The Information Governance Board is responsible for ensuring the University complies with the laws and regulations relating to data.
Information governance encompasses more than traditional records management, it promotes a framework that brings together all the requirements, standards and best practice that apply to the handling of information to ensure legal compliance. It incorporates information security and protection, compliance, data governance, electronic discovery, risk management, privacy, retention and archiving, business operations and management, data audits, analytics, IT management, finance and other key areas.
Edge Hill University (“we”, “us”) regard your privacy as important and comply with the principles of the current and changing Data Protection legislation. This policy provides an overview of how your data may be collected and how it is retained. Please note, some departments inside of the University may collect and use data differently. These departments will have a departmental Privacy Notice explaining these practices on their webpage.
What information do we collect?
When you visit and use our website we may collect data or ask you to provide certain data, including personal data. ‘Personal data’ is any data relating to an identified or identifiable individual. The personal data we collect might include information that you give to us including your name, date of birth, address, and email address. There is also data that is automatically collected when you use the site. This is not collected to identify you, but collected so we can find ways to improve our website and identify how many users visit the site. Examples of the data that is automatically collected include IP address, domain name, language, and information regarding what pages are accessed at particular times.
Examples of when information is gathered include:
- signing up for newsletters
- requesting a prospectus
- registering for open days
- staff or students who use our portal
Who is the information shared with?
When you provide us with your personal data, we will only use it for the reason you provided. This data will not be shared with a third party unless you are informed that this will happen and you agree. The University may disclose appropriate personal data, including sensitive personal data, to third parties, where there is legitimate need or obligation, during or after your period of study. Such disclosure is subject to procedures to ensure the identity and legitimacy of such agencies.
The University will also use your data, together with data about other current and former students, to carry out statistical analysis in relation to its student population or for historical or research purposes (but not to make decisions about you).
The University is sometimes required to take part in surveys or research conducted by or on behalf of Government departments, executive agencies, non-departmental public bodies or higher education bodies relating to individuals who have graduated from or left the University. If so, your contact details will be shared with the organisation carrying out the survey or research on behalf of the University.
Data controllers must be able to demonstrate they are complying with the data protection principles and other requirements of the GDPR. It is essential therefore that researchers document any policies or procedures they adopt in order to comply with data protection requirements. Similarly, if relying on consent as the legal basis for processing, you must be able to demonstrate that the individual has consented by maintaining a record of when consent was obtained, how it was given and what the individual has been told at the time of consent. To promote accountability, a record of processing activities should be maintained as they will be subject to inspection by the ICO in the event of any security breach. These records must detail the following:
- Category of data subject: from whom the data has been collected.
- Category of personal data: what type of data has been collected.
- Category of recipients: what other parties the data is shared with, if applicable.
- Details of any transfers to a third country: relevant to transfers outside the EU.
- Time limit for erasure (if applicable).
- General description of security measures.
The Data Protection Act 2018 supplements the GDPR by stipulating that the requirement for appropriate safeguards will not be met if the processing is likely to cause substantial damage or substantial distress to a data subject if it forms the basis for decisions or measure relating to a particular individual. This condition does not apply to intervention medical research that has been approved by a NHS Ethics Committee.
If a researcher is using a third party to collect or process personal data on their behalf (a ‘data processor’), they must have a written agreement with the third party. Researchers should seek advice from the Research Office with respect to all such agreements. In all instances, researchers should be able to demonstrate that they have proactively addressed the data protection implications of their projects, ensuring compliance with the requirements for accountability and privacy by design.
How do we use the information we collect?
The personal information you give to us, is used to send marketing communications such as newsletters or information regarding open days and events. If you have requested a prospectus, the personal information such as address, is used to complete the request.
The information automatically collected when using the site (listed above) is used to:
- review and improve the design of the website
- monitor and analyse the utilisation of the website
- monitor and analyse the usage for our own demographical research purposes
Access to your personal data
You have the right to request copies of data held about you by the University. If you no longer want us to use your data, or wish to amend the type of communications you receive, then you can opt out at any time via the unsubscribe link included in every email.
Changes to this policy
This privacy statement applies to all University websites that link to this page. Please note that some sites related to the University may collect and use data differently. These sites will have a local privacy notice explaining these practices. If the user leaves a University website and visits a website operated by a third party, Edge Hill University cannot be held responsible for the protection and privacy of any information that users provide when visiting such third-party websites. Accordingly, users should exercise caution and review the privacy statement applicable to the website in question.