Privacy Notices

Overview

Your privacy matters to the University of Derby. Whether you are a student, member of staff, applicant, alumni, research participant, visitor, or an organisation we work with, we are committed to handling your personal data responsibly and transparently.

Our privacy notices explain how we collect, use and protect your information across different areas of the University, and outline the rights you have over your data. You can explore the sections below for more detailed information relevant to your specific relationship with the University.

As a data controller, the University of Derby processes your personal data under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR), and the Data (Use and Access) Act 2025, which updates parts of the UK GDPR and DPA 2018.

General information can be found below. Specific detailed Privacy Notices can be found after the general section.

The University of Derby uses your personal data to provide you with University services, to deliver its responsibilities as a higher education provider, and to monitor and improve its performance. The University is registered with the Information Commissioner’s Office (ICO), registration number Z859984X.

If you have any questions about how your personal data is used, you can contact our Data Protection Officer at:

Legal, Governance & Assurance Services
University of Derby
Kedleston Road
Derby
DE22 1GB

Email: gdpr@derby.ac.uk.

This section applies to all individuals whose personal data is processed by the University.

More detailed privacy notices for specific groups (such as students, staff, applicants, alumni and research participants) are available in the sections below on this page.

1. Delivering and Supporting University Services 

This includes delivering academic, professional, administrative, commercial and support services; managing access to systems and facilities; providing wellbeing, safeguarding, and community support.

2. Managing financial operations

We process your data to administer financial transactions, including payments, funding, grants, payroll, invoices and benefits.
If you do not provide necessary financial information, we may be unable to make or receive payments.

3. Communications, engagement and consultation

Where you have provided consent, we may use your data to communicate with you about University activities, events, surveys, campaigns or service improvements. You may withdraw consent at any time.

4. Meeting statutory and regulatory obligations

We process personal data where required by law, including obligations relating to equality, diversity, safeguarding, immigration, tax, health and safety, and statutory reporting.

5. Legal duties and information sharing

We may share your data with government departments, regulatory bodies, local authorities, funding bodies, sector agencies or law enforcement where required by law or necessary for our public task functions.

6. Alumni relations, development and community engagement

We use data to administer alumni services, maintain contact with graduates, offer networking opportunities, and support fundraising and development activities.

7. Equality, diversity and inclusion monitoring

We process “protected characteristic” data to conduct equal opportunities monitoring, equality impact assessments, and to ensure compliance with equality legislation.

8. Research, analysis and improvement

We process personal data to support academic research, evaluation projects, service improvement, internal analytics and statutory reporting, applying the safeguards required by data protection law.

Please note that the detailed Privacy Notices (lower on this page) are currently being updated to reflect the Data (Use and Access) Act 2025 (DUAA). The General pages and overview have been updated. If you have any queries, please contact gdpr@derby.ac.uk

1. Our Lawful Bases for Processing Personal Data – Article 6 UK GDPR

Our legal basis for collecting and using personal information depends on the type of data involved and the context in which we collect it. The University relies on a range of lawful bases under the UK GDPR to carry out its functions.

Consent – Article 6 (1)(a)

We will process certain types of personal data only where you have given clear consent for us to do so. You may withdraw consent at any time.

Performance of a Contract – Article 6 (1)(b)

We process personal data when it is necessary to enter into, or perform, a contract with you. This may include providing services, managing employment, or administering programmes and activities you are engaged in.

Legal Obligation – Article 6 (1)(c)

We process data where required to comply with the law. This may include obligations to government departments, regulators, funding bodies or other statutory authorities.

Vital Interests – Article 6 (1)(d)

In rare and emergency situations, we may process or share data to protect the life or safety of you or another individual.

Public Task – Article 6 (1)(e)

Much of the University’s work is carried out as part of our public‑interest functions, including teaching, research, safeguarding, regulatory reporting, and wider activities that support our educational, research and community missions.

Legitimate Interests – Article 6 (1)(f)

We may process personal data where it is necessary for our legitimate interests or those of a third party, provided these interests are not overridden by your rights and freedoms. Examples include service improvement, security, and alumni engagement.

Recognised Legitimate Interests - Article 6 (11) (introduced by the Data (Use and Access) Act 2025)

Processing for specific purposes defined in legislation (such as safeguarding, preventing or investigating crime, responding to emergencies, protecting national/public security, or sharing information with public bodies carrying out official duties). Used only where necessary, proportionate, and with appropriate safeguards. (Defined in UK GDPR Annex 1, inserted by the Data (Use and Access) Act 2025.)

2. Processing Special Category Data (Article 9 UK GDPR)

We may need to process special category data. This type of data is more sensitive and includes information about:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade‑union membership
  • health
  • sex life or sexual orientation
  • genetic or biometric data (for identification)

We only process special category data where one of the Article 9 conditions applies, including:

Explicit Consent — Article 9 (2)(a)

Where you have given clear, explicit consent.

Employment, Social Protection and HR Obligations — Article 9 (2)(b)

Where necessary for employment, equality, or health and safety duties.

Vital Interests — Article 9 (2)(c)

Where necessary to protect someone’s life.

Not‑for‑Profit Bodies — Article 9 (2)(d)

Where processing is required for legitimate activities.

Data Made Public — Article 9 (2)(e)

Where you have clearly made the data public yourself.

Legal Claims — Article 9 (2)(f)

Where necessary for establishing or defending legal claims.

Substantial Public Interest — Article 9 (2)(g)

Includes safeguarding, equality duties and preventing unlawful acts (as defined in DPA 2018 Schedule 1).

Health or Social Care — Article 9 (2)(h)

Includes occupational health, wellbeing support and referrals.

Research, Archiving & Statistics — Article 9 (2)(j)

Processed under strict safeguards and ethical principles.

We process special category data only when strictly necessary and with appropriate safeguards.

3. Criminal offence data – Article 10, Data Protection Act 2018 

We may process information about criminal convictions or offences where this is necessary for specific University roles, activities or requirements (for example, safeguarding checks, fitness‑to‑practise requirements, or where an enhanced DBS check is needed).

This type of data is handled under Article 10 UK GDPR and the relevant conditions in Schedule 1 of the Data Protection Act 2018, and is always subject to strict safeguards and limited access.

Direct Collection

We collect personal data directly from you whenever you interact with the University. This may include submitting an application, enrolling as a student, starting employment, accessing our services, completing forms, using our systems, or contacting us for support. Collecting this information helps us operate effectively and provide you with the services, resources and support you need.

Indirect Collection

We also receive personal data from third parties where this is necessary for our activities. For example, if you apply through UCAS, they gather and manage your application information and then share it with the universities you have chosen.

We may also receive information from partner organisations, previous education providers, placement hosts, funding bodies, professional bodies, or organisations involved in supporting your studies, employment or engagement with the University.

Sharing Within the University

We may share information internally with relevant University departments and services where this is required for teaching, support, administration, employment or operational purposes.

Sharing With External Organisations

We may also share information with trusted external organisations, such as:

  • government departments and regulators
  • sector bodies involved in admissions, funding or accreditation
  • partner institutions, placement providers or collaborators
  • service providers who support University systems, facilities or operations
  • health, wellbeing or safeguarding partners, where required to protect individuals
  • law enforcement or other authorities, where necessary to comply with the law

Student and staff data will also be submitted to HESA (the Higher Education Statistics Agency).

Please view the HESA Student and Staff Collection Notice for further information.

How We Protect Your Data When Sharing

Where we share your information, we ensure that only what is necessary is shared, that it is shared securely, and that appropriate safeguards or agreements are in place.

We keep personal information only for as long as it is needed for the purposes for which it was collected, or as required by law, regulation or good practice.

When data is no longer needed, it is securely deleted or disposed of in line with our established procedures.

 

Data protection law gives you a number of rights over your personal information. These rights apply to everyone whose data the University processes.

Right of Access

You can ask for a copy of the personal data we hold about you. This is known as a Subject Access Request.
More information is available on the University’s Subject Access webpage.

Right to Rectification and Erasure

You can ask us to correct any personal data that is inaccurate or incomplete.
In some circumstances, you may also ask us to delete your information when it is no longer needed for the purpose it was collected.

Right to Restrict Processing

You can ask us to temporarily stop using your data if you believe it is inaccurate or if you are contesting how we are using it.

Right to Data Portability

You may request your data in a portable format so that you can reuse it or provide it to another organisation.

Right to Withdraw Consent

If we process your personal data based on your consent, you can withdraw that consent at any time. Withdrawing consent does not affect the lawfulness of any processing carried out before the withdrawal.

How to Exercise Your Rights

Please see our dedicated Individual Rights webpage for more information on how to exercise your rights.

You can also make a request or ask us questions about your rights by contacting: gdpr@derby.ac.uk

We will respond in line with our obligations under data protection law.

Where the University transfers your personal data to an organisation outside the UK (for example when using international cloud services), we ensure that appropriate safeguards are in place to protect your information. These may include approved data‑transfer mechanisms, contractual protections, or reliance on the UK’s adequacy decisions.

The Data (Use and Access) Act 2025 updates how the UK assesses whether another country provides adequate data protection. We will only transfer your data internationally where these updated requirements are met and where your information continues to be protected.

You can ask us for more information about international transfers or the safeguards we use.

In some cases, we may not be able to share full contract details if they contain confidential or commercially sensitive information, but we will provide as much information as we are able to.

 

The University may use automated tools or analytics to help support our teaching, services and systems. However, we do not make decisions about you that are based only on automated processing or that have a legal or significant impact on you.

If automated processes are used to support decision‑making, a member of staff will always be involved.

Please note that the University is currently reviewing and updating its records of automated tools or analytics to ensure they remain accurate and that we continue to meet the requirements of data protection legislation, including updates introduced by the Data (Use and Access) Act 2025.

 

 

If you are unhappy with how the University has handled your personal data, you have the right to raise a complaint with us.

Under the Data (Use and Access) Act 2025, individuals must give the organisation the opportunity to respond before escalating the matter to the Information Commissioner’s Office (ICO).

1. Step One – Contact the University

You can raise a complaint by contacting gdpr@derby.ac.uk

To help us investigate, please include:

  • what has happened
  • which data or process you are concerned about
  • any outcome you are seeking (optional)

We will acknowledge your complaint within 30 days, as required under the DUAA. 

We will investigate your complaint without undue delay, making appropriate enquiries and keeping you updated on progress throughout.

The DUAA itself does not specify a fixed deadline for a full response, but the ICO’s draft guidance recommends that organisations provide an outcome within three months, unless there are exceptional circumstances.

We will aim to resolve your complaint as quickly as possible and in line with this expectation.

2. Step Two – Internal Review (Appeal Stage)

If you are not satisfied with the outcome of your complaint, you may request an internal review, asking for the case to be looked at again. We will consider any further information you provide and confirm whether the original outcome should be upheld or revised.

We aim to complete internal reviews promptly and will keep you informed throughout the process.

3. Step Three – Escalating Your Complaint to the ICO

If, after completing both stages of the University’s process, you remain dissatisfied, you can escalate your complaint to the:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

tel: 0303 123 1113
website: www.ico.org.uk

The ICO is the UK’s independent regulator for data protection matters.

Contact us

If you have a question about how we use your personal information, please email us at gdpr@derby.ac.uk