Skip to main content

Privacy Notice - Researchers

Part 1: Generic Privacy Notice Information

Durham University has a responsibility under data protection legislation to provide individuals with information about how we process their personal data. We do this in a number of ways, one of which is the publication of privacy notices. Organisations variously call them a privacy statement, a fair processing notice or a privacy policy.

To ensure that we process your personal data fairly and lawfully we are required to inform you:

  • Why we collect your data
  • How it will be used
  • Who it will be shared with

We will also explain what rights you have to control how we use your information and how to inform us about your wishes. Durham University will make the Privacy Notice available via the website and at the point we request personal data.

Our privacy notices comprise two parts – a generic part (i.e. common to all of our privacy notices) and a part tailored to the specific processing activity being undertaken.

Data Controller

The Data Controller is Durham University. If you would like more information about how the University uses your personal data, please see the University’s Information Governance webpages or contact Information Governance Unit:


Information Governance Unit also coordinates responses to individuals asserting their rights under the legislation. Please contact the Unit in the first instance.

Data Protection Officer

The Data Protection Officer is responsible for advising the University on compliance with Data Protection legislation and monitoring its performance against it. If you have any concerns regarding the way in which the University is processing your personal data, please contact the Data Protection Officer:

Andrew Ladd, email: 

Your rights in relation to your personal data

Privacy notices and/or consent

You have the right to be provided with information about how and why we process your personal data. Where you have the choice to determine how your personal data will be used, we will ask you for consent. Where you do not have a choice (for example, where we have a legal obligation to process the personal data), we will provide you with a privacy notice. A privacy notice is a verbal or written statement that explains how we use personal data.

Whenever you give your consent for the processing of your personal data, you receive the right to withdraw that consent at any time. Where withdrawal of consent will have an impact on the services we are able to provide, this will be explained to you, so that you can determine whether it is the right decision for you.

Accessing your personal data

You have the right to be told whether we are processing your personal data and, if so, to be given a copy of it. This is known as the right of subject access. You can find out more about this right on the University’s Subject Access Requests webpage.

Right to rectification

If you believe that personal data we hold about you is inaccurate, please contact us and we will investigate. You can also request that we complete any incomplete data.

Once we have determined what we are going to do, we will contact you to let you know.

Right to erasure

You can ask us to erase your personal data in any of the following circumstances:

  • We no longer need the personal data for the purpose it was originally collected
  • You withdraw your consent and there is no other legal basis for the processing
  • You object to the processing and there are no overriding legitimate grounds for the processing
  • The personal data have been unlawfully processed
  • The personal data have to be erased for compliance with a legal obligation
  • The personal data have been collected in relation to the offer of information society services (information society services are online services such as banking or social media sites).

Once we have determined whether we will erase the personal data, we will contact you to let you know.

Right to restriction of processing

You can ask us to restrict the processing of your personal data in the following circumstances:

  • You believe that the data is inaccurate and you want us to restrict processing until we determine whether it is indeed inaccurate
  • The processing is unlawful and you want us to restrict processing rather than erase it
  • We no longer need the data for the purpose we originally collected it but you need it in order to establish, exercise or defend a legal claim and
  • You have objected to the processing and you want us to restrict processing until we determine whether our legitimate interests in processing the data override your objection.

Once we have determined how we propose to restrict processing of the data, we will contact you to discuss and, where possible, agree this with you.


The University keeps personal data for as long as it is needed for the purpose for which it was originally collected. Most of these time periods are set out in the University Records Retention Schedule.

Making a complaint

If you are unsatisfied with the way in which we process your personal data, we ask that you let us know so that we can try and put things right. If we are not able to resolve issues to your satisfaction, you can refer the matter to the Information Commissioner’s Office (ICO). The ICO can be contacted at:

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Telephone: 0303 123 1113

Website: Information Commissioner’s Office

Part 2 - Tailored Privacy Notice - Researchers

Researchers: Type(s) of personal data collected and held by the University and method of collection

RIS will collect, store and use the following categories of personal data;

  • Contact details; name, title, correspondence details
  • Employment information required by funders; salary information, employer and CVs
  • Application outcomes

Where explicitly required by funders and as part of application criteria RIS will collect and process special category data for and on behalf of the University. 

Data may be provided directly to RIS, for example as part of a funding application or contract, or staff may access relevant data stored in other University systems, e.g. HR.

Researchers: Lawful Basis

Durham University staff: Collection and use of personal data is carried out as performance of the employment contract and as a legitimate business interest of the University. 

Non-Durham University staff: Collection and use of personal data from individuals who are not University staff (including students) is carried out as a legitimate business interest of the University.

Researchers: How personal data is stored

Durham University Staff: Data will be stored in the University’s proprietary Research Management & Information Systems and associated archives. HR data will be stored in a range of different places, predominantly in HR but some employment data will be stored in your department or other departments of the University. HR data is stored securely and will only be accessed by colleagues with a legitimate interest in accessing your data. 

Non-Durham University staff: Personal data of collaborators, partners, funders and subcontractors is stored in the University’s proprietary Research Management & Information Systems and associated archives. Access to personal data is restricted to those members of staff who have a requirement to access the data, and is controlled through password protection and user security profiles. All University employees that are given access to personal data receive mandatory Data Protection training and have a contractual responsibility to maintain confidentiality.

Researchers: How personal data is processed

RIS collects and processes personal data from its research community and potential collaborators and partners in order to:

  • apply for, enter into and manage grants, research agreements, business partnerships and other funding opportunities
  • plan and develop research strategy
  • management information purposes e.g. strategic planning
  • provide expert advice and guidance
  • organise / promote events and build / maintain networks
  • deliver institutional returns
  • fulfil contractual or statutory obligations to funding bodies
  • Data within the University's Research Management & Information System (Worktribe) may be processed by academic staff, departmental administration staff or some Professional Support Services staff, for the purposes of applying for or managing research grants or other project funding. Those with a legitimate need to prepare costs for internal and external funding may access HR salary data via a lookup functionality.

RIS does not use solely automated decision-making processes, including profiling.

Researchers: Who the University shares data with:

RIS will share your data with funders, collaborators and subcontractors as necessary for the purposes outlined under ‘D) How personal data is processed’. RIS will only ever share the minimum required data for the purpose.

Durham University staff: The University has a statutory requirement to disclose employee personal data to the Higher Education Funding Council for England (HEFCE) and the Higher Education Statistics Agency (HESA) and/or their nominees/successors. 

The University will only transfer data outside the EEA when satisfied that both the party which handles the data and the country it is processing in provide adequate safeguards.

Researchers: How long personal data is held by the University

RIS will only retain your data for as long as necessary to fulfil the purposes we collected it for which includes satisfying any legal, accounting or reporting requirements. The University's Records Retention Schedule (Section 20: Human Resources) outlines how long we will keep your data.

Researchers: How to object to the processing of your personal data

Data is held on the basis of legitimate interest. Although there is no formal requirement for RIS to agree a request to withdraw data, it will accommodate requests where doing so does not adversely affect its function or ability to deliver e.g. on contractual obligation. If you have any concerns regarding the processing of your personal data, or you wish to request withdrawal of your data from the project, please contact

Researchers: Visitors to our websites/webpages

When someone visits we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be transparent about this. We will make it clear when we collect personal information and will explain what we intend to do with it.

Researchers: Use of Cookies

A cookie is a simple text file that is stored on your computer or mobile device by a website's server and only that server will be able to retrieve or read the contents of that cookie. Cookies allow websites to remember user preferences, choices and selections, such as what's in your shopping basket. Durham University also make use of the Google Analytics service to understand how you navigate around our site.

Durham University do not use cookies to collect personal information about you.

Researchers: Links to other websites

This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

Researchers: Changes to this privacy notice

We regularly review our privacy information to ensure that it remains accurate and current. We will review and update this privacy information whenever we plan to use personal data for any new purpose. Any changes to this privacy information will be communicated to you.

Researchers: Further Information