Privacy Notice for Students

How we use your information - Student Privacy Notice

This Privacy Notice outlines how the University of Kent collects, uses, and manages your personal data in a concise manner in accordance with EU GDPR (if applicable) or the UK GDPR Article 12, whilst meeting our statutory notice obligations under data protection law (Articles 13 and 14). If you would like to know more, please contact our Data Protection Officer via the Data Protection web form.

Data Protection Register

We maintain an up to date entry as a ‘Data Controller’ in the Information Commissioner’s Office (ICO) Data Protection Register (Number Z6847902).

How we collect your personal information

We primarily collect your enrolment information directly from yourself, via your UCAS application, or for students applying for the International Foundation Pathways Programme, from a third party. For more information about the categories of information we collect on admission, please see our Student Recruitment and Admissions Privacy Notice.  This information forms your student record together with ongoing information collected from academics and other professional services teams you interact with throughout the course of your studies. 

Categories of information we collect

Personal data we collect about you is to comply with the University’s legal obligations and public tasks:

  • your full name
  • your full address and postcode
  • telephone number
  • email address
  • date of birth
  • gender
  • national insurance number
  • student ID number

Student academic records (including references, examination certificates, and attendance)

  • financial information
  • employment or other references
  • location data (IP address)
  • online identifiers
  • pseudonymous data such as unique identifying codes
  • your opinions when you answer student surveys, we send you
  • your image for identification and verification purposes

For students applying for the International Foundation Pathways Programme, additional information will be processed as follows:

  • An ID number (on assigning the Confirmation of Acceptance of Studies or “CAS” letter)
  • outcomes of Secure English Language Tests (SETS)/unique ID or other assessment outcome)
  • Passport information (all pages showing personal identity -sponsorship requirement)
  • Proof of immigration status (obtained via an e-Visa)
  • Copy of e-Visa (obtained using view and prove service) (where applicable)
  • ATAS (Academic Technology Approval Scheme) evidencing clearance to study from the Foreign Commonwealth and Development Office certificate (where required)
  • Certificates of application (to the EU Settlement scheme) (where applicable)
  • Images (captured in video conferencing software- e.g., via Skype)

Special category data we will collect about you in connection with [delete as appropriate/insert purpose for using this type of data]:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • biometric data for uniquely identifying you and for those on the International Foundation Programme, a Biometric Resident permit if applicable
  • physical or mental health data (for example as part of your Individual Learning Plan, or ‘ILP’)

Criminal offence data: Only where relevant and where the university has a legal basis to do so Criminal offence data may include allegations as well as conviction data. As we also use your criminal offence data, we additionally rely on conditions in Schedule 1 of the Data Protection Act 2018

Note: Students arriving on campus will be encouraged to provide third party details of those individuals who can be contacted in the case of an emergency.

How we use your personal information

Our objective is to ensure an excellent educational experience both curricular and extra-curricular whilst protecting your privacy by complying with Data Protection legislation. We will use your personal data to fulfil our contracted commitments with you and as stated in our Student Charter and Regulations and would be unable to facilitate your studies and experience at Kent without it.

We perform tasks in the public interest as part of our role of being a teaching and research institution. We will use your information in a safe and protected manner to monitor, enable and evaluate the management of the University and the services it provides. This includes monitoring and reporting on student attendance and engagement in line with our attendance monitoring policy.

The University Charter sets out that ‘the objects of the University are to advance education and disseminate knowledge by teaching, scholarship and research for the public benefit’ (paragraph 3). This underpins the University’s use of student personal data for research and evaluation in the public interest under the GDPR lawful basis ‘task in the public interest.’ Academic researchers follow research ethics policies and procedures designed to ensure compliance with regulations and legislation that govern the conduct of research, including data protection law.

Our Student Immigration Compliance Team has a responsibility to process your data where required to ensure we comply with immigration law. For more information, please see our Student Immigration and Compliance Privacy Notice.

You may also require assistance and guidance from our Student Support and Wellbeing service. For more information about how your personal data will be processed by this service, please see our Student Support and Wellbeing Privacy Notice.

As we have statutory and contractual reasons for processing your personal data if we do not receive this personal data, we may not be able to provide you with relevant educational services.

Our lawful basis for processing your data

We rely on the following lawful basis as allowed by the UK GDPR for processing your personal data as this is necessary for:

  • the performance of a task carried out in the public interest or in the exercise of official authority -Article 6(1)(e)
  • our contract with you – Article 6(1)(b)
  • a legal obligation – Article 6(1)(c)
  • to protect your vital interests or those of another person – Article 6 (1)(d)
  • the purpose of our legitimate interests or those of a third party Article 6(1)(f) (unless those interests are overridden by your interests, rights or freedoms)

Our legitimate interests are ensuring the security of our IT systems and infrastructure, ensuring the security of our buildings and the protection of staff, students and visitors as set out in our CCTV Policy.

  • you have given your consent for one or more specific purposes- Article 6(1)(a)

The legal basis underpinning our use of personal data

As we also use your special category data, we must identify a further basis for processing that data. The processing is necessary for:

  • to protect your vital interests or those of another where you are physically or legally incapable of giving consent – Article 9(2)(c)
  • you have manifestly made the data public – Article 9(2)(e)
  • the university  to establish, exercise or defend legal claims (or where courts are acting in their judicial capacity) – Article 9(2)(f)
  • reasons of substantial public interest (as defined within the Data Protection Act 2018)– Article 9(2)(g).

Our substantial public interest reason(s) are:

    • statutory purposes
    • equality of opportunity or treatment monitoring
    • prevention or detection of crime
    • safeguarding
    • fraud purposes.
  • archiving in the public interest, scientific or historical research purposes or statistical purposes with a basis in law – Article 9(2)(j) Where we do so, we will ensure that we comply with Article 89(1) UK GDPR and section 19 DPA 18 to ensure that the data is pseudonymised (or anonymised if possible).
  • Where we need to share your sensitive data with others and none of the legal bases above apply, we will seek your consent before doing so – Article 9(2)(a).

We have a Special Category and Criminal Offence Data Appropriate Policy document in place throughout the time that we use your data and for 6 months after we cease to use it. 

Who your information is shared with

We use third party organisations (known as data processors) who conduct services on the University’s behalf under contract. We will ensure that only the minimum amount of relevant personal data necessary for the purpose is transferred. We will ensure that contractual agreements exist to ensure compliance with data protection regulations and that data is used solely under our instruction. In these circumstances personal data shall be deleted after the contract has terminated.

In addition to the processors included on the Applicant privacy notice, the University uses:

  • Central Management Information System (CIMS) the University’s timetabling system
  • Moodle, our training delivery platform and Presto Student, an attendance monitoring system provided by Simac IDS Ltd
  • Digital Certificates, our online eDocumentation system provided by Advanced Secure Technologies Ltd. 

We share your personal data with third party data controller(s) which are organisation(s) who use the data for their own legitimate purposes. They in turn will share your data with the university.

Where students are applying through the International Foundation Pathways Programme, the university will receive information from Oxford International Education and Travel Limited and its subsidiaries including agencies based Worldwide, to facilitate your verification and application process and assess your credentials

The University has statutory requirements to provide information to external bodies such as the Higher Education Statistics Agency (HESA), grant awarding bodies, Student Loans Company, the Home Office (in connection with UK Visas and Immigration Office), local authorities for Council Tax and Electoral Roll purposes, and to the Police or officers of the Courts.

Your information will be stored within the universities systems including Kent Vision.

Where academic research is a collaboration between the University and other educational or research institutions, your information may be shared for the purpose of research and evaluation in the public interest with appropriate data protection safeguards in place, such as data anonymisation or pseudonymisation and data sharing agreements or data processing contracts agreed by all parties.

This processing is performed under UK or (if applicable) member state law and to carry out tasks in the public interest. We are a signatory to the Kent and Medway Information Sharing Agreement and where possible we will use that data sharing agreement for sharing with other signatories.

For more information please see Kent and Medway Information Partnership.

Sometimes it is necessary for your personal information to be shared:

  • with competent authorities (such as the police, NCA, Home Office) or action fraud for law enforcement purposes (for on substantial public interest reasons – Article 9(2)(g) – for preventing or detecting unlawful acts, safeguarding or fraud purposes.
  • with our professional advisors where it is necessary for the establishment, exercise, or defence of legal claims – Article 9(2)(f).

Occasionally the University may, if appropriate, legitimate and necessary, rely on relevant exemptions to UK GDPR provisions as are allowed under the Data Protection Act 2018 (in relation to crime and taxation, management forecasts, negotiations, confidential references and exam scripts and exam marks).

Transfer of your information outside of the UK

When it is necessary for us to transfer your personal information across national boundaries to a third-party data processor, such as one of our service providers, we will ensure this safeguards your personal information by requiring such transfers are made in compliance with all relevant data protection laws.

Any transfer is authorised by either:

  • adequacy regulations made by the Secretary of State listed on the DCMS website, or
  • safeguards prescribed by the EU GDPR (where applicable) or UK GDPR such as an International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (EU SCCs) with added UK Addendum.
  • Where data is received from an international source, in the case of International Foundation Pathways Programme students, technical, contractual, and organisational methods have been deployed to keep your data secure.

How long your personal data will be kept

For details about the period for which your personal data will be stored, please see our Documentation and Retention Archiving Policy.


We will ensure that security measures are in place to prevent the accidental loss, unauthorised use, or access to your data. Access is given to staff on a ‘need to know’ basis. Our staff are required to keep your data safe and complete data protection training.

We have procedures in place to deal with any data security incidents and will notify you and the ICO in the event of a data breach where we are required to do so.

Your rights

Please be aware of the following rights and further information which can be accessed free of charge by contacting

  • know how we are using your personal information and why (right to information)
  • ask for a copy of the personal data held by us (subject access request)
  • ask for correction of any mistakes (rectification)
  • to object to direct marketing
  • to complain to the ICO

In some circumstances you also have the right to:

  • object to how we are using your information
  • ask us to delete information about you (the right to be forgotten)
  • have your information transferred electronically (data portability)
  • object to automated decisions which significantly affect you
  • restrict us from using your information.

For further guidance regarding your rights please see the ICO website.

Please contact us if you would like to make any of these requests.

You can withdraw your consent at any time.

You can do this by contacting us at

This does not affect the lawfulness of the processing based on consent before its withdrawal.

Your right to complain to the ICO

Complaints can be lodged with the Information Commissioner's Office.

Their helpline telephone number is: 0303 123 1113.

Your obligations

The University tries to ensure that the information it holds is accurate and up to date. It must, however, rely on students to inform the appropriate office of any change in their personal data. Any change of home or term-time address should be notified to the Central Student Administration or online via the Student Portal. As a user you are required to comply with the University's regulations for the use of computing facilities. It is also your responsibility, should you hold personal data on others, to ensure that you abide by the terms of Data Protection law.


If you have any questions or concerns about the way the University has used your data, or wish to exercise any of your rights, please consult our website.

The University’s Data Protection Officer can be contacted at:

Document review date

Version Author Description of Change Approver Date
1 Head of Data Protection First version Secretary to the Council May 2018
2 Head of Data Protection Paragraphs added: 'The University Charter' and 'Where academic research' Secretary to the Council June 2021
3 DPO     November 2022
4 Acting DPO Transferred to university template Acting DPO July 2023
5 DPO Additional information for IFP DPO September 2023
6 Acting DPO Additional information for AST Acting DPO January 2024
Last updated