Purpose of this Notice
This Notice explains how the University through its Research & Innovation teams, Departments, Schools and Faculties will collect and use your personal data for research and innovation development activities.
Please see below more information on the activities covered by this Notice.
Throughout this Notice, "University" "we", "our" and "us" refers to the University of Leeds. "you" and "your" refers to all other individuals involved in research and innovation activity.
We are the data controller for personal data that we process about you.
Change in the law
Until 24 May 2018 we processed your personal data in accordance with the Data Protection Act 1998 (or DPA for short). Since 25 May 2018, we are processing your personal data in accordance with the General Data Protection Regulations (or GDPR for short).
This Notice complies with requirements under both DPA and GDPR.
Changes to this Notice
We are likely to make changes to this Notice on an ongoing basis.
You can obtain the current version of this Notice by emailing firstname.lastname@example.org.
If there is anything you are unclear about, please email email@example.com. We will be happy to answer any queries you may have concerning this Notice or the way in which we process your personal data.
Where does the University get your personal data from?
We obtain personal data regarding you from the following sources:
Data you provided when you:
Third party sources
Categories of personal data being processed
We will collect and process personal data about you.
Personal data may contain "sensitive personal data" as described under the DPA and "special categories of data" as described under the GDPR. Such "sensitive personal data" or "special categories of data" is information about your racial or ethnic origin, religious beliefs or other beliefs, physical or mental health or, in relation to DPA only, other conditions and information concerning any criminal offences or criminal proceedings. This data would only be used if (i) you have directly provided it yourself (with your consent), for example during one-to-one conversations with our representatives or collected for event management purposes e.g. for assessing access requirements arising from a disability or (ii) it has been sourced from information that we believe you have clearly made public, for example details of patrons/trustees/supporters on charity/society websites.
The data we may process includes:
As with most websites certain actions you take will be recorded anonymously as cookies by the University's websites. Please see the University website for further information on Cookies.
The purposes for which we process your personal data
We will use your data to help us manage our relationship with you. Please see the "Communications" section for information on the communication that we may have with you. We may also process your personal data for the following purposes:
Keeping your data up to date
We will update the data we hold on you from time to time. For example, if you provide us with new contact details or change your details on websites managed by the University or social media sites such as LinkedIn. We will respond to any request for your data to be updated.
If you would like your data to be updated please email firstname.lastname@example.org.
We may update your contact details by using third party sources/services such as Royal Mail NCOA (National Change of Address). We also use these services to check if there are people we should no longer contact (for example, if someone has died). Where third parties provide these services to us they are only allowed to use your data in accordance with the strict instructions of the University. The third party is required to hold the data confidentially and securely and will not use your data in any other way. Your data will only be kept for as long as necessary and will then be destroyed.
If you prefer for us not to use third party sources to update your data, please email email@example.com.
Who can see your data?
Your data is held securely within the University. Access is strictly controlled and staff receive training on data protection.
In addition to third parties helping us keep your data up to date, in order to boost functionality and efficiency, we may employ IT experts from outside of the University to aid with the development of our systems. They may have access to information which is necessary to complete the specific task for which they are appointed. These experts will provide their services in accordance with the strict instructions of the University. In particular they must respect confidentiality and to the extent they do need to temporarily hold any data, that data must be held securely, strictly used only for the agreed purpose, kept for only as long as necessary and then destroyed.
We will not sell or share your data to third parties for their commercial purposes.
We will from time to time communicate with you by email, post and telephone to pursue the purposes mentioned above. In particular we regularly communicate with people for the following purposes:
If you prefer not to have your personal data used for any or all of the above purposes, please email firstname.lastname@example.org.
If the telephone number we have for you is registered with the Telephone Preference Service (TPS) we would only contact you on that number for administrative purposes unless you have given us permission to contact you on this number for other purposes.
If you are unsuccessful in unsubscribing from our communications and/or remain concerned, please contact our Data Protection Officer (see later contact details).
Sharing your data involving other countries
Sometimes to achieve the purposes for which we are processing your personal data we may need to share your personal data with other organisations based within the European Union or if outside the European Union based in countries that have comparable levels of protection.
When it is necessary to share your data with organisations outside of the European Union, we will ensure that there are appropriate safeguards in place.
Generally the University will look to retain personal data until a relationship no longer exists or the individual asks us to remove it from our records. We will routinely remind you of your right to have us remove your personal data.
If you decide that you no longer wish to receive communication from the University please be aware that we still need to retain a minimal amount of personal data so that we can keep a record that you have asked us not to contact you.
Your rights as a data subject
Under GDPR you have the right to:
Please see https://ico.org.uk for further information on the above rights. You may also contact the Data Protection Officer for further information.
You have a right to complain to the Information Commissioner's Office about the way in which we process your personal data. Please see https://ico.org.uk.
Legal basis for processing your data under GDPR
GDPR is a new law and it has not yet been applied to circumstances similar in context to our research and innovation partners. The extent of lawful grounds for processing data has yet to be fully understood. As legal views mature the University may change its views on its legal basis for processing.
The University will sometimes process your data based upon your consent.
The University will also be processing data often on the basis that it is necessary to enable it to meet its contractual commitments to you.
Sometimes the University will be processing your data because you have clearly made it publicly available.
Finally, the University believes that its activities are necessary for the purposes of the legitimate interest of the University and other third parties. These interests are not overridden by the interests and fundamental rights or the freedoms of the data subjects concerned. Legitimate interests of the University and third parties focus around supporting educational activities and ongoing developmental activities for University alumni and others.
It is recognised that some of the above grounds will overlap and that the University could rely on multiple grounds justifying its lawful processing.
Concerns and contact details
If you have any concerns with regard to the way your personal data is being processed or have a query with regard to this Notice, please email email@example.com.
Our general postal address is University of Leeds, Leeds LS2 9JT, UK.
Our postal address for data protection issues is University of Leeds, Room 11.37 Worsley Building, Leeds, LS2 9JT.
Our data controller registration number provided by the Information Commissioner's Office is Z553814X.
Last updated: 09/10/2018