Skip to main content

Website Privacy Notice

1. Data Controller

University of Newcastle upon Tyne (“we”, “our”, “us”, “The University”) processes personal data in accordance with our obligations under the General Data Protection Regulations (‘GDPR’). It is a registered Data Controller (Registration Number Z5470161) with the Information Commissioner’s Office (‘ICO’). This is the supervisory authority responsible for the oversight and enforcement of Data Protection Legislation within the United Kingdom.

2. How is your personal data collected?

We use different methods to collect data from and about you, including through:

  • digital forms, and surveys, for the purpose of providing information about the University, course, your enquiry, or event that you have registered for
  • correspondence with us by face to face, phone, email, live chat, social media or otherwise
  • interaction with our websites, where we may automatically collect data about your device, IP address, and browsing patterns. We collect this by using opt-in cookies.
  • our emails making use of ‘clear image’ pixels for tracking. You can disable email open rate tracking by setting your server to receive plain text email.
3. What personal data is collected?
  • You may provide us with personal data directly when you use any of our online enquiry forms, including identification and contact details such as your name, title, date of birth, age, gender, photographic images, correspondence address, email address, phone number, emergency contact details.
  • IP address, browsing patterns and device information when browsing the website if you opt into analytics cookies.
4. Where we get your personal data and for what purpose?

We will only use collect and use your personal data when the law allows us to.  Most commonly we will use your personal data in the following circumstances:

  • Where you consented to the processing.
  • Where it necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

We have set out below, in a table format, a description of all the ways we use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Type of data explained:

Type of Data

Description

Communications

Data e.g. your preferences, your responses to questions that are used to help facilitate communication between you and the University.

Identity

Data used to identify you, e.g. first name, address etc.

Contact

Data used to contact you e.g. email, telephone, mobile number.

Profile

Data used to profile for you research purposes or to enhance our communications with you.

Purpose/Activity

Type of Data

Lawful basis for processing including basis of legitimate interest

We would also like to use your details you have consented to provide us to contact you in the future about events, activities, and other general information about studying with us. 

Communications, Contact

Consent

To provide personalised content on our website or other communications platforms.

Communications

Consent

We process data for internal reporting, monitoring, and research as part of our public tasks. This may also include Public interest archiving, scientific and historical research or statistical analysis including equality and diversity monitoring

Identity

Public Task

Anonymising and sharing with social media platforms to see if the adverts have been successful (you cannot be identified) and to serve you or similar audiences with more relevant messages.

Communications, Profile

Legitimate Interests

Enhancing our service; to meet our interests of understanding who our prospective students and contacts are and to enhance the journey towards making an application.

Profile

Legitimate Interests

Providing statistics for management and business intelligence reports on the effectiveness of an event and or communications activity.

Profile

Legitimate Interests

Photographs, video, and audio may be taken at events for use in marketing materials, including on our website and on social media. Where you are not the subject of the image, i.e. if it is a “group” or “crowd” photograph, we may use such images without requiring your consent, however, where you are the subject, you will be asked to provide explicit consent to use the image. 

Profile

Legitimate Interests

Anonymising and sharing with social media platforms to see if the adverts have been successful (you cannot be identified) and to serve you or similar audiences with more relevant messages.

Profile, Communication

Legitimate Interests

We track email open and click through rates, user’s browser and device, IP address and location to review communications for reporting purposes and to ensure the University does not spam disengaged contacts.

Profile

Legitimate Interests

Where the University believes it is necessary to protect the life of you or another person, the University will use the vital interests lawful basis to process your personal data, and this may include sharing with a third party. E.g. if you are admitted to a hospital A & E department after a serious accident and you are incapable of providing consent the University may share relevant personal data with the NHS or emergency services.

Profile, Communication

Vital Interests

We process some data because there is a legal obligation to (e.g. UKVI) or because we are required to provide equality monitoring statistics.

Identity, profile

Legal Obligation

 4.1 Health and wellbeing-related enquiries

Our lawful basis for processing your personal data and special category data under GDPR.

  • We have a legal obligation to process your data necessary for the purposes of arranging disability-related support and reasonable adjustments.
  • Where we identify a vulnerability, we will process your data necessary for the purposes of taking reasonable steps to safeguard your wellbeing. We will in most circumstances seek your explicit consent but there may be occasions where processing is necessary to comply with a legal obligation and in the performance of a task in the public interest.
  • We will seek explicit consent for the purposes of processing your data necessary for the provision of counselling/therapeutic support.
  • We will carry out a task in public interest where you have given permission to your funding body to share your data with us for the purposes of assessing financial supports including bursaries.
  • We will seek your explicit consent to process your data necessary for the purposes of assessing financial supports such as hardship.
  • Where we identify a vulnerability affecting vital interests we will report this to appropriate health care professionals or to the Police.
  • On rare occasions, where it is suspected there is involvement in criminal activities we are required by law to report this to the Police.
5. Where do we securely process and store your personal data?

5.1 Within the UK and EEA

All personal data is processed by Newcastle University staff based in the UK. However, for the purposes of IT hosting and maintenance this information is located on servers within the EEA. 

5.2 Outside the UK and EEA

The following systems and purposes are exceptions where data is located on servers not based within the EEA to facilitate specific operational purposes, e.g. event registration and specific CRM systems for managing, processing your personal data:

  • VFairs - We will share your data with the company who are hosting online virtual events on our behalf. The company is called VFairs and they will hold your data in the USA using Amazon Web Services. By using the event platform you are also signing up to VFairs privacy policy: https://www.vfairs.com/privacy-policy/ They will retain all personal data they hold on our behalf until 31 May 2023, at which point the data will be deleted. This is to facilitate users taking advantage of the "always on" function.
  • HubSpot - We use forms created by HubSpot. HubSpot’s product infrastructure is hosted on Amazon Web Services (AWS) in the United States East region. HubSpot leverages the Google Cloud Platform (GCP) in the EU (Frankfurt, Germany region) to support the processing of local customer data that is critical to its customers' businesses.

These solutions provide high levels of physical and network security and well as hosting provider vendor diversity. HubSpot’s AWS cloud server instances reside in US locations; GCP cloud instances reside in Germany. Both providers maintain an audited security program.

Where processing takes place with an external third party, processing takes place under an appropriate agreement outlining their responsibilities to ensure that processing is compliant with the Data Protection legislation and verified to be secure.

 5.3 Payment processing

Where applicable, any credit/debit card details provided will be stored in full compliance with PCI-DSS requirements.

6. Sharing your personal data with third parties

Your personal information will only be disclosed to third parties where we have an appropriate lawful basis to do so, which may include the following:

Any other disclosures that may be required, but not listed above will only ever be in accordance with your rights and the requirements of the GDPR.

When it is necessary to share your data with organisations outside of the EEA, we will ensure that appropriate safeguards are in place to protect your personal data.

7. How long we hold personal data?

Personal data is retained for as long as it is required to fulfil the purpose for which is it held and then to fulfil any legal requirements.

Any information we use for marketing purposes will be kept by us until you notify us that you no longer wish to receive this information. To withdraw or amend your contact methods at any time:

  • click the link at the bottom of an email from us
  • contact us on email, [email protected]


We will endeavour to action this within 2 working days.

8. How we store your information?

We have appropriate security measures in place to protect personal data. They take account of the nature of the data and the harm that might be caused if it were lost. These security measures will be tested regularly, assessed, and evaluated. We'll ensure they maintain an appropriate level of security for personal data.

Personal data will be accessible only to those people who need to use it as part of their work. Unauthorised or unlawful access to, use or disclosure of personal data may lead to disciplinary action. In some cases, it could be considered as gross misconduct. In serious cases it could also be a criminal offence.

We will provide prompt and effective notification to the relevant supervisory authority and to data subjects, where necessary, in the event of a personal data breach. We will cooperate fully with any regulatory investigations that result from a breach.

9. Your rights under GDPR

Under the GDPR, you have a number of rights in relation to the processing of your personal information. Each may apply to differing degrees’ dependent upon the nature of the processing and the legal basis for it. You have the right to:

  • be informed as to how we use your data (via this privacy notice)
  • request access (a copy) of the personal information that we hold about you.
  • correct inaccurate or incomplete data
  • request that we stop sending you direct marketing communications. 
  • in certain circumstances, you may have the right to:
    • ask to have your data ‘erased
    • request is to restrict the processing of your personal data 
    • request that data you provided electronically to us be returned in as a data file
    • object to certain processing of your personal data by us 

In some cases, there may be specific exemptions as to why we aren’t able to comply with some of the above. Where this is the case, we will explain the reasons why. 

In order to exercise any of the above rights, visit our Access Your Personal Data page

10. Further information

If you would like to discuss this further, please contact us on [email protected]

Visit our Data Protection website if you would like:

  • more information about how we manage personal data more generally, including your rights under law
  • the contact details of the University’s Data Protection Officer
11. Lodging a complaint with the Information Commissioners Officer (ICO)

If you are unhappy with our use or storage of your data, you have the right to complain to the Information Commissioner's Office (ICO) about this. Please see the ICO website for more details of how to complain.