Privacy Notice for Students

Your personal data is obtained from you: 

• when you attend open days
• through the application process online or paper forms, email or telephone
• during registration or when you update your details
• throughout the period you are studying with us
• when you interact with specific student or other services or attend events
• when you make a hardship funding application
• when you bring an academic appeal or extenuating circumstances request
• after you leave (as ‘alumni’), for example when you attend an event, donate, join a society or update your details
• when you complete surveys or provide us with feedback.

It is also obtained from other sources:

• via your University Common Application Scheme (UCAS) application or LawCAB (Central Applications Board Limited) when you name the University of Kent as one of your choices
• for students applying for the International Foundation Pathways Programme, from  third parties such as Oxford International Education and Travel Limited and its subsidiaries and agencies based worldwide to facilitate your verification and application process and assess your credentials
• former schools and higher education institutions
• referees
• your student record (attainment, awards and certificates) or our student record system (Kent Vision) or other University case management or record systems
• your Kent ONE card when you use it to enter and exit any building across campus
• from university staff, students or members of the public
• our recruitment representatives or agents and partners (particularly if you are an international student on the Pathways Programme)
• the Kent Student’s Union or your union representative (if applicable)
• our partners (universities, charities or other organisations we work with)
• government departments (including the Home Office’s UK Visas and Immigration (UKVI); Foreign, Commonwealth and Development Office (FCDO) in relation to ATAS clearance; DVLA (to retrieve registered keeper contact details if your car is parked on campus in contravention of our car parking terms & conditions) or online checking tools (such as the Office for Financial Sanctions (OFSI) lists).
• from organisations who provide students and graduates with work and volunteer placements or who provide mentoring
• from funding bodies (such as your Disabled Students’ Allowances (DSA) award letter or sponsor (if applicable)
• from your doctor, assessor or Solicitor (if you have requested they provide information to us)
• law enforcement or other agencies (the Police, Courts, social workers or counsellors) (if applicable)
• your parents, caregivers, friends or next of kin if they report concerns about you. 

We also collect and generate additional information about you, such as: 

• during lectures, tutorials and in connection with your attendance
• about your accommodation
• when we create records such as meeting notes when you access support services
• your participation in University services and activities.

The University collects information about you in the course of providing services as a higher education institution (HEI) to you as a current or former student.  This includes the details you provide us with when you apply to study with us, when you enrol and as you progress through your course.  

We collect and process your personal information for a number of reasons on the following grounds, referred to in law as our ‘lawful bases’ under UK GDPR:

• where necessary for the performance of a task carried out in the public interest or in the exercise of official authority -Article 6(1)(e): This relates to personal data processed for purposes connected with teaching, support, research, administration, and with the operation of the university as a higher education institution.
• our contract with you – Article 6(1)(b): This relates to processing of your personal data for purposes connected to any contract we have with you. For example your student or accommodation contract.
• a legal obligation – Article 6(1)(c): We are required to process your personal data in order to comply with our legal obligations. For example when we have to comply with health and safety obligations.
• to protect your vital interests or those of another person – Article 6 (1)(d):  We will process your data in an emergency where it is necessary to do so to protect a life.
• the purpose of our legitimate interests or those of a third party Article 6(1)(f) (unless those interests are overridden by your interests, rights or freedoms and only where this is not processing within our core public teaching and research tasks): For example, our fundraising activities, where the processing relates to the safety and security of our IT systems, staff and students and buildings; or where it is in the interests of insurers or the Police in carrying out investigations following an incident on campus.  Our legitimate interests are provided in more detail below and we will rely on this basis where you would reasonably expect the particular use of your personal data (including where we are following a published policy or process)
• where you have given your consent for one or more specific purposes- Article 6(1)(a): Where no other lawful bases apply and for limited processing purposes (such as where you have signed up or agreed that a particular service may send you emails about promotional events and where you can easily withdraw your consent, for example by unsubscribing).

Our public task basis is underpinned by our statutory obligations for example, under the Higher Education Act 2004 (which establishes the legal framework for reviewing student complaints); the Equality Act 2010 (which requires us to make reasonable adjustments and carry out equalities monitoring); and the Higher Education and Research Act 2017 (in particular the requirement to comply with the regulatory framework in section 75 and the conditions imposed by the Office for Students). 

In many cases we have a statutory or contractual basis to process your personal data  and if we do not receive this personal data, we may not be able to process your request, enquiry, or application; facilitate your event booking; or provide you relevant educational or ancillary services. 

As we also use your special category data, we must identify a further basis for processing that data. This will be because the processing is necessary:

• for reasons of substantial public interest (as defined within the Data Protection Act 2018)– Article 9(2)(g). 

Our substantial public interest reason(s) are:

◦ our statutory purposes

◦ equality of opportunity or treatment (statistical monitoring to comply with the law)

◦ prevention or detection of an unlawful act (without your consent so as not to prejudice those purposes)

◦ safeguarding of children or of individuals at risk

◦ fraud prevention

or

• it is for archiving in the public interest, for scientific or historical research purposes or for statistical purposes with a basis in law – Article 9(2)(j) where we do so we will ensure we comply with Article 89(1) UK GDPR and section 19 DPA 18.
• to protect your vital interests or those of another where you are physically or legally incapable of giving consent – Article 9(2)(c)
• where you have manifestly made the data public – Article 9(2)(e)
• it is necessary for us to establish, exercise or defend legal claims (or where courts are acting in their judicial capacity) – Article 9(2)(f)
• where none of the lawful bases above apply and it relates to very specific processing 
  or is related to a singular or ‘one-off’ processing activity for which you have given your explicit consent -Article 9(2)(a)

Less commonly, special category data will be processed where necessary for:

• employment, social security and social protection purposes – Article 9(2)(b)
• reasons of preventative or occupational health medicine, the provision of health or social care or treatment or systems management (by someone with professional secrecy obligations) – Article 9(2)(h)

As we also use your criminal offence data, we additionally rely on the corresponding conditions in 
Schedule 1  of the Data Protection Act 2018.

We have a Special Category and Criminal Offence Data ‘Appropriate Policy Document’ in place throughout the time that we use your data and for 6 months after we cease to use it. 

Occasionally the University will, if appropriate, legitimate and necessary, rely on relevant exemptions to UK GDPR provisions as are allowed under the Data Protection Act 2018 (in relation to crime and taxation, management forecasts, negotiations, confidential references, exam scripts and exam marks and the special purposes (academic publication)).

We will use your data to carry out our functions and activities as a University and Higher Education institution and Public body and to provide services to you as an applicant, and as a current or former student.   Our objective is to ensure an excellent educational experience both curricular and extra curricular whilst protecting your privacy by abiding by data protection legislation. 

We will use your personal data to fulfil our contracted commitments with you and as stated in our Student Charter and Regulations and would be unable to facilitate your studies and experience at Kent without it.

We perform tasks in the public interest as part of our role of being a teaching and research institution. We will use your information in a safe and protected manner to monitor, enable and evaluate the management of the University and the services it provides. This includes monitoring and reporting on student attendance and engagement in line with our Student Attendance and Engagement Policy.

The University Charter sets out that ‘the objects of the University are to advance education and disseminate knowledge by teaching, scholarship and research for the public benefit’ (paragraph 3). This underpins the University’s use of student personal data for research and evaluation in the public interest under the UK GDPR lawful basis ‘task in the public interest.’ Academic researchers follow research ethics policies and procedures designed to ensure compliance with regulations and legislation that govern the conduct of research, including data protection law.

We also process your personal data for the administration and delivery of your student contract during your time with us, including accommodation, sports, library and IT services.  Further details are set out below, together with the lawful basis for the processing of each..

Purposes and lawful basis

Internal teams (on a need-to-know basis)

Where necessary we will share your personal data internally to other departments within the University as is relevant, proportionate and necessary for the purpose (for example on application your information is shared with relevant staff involved in admissions and student recruitment across the University; finance; our insurance office; and (if applicable) the immigration compliance team; campus security; we may also share information with the medical centre  or student support services (for the purpose of protecting your safety and/or the safety of others); or where necessary for statutory purposes. Your ILP (where applicable) is limited to relevant staff involved in teaching you/arranging your support (only relevant sections for the purpose of delivering appropriate support with even fewer staff in your department having full access).

Service Providers (third party data processors)

We use third party organisations (known as data processors) who carry out services on the University’s behalf under contract. We will ensure that only the minimum amount of relevant personal data necessary for the purpose is transferred. We will ensure that contractual terms are included to ensure compliance with data protection laws and that the data is used solely under our instruction. In these circumstances personal data will be deleted or returned to us after the contract has terminated.  Where you complain about a third party provider who is providing services on behalf of the University your complaint will be shared with them (although we will obtain your permission before sharing confidential health information) and where appropriate may be shared with a third party to resolve.  Our main Enterprise-wide service providers are listed below:

Partners (third party ‘data controllers’) who use your data for their own purposes

We share your personal data with third party data controller(s) where we are required by law to do so or where those third party organisations have a legitimate reason to use your data for their own purposes.  Our data protection policy requires that we ensure a Data Sharing Agreement is put in place to protect the use of your personal data.   We will ensure that only the minimum information necessary to fulfil the purpose is shared.  Where data is shared for the purposes of research and evaluation appropriate safeguards will be put in place (such as pseudonymisation or anonymisation of the data). 

We are a signatory to the Kent and Medway Information Sharing Agreement and where possible we will use that data sharing agreement for sharing with other signatories.  For more information please see the Kent and Medway Information Partnership.

The organisations and categories of organisations or circumstances where we share your personal data are listed below.

Occasionally the University may, if appropriate, legitimate and necessary, rely on relevant exemptions to UK GDPR provisions as are allowed under the Data Protection Act 2018 (in relation to crime and taxation, management forecasts, negotiations, confidential references, exam scripts and exam marks and the special (academic) purposes).  

When it is necessary for us to transfer your personal information across national boundaries to a third party data processor, such as one of our service providers, in connection with the purposes identified above, we will ensure this safeguards your personal data and complies with data protection laws 

The transfer will be authorised by:

• adequacy regulations made by the Secretary of State (which indicate the recipient country has equivalent personal data protection) found here: What countries or territories are covered by adequacy regulations? (ICO website); Department for Science, Innovation and Technology UK adequacy
• safeguards prescribed by the UK GDPR or EU GDPR (if applicable) such as EU Standard Contractual Clauses and the ICO Addendum or the ICO’s International Data Transfer Agreement (IDTA). Further information here: Is the restricted transfer covered by appropriate safeguards? (ICO website)

We will only retain your information for as long as necessary to fulfil the purpose(s) we collected it for, including to satisfy any auditory, legal, regulatory or reporting purposes. 

If your make an enquiry, request a prospectus or book to attend an Open Day; if your application is unsuccessful, you withdraw or decline any offer made, your record or application and associated documents will be retained for a maximum period of six years from the expected date of entry.

Where a Confirmation of Acceptance for Studies (CAS) has been issued to support a student visa application, your data and documentation will be kept in accordance with our UKVI data retention policy.  If you are a sponsored student holding a visa, please refer to our Record keeping duties policy.

Please refer to the University’s Documentation and Retention and Archiving Policy in relation to Quality and Standards, Collaborative Partnerships, Student Records, Student Assessment and Supervisors/Examiners.  We keep a core student record permanently.

If you are an employed student, please refer to HR’s retention schedules as appended to the HR privacy notice.

For alumni and other supporters, please refer to our Alumni privacy notice.

Please refer to the University’s Records Management Policy and Retention Schedule.  As a general rule many teams (student services, data protection, complaints, appeals) keep records for 6 years from the last action on the file.  Please refer to individual privacy notices or the University retention schedule.  When determining retention periods, the University will use the JISC records retention management schedules for the sector as a guide:  Records retention management - Jisc

We will aim to reduce your directly identifiable personal data wherever possible (through pseudonymisation or data minimisation).  In some circumstances we will anonymise your personal data so we can no longer directly or indirectly identify you, in which case we may use such information without further reference to you.

We will ensure that security measures are in place to prevent the accidental loss, unauthorised use or access to your data. Access is given to staff on a ‘need to know’ basis. Our staff are required to keep your data safe and complete data protection training.

We have procedures in place to deal with any data security incidents and will notify you and the ICO in the event of a data breach where we are required to do so.

The University and its payment processing providers adhere to the Payment Card Industry Data Security Standard.

Please be aware of the following rights which can be accessed free of charge by contacting dataprotection@kent.ac.uk: 

• to know how we are using your personal information and why (right to information)
• to access the personal data held by us (often called a subject access request)
• to ask for correction of any mistakes or completion of your data (rectification)
• to object to direct marketing
• to complain to the ICO

In some circumstances you also have the right to:

• object to how we are using your information
• ask us to delete information about you (the right to be forgotten)
• have your information transferred electronically
• object to automated decisions which significantly affect you
• restrict us from using your information.

For further guidance regarding your rights please see the ICO website: https://ico.org.uk

You will not have to pay a fee to exercise your rights.  However if your request is unfounded or excessive, we may charge a reasonable fee in line with our Schedule of charges for information requests as detailed on our freedom of information requests page, or alternatively, refuse to comply with the request.

Please consult our data protection rights page of our website for further information and contact us if you would like to make any of these requests.

You have the right to be informed about the existence of any automated decision-making (which would include the use of Artificial Intelligence (AI) and include any profiling of you) in cases where the decision significantly affects you or produces legal effects concerning you. We will provide you with meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.  Unless the decision making is necessary for a contract with you, based on your explicit consent or required by law you have the right not to be subject to a decision based solely on automated processing. Where a decision is based on a contract with you or your consent we will implement measures to safeguard your rights and at least the right to obtain human review of the decision. We currently use automated processing and AI for network and device security monitoring purposes. Any activity which results in restriction of a device will involve human intervention to review the security alert automatically generated. 

We currently have the use of Microsoft’s Copilot Chat available within our Microsoft 365 tenancy for education and accessed using a Kent IT account.  This enables staff and students to get answers to questions via prompts using a chat based interface. Although staff are instructed not to put personal or sensitive data into Copilot Chat we recognise AI may process personal data in the course of generating responses. We therefore rely on legitimate interests as our lawful basis for recommending this tool should we process any personal data, either directly or incidentally through our use of Copilot chat.  Any retained outputs generated by Copilot Chat (or any other permitted generative AI tool) will be reviewed and verified for accuracy. Students should be aware that outputs of AI systems are statistically informed guesses rather than facts. 

Microsoft’s privacy and security information for Copilot Chat can be viewed here:

https://learn.microsoft.com/en-us/copilot/microsoft-365/microsoft-365-copilot-transparency-note?view=o365-worldwide 

Microsoft’s privacy notice (relevant to Bing enabled searching) is here: https://www.microsoft.com/en-gb/privacy/privacystatement

We will review our generative AI practices to ensure these and any emerging risks are monitored.  Limited authorised staff may check audit logs for security monitoring purposes or generate reports which indicate active users (name and email address or IP address and device location).  In the event an information request or complaint is received audit, or prompt and response data may be reviewed. Prompts and responses can be deleted directly by users: https://support.microsoft.com/en-gb/office/delete-your-microsoft-365-copilot-activity-history-76de8afa-5eaf-43b0-bda8-0076d6e0390f

For more detailed information regarding the use of Generative Artificial Information at the University of Kent, please click here.

You can withdraw your consent at any time where we process your personal data on the basis of your consent or explicit consent for special category data for a specific purpose.

You can do this by contacting us at: dataprotection@kent.ac.uk or, if your consent relates to receiving email updates from us, by clicking on the ‘unsubscribe’ link within the email sent to you. This does not affect the lawfulness of the processing based on consent before its withdrawal.

  The University tries to ensure that the information it holds is accurate and up to date. It must, however, rely on students to inform the appropriate office of any change in their personal data. Any change of home or term-time address should be notified to the Central Student Administration or online via the Student Portal. As a user you are required to comply with the University's IT regulations for the use of computing facilities. It is also your responsibility, should you hold personal data on others, to ensure that you abide by the terms of Data Protection law.  

This privacy notice will be reviewed biennially.