Website Privacy Notice
1. Data Controller
University of Newcastle upon Tyne (“we”, “our”, “us”, “The University”) processes personal data in accordance with our obligations under the General Data Protection Regulations (‘GDPR’). It is a registered Data Controller (Registration Number Z5470161) with the Information Commissioner’s Office (‘ICO’). This is the supervisory authority responsible for the oversight and enforcement of Data Protection Legislation within the United Kingdom.
2. How is your personal data collected?
We use different methods to collect data from and about you, including through:
- digital forms, and surveys, for the purpose of providing information about the University, course, your enquiry, or event that you have registered for
- correspondence with us by face to face, phone, email, live chat, social media or otherwise
- interaction with our websites, where we may automatically collect data about your device, IP address, and browsing patterns. We collect this by using opt-in cookies.
- our emails making use of ‘clear image’ pixels for tracking. You can disable email open rate tracking by setting your server to receive plain text email.
3. What personal data is collected?
- You may provide us with personal data directly when you use any of our online enquiry forms, including identification and contact details such as your name, title, date of birth, age, gender, photographic images, correspondence address, email address, phone number, emergency contact details.
- IP address, browsing patterns and device information when browsing the website if you opt into analytics cookies.
4. Where we get your personal data and for what purpose?
We will only use collect and use your personal data when the law allows us to. Most commonly we will use your personal data in the following circumstances:
- Where you consented to the processing.
- Where it necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
We have set out below, in a table format, a description of all the ways we use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Type of data explained:
Type of Data |
Description |
Communications |
Data e.g. your preferences, your responses to questions that are used to help facilitate communication between you and the University. |
Identity |
Data used to identify you, e.g. first name, address etc. |
Contact |
Data used to contact you e.g. email, telephone, mobile number. |
Profile |
Data used to profile for you research purposes or to enhance our communications with you. |
Purpose/Activity |
Type of Data |
Lawful basis for processing including basis of legitimate interest |
We would also like to use your details you have consented to provide us to contact you in the future about events, activities, and other general information about studying with us. |
Communications, Contact |
Consent |
To provide personalised content on our website or other communications platforms. |
Communications |
Consent |
We process data for internal reporting, monitoring, and research as part of our public tasks. This may also include Public interest archiving, scientific and historical research or statistical analysis including equality and diversity monitoring |
Identity |
Public Task |
Anonymising and sharing with social media platforms to see if the adverts have been successful (you cannot be identified) and to serve you or similar audiences with more relevant messages. |
Communications, Profile |
Legitimate Interests |
Enhancing our service; to meet our interests of understanding who our prospective students and contacts are and to enhance the journey towards making an application. |
Profile |
Legitimate Interests |
Providing statistics for management and business intelligence reports on the effectiveness of an event and or communications activity. |
Profile |
Legitimate Interests |
Photographs, video, and audio may be taken at events for use in marketing materials, including on our website and on social media. Where you are not the subject of the image, i.e. if it is a “group” or “crowd” photograph, we may use such images without requiring your consent, however, where you are the subject, you will be asked to provide explicit consent to use the image. |
Profile |
Legitimate Interests |
Anonymising and sharing with social media platforms to see if the adverts have been successful (you cannot be identified) and to serve you or similar audiences with more relevant messages. |
Profile, Communication |
Legitimate Interests |
We track email open and click through rates, user’s browser and device, IP address and location to review communications for reporting purposes and to ensure the University does not spam disengaged contacts. |
Profile |
Legitimate Interests |
Where the University believes it is necessary to protect the life of you or another person, the University will use the vital interests lawful basis to process your personal data, and this may include sharing with a third party. E.g. if you are admitted to a hospital A & E department after a serious accident and you are incapable of providing consent the University may share relevant personal data with the NHS or emergency services. |
Profile, Communication |
Vital Interests |
We process some data because there is a legal obligation to (e.g. UKVI) or because we are required to provide equality monitoring statistics. |
Identity, profile |
Legal Obligation |
4.1 Health and wellbeing-related enquiries
Our lawful basis for processing your personal data and special category data under GDPR.
- We have a legal obligation to process your data necessary for the purposes of arranging disability-related support and reasonable adjustments.
- Where we identify a vulnerability, we will process your data necessary for the purposes of taking reasonable steps to safeguard your wellbeing. We will in most circumstances seek your explicit consent but there may be occasions where processing is necessary to comply with a legal obligation and in the performance of a task in the public interest.
- We will seek explicit consent for the purposes of processing your data necessary for the provision of counselling/therapeutic support.
- We will carry out a task in public interest where you have given permission to your funding body to share your data with us for the purposes of assessing financial supports including bursaries.
- We will seek your explicit consent to process your data necessary for the purposes of assessing financial supports such as hardship.
- Where we identify a vulnerability affecting vital interests we will report this to appropriate health care professionals or to the Police.
- On rare occasions, where it is suspected there is involvement in criminal activities we are required by law to report this to the Police.
5. Where do we securely process and store your personal data?
5.1 Within the UK and EEA
All personal data is processed by Newcastle University staff based in the UK. However, for the purposes of IT hosting and maintenance this information is located on servers within the EEA.
5.2 Outside the UK and EEA
The following systems and purposes are exceptions where data is located on servers not based within the EEA to facilitate specific operational purposes, e.g. event registration and specific CRM systems for managing, processing your personal data:
- VFairs - We will share your data with the company who are hosting online virtual events on our behalf. The company is called VFairs and they will hold your data in the USA using Amazon Web Services. By using the event platform you are also signing up to VFairs privacy policy: https://www.vfairs.com/privacy-policy/ They will retain all personal data they hold on our behalf until 31 May 2023, at which point the data will be deleted. This is to facilitate users taking advantage of the "always on" function.
- HubSpot - We use forms created by HubSpot. HubSpot’s product infrastructure is hosted on Amazon Web Services (AWS) in the United States East region. HubSpot leverages the Google Cloud Platform (GCP) in the EU (Frankfurt, Germany region) to support the processing of local customer data that is critical to its customers' businesses.
These solutions provide high levels of physical and network security and well as hosting provider vendor diversity. HubSpot’s AWS cloud server instances reside in US locations; GCP cloud instances reside in Germany. Both providers maintain an audited security program.
Where processing takes place with an external third party, processing takes place under an appropriate agreement outlining their responsibilities to ensure that processing is compliant with the Data Protection legislation and verified to be secure.
5.3 Payment processing
Where applicable, any credit/debit card details provided will be stored in full compliance with PCI-DSS requirements.
6. Sharing your personal data with third parties
Your personal information will only be disclosed to third parties where we have an appropriate lawful basis to do so, which may include the following:
- With third parties who securely process data on our behalf in order to facilitate our relationship with you, such as software service providers providing externally hosted software solutions e.g. VFairs.
- If you participate in outreach activity, your data will be stored on the Higher Education Access Tracker (HEAT) database. It's used to monitor and evaluate outreach and widening participation effectiveness. How we process data in relation to this can be found on this privacy notice.
- If you participate the PARTNERS Programme activity, your data will be stored on the Higher Education Access Tracker (HEAT) database. HEAT is used to monitor and evaluate the PARTNERS Programme effectiveness. How we process data in relation to this can be found on this privacy notice.
- With the Higher Education bodies such as:
- Universities and Colleges Admissions Service (UCAS) - see privacy notice
- The Higher Education Statistics Agency (HESA) - see privacy notice
- The Office for Students (OfS) - see privacy notice
- Health Education England (HEE) - see privacy notice
- The Education Skills Funding Agency/Learning Record Service - see privacy notice
- The Higher Education Funding Council for England (HEFCE) - see privacy notice
- The UK Research Councils - see privacy notice
- IT service providers (e.g. the provision of University email services; recruitment and customer relationship management services).
Any other disclosures that may be required, but not listed above will only ever be in accordance with your rights and the requirements of the GDPR.
When it is necessary to share your data with organisations outside of the EEA, we will ensure that appropriate safeguards are in place to protect your personal data.
7. How long we hold personal data?
Personal data is retained for as long as it is required to fulfil the purpose for which is it held and then to fulfil any legal requirements.
Any information we use for marketing purposes will be kept by us until you notify us that you no longer wish to receive this information. To withdraw or amend your contact methods at any time:
- click the link at the bottom of an email from us
- contact us on email, [email protected]
We will endeavour to action this within 2 working days.
8. How we store your information?
We have appropriate security measures in place to protect personal data. They take account of the nature of the data and the harm that might be caused if it were lost. These security measures will be tested regularly, assessed, and evaluated. We'll ensure they maintain an appropriate level of security for personal data.
Personal data will be accessible only to those people who need to use it as part of their work. Unauthorised or unlawful access to, use or disclosure of personal data may lead to disciplinary action. In some cases, it could be considered as gross misconduct. In serious cases it could also be a criminal offence.
We will provide prompt and effective notification to the relevant supervisory authority and to data subjects, where necessary, in the event of a personal data breach. We will cooperate fully with any regulatory investigations that result from a breach.
9. Your rights under GDPR
Under the GDPR, you have a number of rights in relation to the processing of your personal information. Each may apply to differing degrees’ dependent upon the nature of the processing and the legal basis for it. You have the right to:
- be informed as to how we use your data (via this privacy notice)
- request access (a copy) of the personal information that we hold about you.
- correct inaccurate or incomplete data
- request that we stop sending you direct marketing communications.
- in certain circumstances, you may have the right to:
- ask to have your data ‘erased
- request is to restrict the processing of your personal data
- request that data you provided electronically to us be returned in as a data file
- object to certain processing of your personal data by us
In some cases, there may be specific exemptions as to why we aren’t able to comply with some of the above. Where this is the case, we will explain the reasons why.
In order to exercise any of the above rights, visit our Access Your Personal Data page
10. Further information
If you would like to discuss this further, please contact us on [email protected].
Visit our Data Protection website if you would like:
- more information about how we manage personal data more generally, including your rights under law
- the contact details of the University’s Data Protection Officer
11. Lodging a complaint with the Information Commissioners Officer (ICO)
If you are unhappy with our use or storage of your data, you have the right to complain to the Information Commissioner's Office (ICO) about this. Please see the ICO website for more details of how to complain.