Under data protection laws there are six different lawful grounds for an organisation to process data. These are explained below along with examples of when each lawful basis would be applied to the processing of your data:

If you are a student ‘for the performance of a contract (or negotiations entering into a contract)’ applies to personal data that we process for the purposes of administering and delivering your course of study and related activities or services that support delivery of your course or your studies, such as careers support, events or other opportunities. This applies for much of the data we collect when you apply for a course of study, through to your graduation. If you are a member of staff, ‘for the performance of a contract (or negotiations entering into a contract’) applies to almost all circumstances regarding the personal data you provide. (An example of an exception to this is if you consent to completing the equal opportunities form as part of the application process.)

‘For the performance of a public task in the public interest’ applies to where we use your personal data to meet our obligations or duties, or to exercise our powers, as a public authority, or to support the functions of other authorities that have a public task defined within law or statute. Examples of this would include our obligation to share data with the Higher Education Statistics Authority (HESA), Ofsted, professional bodies, auditors, assessors or other external regulators, to support safeguarding and crime prevention measures etc. Where allowable we would first anonymise the data.

‘Vital interests’ means ‘to protect life’. This applies, for example, where we share your personal information with the emergency services or security, our hall tutors, our accommodation service providers and welfare teams if there is significant and credible evidence to suggest that you, or someone else may be in danger.

‘Legal obligations’ applies to where we are ordered by a court of law to disclose information or to meet financial reporting obligations.

We apply ‘legitimate interests’ where we judge the use of the personal data to be within our legitimate interests (or the legitimate interests of another party) and where we do not deem this be a privacy intrusive or a risk to your own rights and freedoms. This is where the use of data poses no risks to individuals and is for the purposes of improving services or investigating technical issues (such as the work of IT Services).

‘Consent’ applies when you have given us your freely given, informed, specific consent. You have the right to withdraw that consent at any time. An example may be where you have given us consent to discuss your circumstances with a representative or family member or where you wish to receive some types of communications from us after you have completed your studies.

Related articles:

Bring Your Own Device (BYOD) Policy
Data Breach Reporting Procedure
Data Protection General Information
Data Protection Glossary
Data Protection Policy
Email Procedures regarding Data Protection
Encrypting and Decrypting files and folders using 7-Zip
General Conditions of Use of Computing and Network Facilities
Information Classification Table
Procedure for Responding to a Data Subject Access Request
Virus Management Policy
Wireless Networking Policy