what do you need to know?

This page provides some general information that we need to tell you about whenever we collect personal data from you, or obtain your information from another source. We will always give you specific information about why we require your personal data and how we will use it; see, for example, our student or staff privacy notices.

To help you understand more about our use of your data, we’ve also included some additional information on security and the potential legal basis for processing personal data.

This page was last updated in December 2017.

further information

WHO WE ARE

The University of East Anglia is a Data Controller. This means that we determine why and how personal data will be collected and used, either alone, or jointly with others. 

Our handling of personal data is regulated by the Information Commissioner’s Office (ICO). Our registration number is Z8964916. See our ICO register entry.

CONTACT US

You can contact the University’s data protection team by emailing dataprotection@uea.ac.uk or calling +44 (0)1603 59 2431 / 1143.

Under the General Data Protection Regulation (GDPR), the University is required to employ a Data Protection Officer. The responsibilities of the DPO are outlined in Articles 37-9.

YOUR RIGHTS

UK data protection law gives people a range of privacy rights. These are:

The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling

Click on the links to find out more, or contact the Data Protection Officer (see above).

ACCESS TO YOUR INFORMATION

You may request a copy of your personal data held by the University. See the Requests for personal information web page. 

COMPLAINTS OR CONCERNS

If you have any complaint or concern relating to how the University has handled your personal data, you can contact the Data Protection Officer in the first instance. The Information Commissioner’s Office has published guidance on raising a concern with an organisation.

You can also contact the Information Commissioner’s Office directly.

SECURITY OF YOUR INFORMATION

When we use personal information we are required to take appropriate technical and organisational measures to protect that information from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. Our obligations extend from the point we collect the information up to, and including, the time of its destruction. 

All UEA staff are required to complete data protection training to ensure they are aware of the need to secure the personal data they use at work, including paper documents. The University’s Information Security Policy and Conditions of Computer Use set out how digitally-held information must be used and secured. Additionally, where we rely on an external organisation to handle UEA personal data on our behalf, we need to have a written agreement in place which sets out how data will be kept secure. We will tell you if your information is being shared with a third party in this way.

GDPR requires UEA to record the technical and organisational security measures for all personal data we process. This work is ongoing, but if you require information on the security of your personal data, contact dataprotection@uea.ac.uk in the first instance.

WHERE IS YOUR INFORMATION KEPT?

Your personal data will normally be stored by the University on campus, in either paper or digital format. Data will only be held offsite where we have a contract with the organisation providing that storage, which will usually be part of a wider service. An example of offsite data storage is Office 365.

Occasionally, these service providers are based, or store their information, outside of the UK. If we transfer or store information outside the European Economic Area the University must ensure that additional steps are taken to protect your information. In these cases we will either: ensure our contract with the organisation includes specific clauses approved by the EU; ensure that the transfer is to a country deemed to provide an adequate level of protection for your data; ensure a lawful derogation applies; or, where the data will be held in the US, ensure the company is Privacy Shield certified.

HOW LONG WE KEEP YOUR INFORMATION

We will keep your personal data only as long as is necessary for the purpose(s) for which it was collected, and in accordance with the University’s Records Retention Schedules. Data will be securely destroyed when no longer required. Note that some information about former students will be held indefinitely – see Alumni privacy notice for further details.

ABOUT 'LEGITIMATE INTERESTS'

The University will, where appropriate and allowed by law, rely on ‘legitimate interests’ as a lawful basis for handling personal data. If we’ve told you that our use of your personal data is required for either the University’s or another body’s legitimate interests, here’s a bit more detail about what that means.

In this case, ‘Legitimate Interests’ means the interests of the University in how we conduct and manage our activities. For example, we have a legitimate interest in successfully attracting and enrolling students. It may also refer to the interest of a third party organisation, or the person whose data we are processing.

We might refer to legitimate interests when we want to use your information in a way that we believe will benefit the University and the services we provide. However, we cannot do something we think is in our legitimate interests if it causes undue harm to the person whose information we are using. We need to make sure we get the balance right in all cases, and will let you know what our use of your data will mean for you.

You have the right to object to any processing of your personal data which has been undertaken in the legitimate interests of the University or other party. See Complaints section above for details. Please note that if you object we may not be able to carry out these activities for your benefit.

CONSENT FOR HANDLING PERSONAL DATA

The University will also occasionally seek your consent to use your personal data in specified ways. If you have provided consent, or are considering doing so, you should be aware that the University will always aim to apply the standards set in the ICO checklists. If we haven’t met that standard, let us know.

Where our use of your data is based on your consent, you have the right to withdraw that consent at any time. See Complaints section above for details of who to contact.

WEBSITE

Our website privacy statement explains how data may be gathered about users of the University’s website.

The University’s privacy notices do not cover the links within the UEA site which link to other websites. We suggest you read the privacy statements on other websites you visit.