Record of Processing Activities - University of Derby
Registration Number: Z859984X
Date Registered: 24 May 2004
Registration Expires: 23 May 2025
Data Controller: University of Derby
Address: Kedleston Road, Derby, DE22 1GB
Other Names: Buxton & Leek College, Buxton College, Leek College
The University of Derby is a public authority under the Freedom of Information Act 2000
This register entry describes, in very general terms, the personal data being processed by: the University of Derby
Nature of Work: University
The University is organised into 4 academic colleges (College of Health, Psychology and Social Care, College of Science & Engineering, College of Arts, Humanities and Education and College of Business Law and Social Science) in addition there is further education provision through our Buxton and Leek College. These colleges are supported by Central Professional Services (FE Skills and Registry, Legal, Governance and Assurance Services, Digital Solutions, & Systems, Finance and People & Culture, Estates).
The Record of Processing Activity (ROPA) details the categories of data subjects and personal data that we process, as well as the purpose of the processing along with any recipients the personal data may be shared.
Description of Processing
The following is a broad description of the way this organisation/data controller processes personal information. To understand how your own personal information is processed you may need to refer to any personal communications you have received, check any privacy notices the organisation has provided or contact the organisation to ask about your personal circumstances.
Purposes for processing information
The University processes personal data for several purposes including:
- Providing education and support services to our students
- Staff administration
- Safeguarding the health and safety of our staff, students and third parties
- Management and administration of University research
- Financial purposes
- Data security and integrity management
- Statutory returns and other legal obligations
- The prevention and detection of crime
- Marketing and event promotion
- Alumni engagement management
- Fundraising and donation management
- Contractor management and commercial activities to our clients
- CCTV systems (including visual data) to monitor and for the purposes of security and the prevention and detection of crime
Categories of data subjects
As a result, the University processes the personal data of:
- Students
- Staff and contracted personnel
- Prospective staff
- Unsuccessful applicants (staff)
- Unsuccessful applicants (students)
- Volunteers
- Former staff
- Prospective students
- Alumni
- Former students (withdrawn or discontinued)
- External Third Parties
- Donors and friends of the University
- Exchange students (incoming)
- Visitors
- Individuals captured by CCTV images
- Landlords, tenants
- Parents, guardians, and carers of students
- Contractors
- Industry/Business contacts
- Suppliers of goods and services
- Complainants and enquirers
- Authors, publishers, and other creators
- Persons who may be the subject of enquiry
- Third parties participating in course work
- Health, welfare, and social organisations
Categories of personal data
Categories of personal data processed by the University include:
- Biographical and family details
- Lifestyle and social circumstances
- Visual images, personal appearance, and behaviour
- Contact information
- Next of kin and emergency contact information
- Survey/feedback information
- Student record, attendance, and academic data
- Employment record and data
- Financial details
- Contract record information – including external third parties
- Misconduct, disciplinary and grievances investigations and outcomes
- Qualifications and professional memberships information
- Consent record information
- Health and disability data
- Criminal proceedings and conviction information (offences and alleged offences and sentences)
- Equality information
- Vetting and barring checks
- Information held in order to publish university publications
Sensitive Data
It must be noted that University also processes sensitive data, this may include:
- Racial or ethnic origins
- Trade union membership
- Religious or other similar beliefs
- Physical or mental health details
- Sexual life
- Offences and alleged offences
- Criminal proceedings, outcomes, and sentences
Recipients of personal data
In certain circumstances, the University must share personal data with a third party if this is required by law or because it otherwise deems it to be necessary to achieve a specified purpose. The University of Manchester complies with the UK General Data Protection Regulation and the Data Protection Act 2018 when disclosing personal data.
The types/categories of recipients for personal data are:
- Suppliers and service providers, including for the administration of travel and insurance
- New and previous employers
- Regulatory bodies including the Office for Students (OfS)
- UCAS
- Third party statistical agencies, including HESA
- Governmental bodies including UKVI, ESFA, Ofsted and DSA
- Local Councils
- Student Loan Company (SLC)
- Financial organisations, Debt collection agencies, Fraud prevention agencies
- Awarding bodies
- Work experience or other placement providers
- Accommodation providers
- Student support – providers
- Parents, guardians, and carers
- Auditors
- Police, prison, probation, and court services
- Students’ Union
- Landlords
- Legal representatives
- International agents
- Research councils
- Consultants and professional advisors
- Auditors
- Trade unions and staff association
Transfers of data to a third country
The University has relationships with institutions and agencies outside of the UK which encourage and facilitate international learning and research. Where we transfer personal data outside of the UK as part of these relationships, we ensure appropriate contracts or other safeguards are in place.
Retention of data
The University retains personal data in line with our records retention schedule. The retention schedule can be located through our SharePoint.
Statement of exempt processing
This data controller also processes personal data which is exempt from notification.
Information regarding our technical and organisational security measures
Under the data protection legislation, the University has a general obligation to implement technical and organisational security measures to show we have considered and integrated data protection into our processing activities, examples of our measures include:
- Pseudonymisation, i.e. using personal data in a way that minimises the opportunity for identifying individuals e.g. by using ID codes
- Encryption
- The ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing
To find out more...
Please read our Data Protection Policy.
Find out more about our privacy notices
Data Protection Officer: James Fussell (dpo@derby.ac.uk).
Further information is available from the Information Commissioner’s Office register
Need advice?
You can contact us at gdpr@derby.ac.uk