We comply with the Data Protection Act 1998 (until 25 May 2018) and with the EU's General Data Protection Regulation (GDPR) from 25 May 2018, full details can be found in the Policies and Procedures section on our site.
The University of Winchester treats very seriously both the personal data and the sensitive personal data it processes on behalf of primarily its students and staff members, and also a wide range of other people who it works with and has contact with. These include for example potential students, visitors, members of the public, contractors and people it works with as a University.
The University has been and is continuing to work hard to comply fully with the new General Data Protection Regulation (GDPR) which is enforceable from 25 May 2018. The GDPR makes a number of key changes to data protection law in the United Kingdom and within the European Union (EU) and potentially beyond the EU. More information on these changes, which include strengthening of some individual rights and some new individual rights can be found on The Information Commissioners’ Office (ICO) website at: https://ico.org.uk/
The ICO will enforce compliance with the GDPR from 25 May 2018.
The University processes both personal data and sensitive personal data under a range of different ‘lawful bases’ depending on the nature of the respective ‘processing purposes’.
For ‘personal data’, these ‘lawful bases’ include one or more of:
- ‘Public task’ (as the University is designated as a ‘public authority’ in law).
- Legal obligation.
- Vital interests.
- Consent; and
- Legitimate interests.
In addition for sensitive personal data, the University processes under one or more of the ‘lawful bases’ conditions listed in Article 9(2) of the GDPR.
The ‘purposes of the processing’ range from for example sending prospective students information about the University, to complying with legal obligations where the University is required to provide personal data under for example a Freedom of Information Act request.
When communicating with key audiences such as prospective and current students, ‘Legitimate interests’ is the lawful basis used by the University for specific processing purposes in line with ICO guidance.
Such ‘Legitimate interests’ for the processing include under the generally accepted three-part test for this ‘lawful basis’ as follows:
Purpose test: are you pursuing a legitimate interest? - The University has a legitimate interest in processing via the respective ‘processing purposes’ here the opportunities for prospective and current students to study at The University of Winchester, which includes the gaining of educational qualifications. In a wider sense, the University also has a legitimate interest in processing via the ‘processing purposes’ to achieve social bettering and transformation through education, and enable individuals to achieve their potential; and finally to increase applications and enrolments to the University of Winchester by communicating via direct marketing (email, SMS, postal) to prospective students considering studying at the University of Winchester.
Necessity test: is the processing necessary for that purpose? – It is necessary for the University to process data for the purpose of:
(a) increasing applications and enrolments to the University of Winchester by communicating via direct marketing (email, SMS, postal) to prospective (and current) students considering studying at the University of Winchester, and there is no other realistic alternative which is as effective; and
(b) communicating with individuals, including alumni and ex staff. We believe that there is no other realistic alternative which is as effective for interests including fundraising and general updates on developments with the University, which either as alumni (former students) and/or as ex staff members they were previously associated with.
Balancing test: do the individual’s interests override the legitimate interest? - The University believes that prospective (and current) students would reasonably expect the University to use their personal data in these ways, as summarised in the respective processing purposes. In addition, we do not believe that it would cause them (prospective and current students) unwarranted harm for the University to use their personal data in these ways, as summarised in the processing purposes. The personal data is provided by the prospective students themselves after they have completed a data capture form, for example, by ordering a copy of the prospectus or by booking onto an Open Day. The personal data collected includes first name, last name, email address, phone number and address information.
Linked to its above mentioned ‘processing purposes’, the University processes a specific amount of personal data, which includes for example the names and contact details of both staff and students. Such processing enables students to undertake their courses and for staff to be paid for their work.
In certain specific circumstances and linked also to its above mentioned ‘processing purposes’ and where there is also an additional ‘lawful basis’ for this further processing, the University may process a specific amount of sensitive personal data. This is done in line with ICO guidance, and may include information about an individuals’ health for example.
Sometimes the University has a requirement to share this information with groups of recipients. They include sharing details within the University for when students enrol and for example may need housing.
For students interested in studying abroad, there will be the need to share their data with the relevant organisation(s).
Personal data and sensitive personal data will be kept for no longer than necessary.
There are a number of individual rights available, and more information on these can be found at https://ico.org.uk/
If consent has been used as the lawful basis for a particular ‘processing purpose’, there is a right to withdraw consent (if applicable).
There is a right to lodge a complaint with a supervisory authority. This is the ICO, who can be contacted in various ways as listed at:
The majority of the personal data held by the University is obtained from the individual it relates to. However, in certain circumstances data may be provided by partner organisations for example UCAS.
In some cases, individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to).
We review and update (where necessary) this policy statement in line with current guidance and developments.
The data protection officer for the University is:
David Farley, Data Protection Officer,
The University of Winchester, Sparkford Road
Tel: +44 (0) 1962 841515, Ext. 7306.
The name and contact details of our organisation are:
The University of Winchester,
Fax: +44 (0) 1962 842280
What are cookies?
A cookie is a small text file that a website saves on your computer or mobile device when you visit the site. It enables the website to remember your actions and preferences (such as login, language, font size and other display preferences) over a period of time, so you don’t have to keep re-entering them whenever you come back to the site or browse from one page to another.
The university webservers collect anonymous information, like the IP address of your computer, the browser software used, the operating system, access times and pages visited. This information is used to monitor usage and to assess the effectiveness of the university website.
In some sections of the university website anonymous data such as browser type or IP address may be used to customise web page content. This information is used in an anonymous form to ensure appropriate and effective delivery of content.
Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. You should be aware that this may prevent you from taking full advantage of our website. If you are unsure how to do this, use your favourite search engine to look this up using the term 'declining cookies' with your browser name, or contact your local IT support for advice.
Google Analytics use traffic log cookies to gain information about the use that is made of pages on our website. We use the information from cookies to generate reports on the usage of our website which are used for evaluation and analysis. The purpose is to improve our website by tailoring it to the needs of users. In all cases, no data specific to any identifiable user is retained.
As a user you can opt out of this process of collecting traffic log data. To do so please visit Opt out of Google Analytics Information.
What are your choices regarding cookies?
Please note, however, that if you delete cookies or refuse to accept them, you might not be able to use all of the features we offer, you may not be able to store your preferences, and some of our pages might not display properly.
We endeavour to keep the information we hold as up-to-date and as accurate as possible. If you wish to see the data the University holds about you please contact the Data Protection Officer.
In line with the new General Data Protection Regulation (GDPR) from 25 May 2018, the University will not charge a fee to deal with a request in most circumstances.
However, the University reserves the right to charge a fee in cases in line with ICO guidance.
Our Data Protection Officer is David Farley, he can be contacted via email David.Farley@winchester.ac.uk