Use of special category data of students privacy notice

1. About this Privacy Notice

Canterbury Christ Church University is the data controller concerning the processing activities described below.

As part of the University’s statutory and corporate functions, we process special category data and criminal offence data about applicants and students.

We do this in accordance with the requirements of Article 9 and 10 of the UK General Data Protection Regulation (‘GDPR’) and Schedule 1 of the Data Protection Act 2018 (‘DPA 2018’).

Some of the Schedule 1 conditions for processing special category and criminal offence data require us to have an Appropriate Policy Document in place.

2. What we collect and how we use it

Special Category Data

As part of your engagement with the University we may collect special category data about yourself. This may include:

Racial or ethnic origin
Political opinion
Religious or philosophical beliefs
Trade union membership
Genetic data
Biometric data for uniquely identifying a natural person
Data concerning heath
Data concerning a natural person’s sex life or sexual orientation

We process special category data about our applicants and students where there is a substantial interest, a statutory requirement or a legal obligation. Our processing relates to the data we receive or obtain to undertake the following:

Monitor Equal Opportunities
Make Statutory Returns
Assess a student’s fitness to undertake placements
Support students with a declared disability, engaging with the fit to study process or with a medical condition
Assess the right to study in the UK
Meet the requirement to have due regard to the need to prevent people from being drawn into terrorism

Criminal offence data

As part of your engagement with the University we may collect criminal offence data about yourself. This may include:

Information about spent or unspent criminal convictions and offences

We process criminal offence data about our applicants and students where there is a statutory requirement or to prevent or detect unlawful acts.

Our processing relates to the data we receive or obtain to undertake the following:

Where the person applies for study related to a regulated profession or undertakes study or volunteering requiring engagement in regulated activity
Where the person applies for residential accommodation
Where the person is subject to disciplinary action, including fitness to practise

3. The legal bases we use to process your information

Data protection law sets out reasons for collecting and processing your sensitive personal data. In this section, we outline the legal bases the University uses.

Substantial public interest
Employment, social care and social protection
Archiving for scientific or historical research and statistical purposes
Establishment, exercise or defence of legal claims
Consent
Vital interests

More information about the legal bases we use for processing your sensitive personal data is included in our full policy document.

4. What happens if you refuse to provide sensitive personal information?

If you choose not to submit any sensitive personal information when requested, we may not be able to provide you with specific services.

For example, if you are applying for a regulated course and are required to undertake a placement as part of the course, you may be required to undertake background checks. If you refuse, you will not be able to participate in the course.

5. Recipients of your personal data

For the fulfilment of the contractual relationship, CCCU may be required to transfer your data to third party organisations, including Service Providers.

These include Partners, Agents, Contractors and other third parties (‘data processors’) to fulfil the contract.

Before appointing a data processor, the University will conduct due diligence checks. The University will only appoint data processors based on a written contract requiring the processor to comply with all relevant legal requirements.

Any company appointed as a data processor/contractor must comply with the University’s Data Protection Policy under their contract with it. Any breach of the Policy will be taken seriously and could lead to us taking contract enforcement action against the company or terminating the contract.

Data processors have direct obligations under the UK GDPR, primarily to only process data on instructions from the University and to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved.

6. How does the University protect data

The University takes the security of your data seriously. The University has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties.

Where the University engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

7. Retention period

The University will retain copies of sensitive personal data for as long as required for the purpose the information was collected.

Our retention schedule, which provides specific time frames for types of information held can be accessed here.

8. Further information

This is a summary of how we process special category and criminal offence data. If you would like further information on how the University processes special category data, we have a policy that explains our processing of special category and criminal offence data in full. You can read the full policy document.

In the Policy Document we explain how and why we process special category and criminal offence data. We explain the legal bases and set out the way we comply with the data protection principles.

Please click the link below to access further information regarding:

Return to

Privacy Notices