erase it
  • We no longer need the data for the purpose we originally collected it, but you need it to establish, exercise or defend a legal claim
  • You have objected to the processing and you want us to restrict processing until we determine whether our legitimate interests in processing the data override your objection.

Once we have determined how we propose to restrict processing of the data, we will contact you to discuss and, where possible, agree this with you.

Right to data portability

Where processing is based on your consent or on a contract, and carried out by automated means, you have the right to receive your personal data in a structured, commonly used and machine-readable format.
You also have the right, where technically feasible, to request that we transfer this data directly to another organisation. This right only applies to personal data that you have provided to us.

Right to object

You have the right to object to the processing of your personal data where:

  • the processing is based on legitimate interests or public task
  • the processing is for direct marketing purposes

Once you have objected, we will assess whether we have compelling legitimate grounds to continue processing your data.

Rights in relation to automated decision-making

You have the right not to be subject to a decision based solely on automated processing (including profiling) where that decision produces legal effects or similarly significant effects on you, unless an exception applies.

Where such processing takes place, you have the right to:

  • obtain human intervention
  • express your point of view
  • contest the decision

Making a complaint

If you are dissatisfied with the way we process your personal data, we ask that you contact us at info.access@durham.ac.uk so that we can try and put things right. If you remain unhappy, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). 

The ICO can be contacted at:

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Telephone: +44 (0)303 123 1113

Website: Information Commissioner’s Office

(Updated July 2026)