Somerville College (referred to as ‘we’ or ‘us’) is a registered charity with registration number 1139440. We are one of the constituent colleges of the University of Oxford. We were founded in 1879 and named in honour of the Scottish mathematician and scientist Mary Somerville. Ever since, great scientists, novelists and politicians alike have studied at Somerville: Vera Brittain, Dorothy L. Sayers, Dorothy Hodgkin, Indira Gandhi and Margaret Thatcher. In 1994, the college admitted men for the first time.

Today Somerville retains its founding commitment to including the excluded and the college continues to produce pioneers across all fields. You can find out more about us here. The full text of our Nursery Users’ Privacy Notice is accessible via the following links.

Privacy commitment

We, at Somerville, are committed to protecting and respecting your privacy and the purpose of this notice is to provide you with information on who we are, how and why we collect and process your personal data.

It is important that you read this privacy notice carefully together with any other privacy notice we may provide to you on specific occasions when we are collecting or processing personal data about you, to ensure you are fully aware of how and why we are using your data. This privacy notice supplements other notices and privacy policies and is not intended to override them.

What is Personal Data?

What we mean by personal data is any information about an individual from which that person can be identified (either by itself or when combined with other information).

Special category data is sensitive personal information. This type of data is particular to you as it reveals your racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership as well as genetic data, biometric data used to identify an individual, data concerning health or data concerning an individual’s sex life or sexual orientation.

This type of data requires higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information.

Further information regarding the reasons why we might process such data can found below.

How to contact us

You can write to us at Somerville College, Woodstock Road, Oxford OX2 6HD, U.K. dpo@some.ox.ac.uk or by contacting our Data Protection Office (DPO) by using the details below.

We have appointed GRCI Law as our DPO and if you have any questions about this privacy notice, data processing practices, data protection matters generally, or you wish to exercise your legal rights you can contact them using the details set out below.

Data Protection Officer 

Email: dpoaas@grcilaw.com

Tel: 0333 800 7000

Post: GRCI Law
Unit 3 Clive Court
Bartholomew’s Walk
Cambridgeshire Business Park
Ely, CB7 4EA

Data we collect about you

We may collect, use, store and/or transfer different kinds of personal data about you which will differ depending on your interaction with us.

We will limit the collection and processing of personal data to what is necessary to achieve one or more purpose(s) as identified in this notice.

As a minimum we will collect basic information about you which will include:

  • Basic personal data to identify you such as your first name, maiden name, last name, username or similar identifier, title, occupation, job title, date of birth;
  • Your contact information including your email address, address, geographical region and telephone numbers.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

Please click the link below to find out more about the different types of personal data we will process depending on your interaction with us.

Table of Data Collected

What are the consequences of not providing data?

In most cases the data you provide is required in order to register your child at the nursery, avail yourself of the nursery’s service and comply with the laws which apply in the provision of the nursery’s services.

Failure to provide financial information will mean we are unable to process any payment from you and may not be able to enter into the relevant contract with you.

Our Record of Processing Activities provides further detail regarding the sources of each category of personal data we collect and process.

View details of data sources

Why we use your personal data

We will collect and process personal information about you to enter into a contract with you, to provide a record of your child’s learning journey, to manage the nursery services, to facilitate financial transactions, to provide support and assistance if required and, where appropriate, to provide you with information about the college and college activities.

Under data protection law, we can only use your personal information if we have a proper reason or legal basis for doing so. We have provided further information regarding our reasons for processing your data below.

Our reasons for processing personal data

Our legitimate interests

We process your personal data for our legitimate business purposes, which include but are not limited to the following:

  • Communicating with you about the college and/or college activities
  • Alumni relations and Development activities including fundraising
  • Monitoring IT and telecommunications systems to maintain the integrity of the systems and prevent misuse
  • Providing technical support
  • Notifying you about updates to our processes and services
  • Using CCTV monitoring at the college to help provide safety and security and to assist in the prevention of unlawful activity

Wherever we process your personal data for these purposes, we ensure that your interests, rights and freedoms are carefully considered.

Contractual necessity

We use your personal data for the following purposes on the basis that it is necessary for us to provide our services to you:

  • to identify you
  • to respond to your enquiry if you contact us
  • to provide pre-contractual information about the nursery
  • to register your child with the nursery

Compliance with a legal obligation

We may use your personal data in order to comply with certain laws and legal obligations. For instance: Childcare Grant funding application  

Consent

Sometimes we may have to get your consent to use your personal data, such as to share your email address with the college for communications. Where we process your personal data on this basis, you have the right to withdraw consent at any time.

Vital interests

We may also use your personal information, typically in an emergency situation such as a medical emergency, where this is necessary to protect your or your child’s vital interests.

Why we use special category data

We may process special categories of personal information in the following circumstances:

  • Where we have your explicit written consent do so;
  • Where it is necessary for reasons of employment, social security and or social protection law;
  • where it is necessary for your protection or that of another individual for example in an emergency situation;
  • where it is necessary in the substantial public interest, for example for the purposes of promoting and maintaining equal opportunity or treatment;
  • where processing is necessary for archiving purposes in the public interest, or for scientific or historical research purposes, or statistical purposes, subject to further safeguards for your fundamental rights and interests specified in law;
  • where it is necessary for the establishment, exercise or defence of a legal claim.

We have in place appropriate policy documents and/or other safeguards which we are required by law to maintain when processing such data.

Criminal convictions and allegations of criminal activity

Further legal controls apply to data relating to criminal convictions and allegations of criminal activity. We may process such data on the same grounds as those identified for “special categories” referred to above.

Details of the lawful bases we rely on for the processing of the categories of data are in our Record of Processing Activity. 

Data security

We have put in place appropriate security measures including layered security software to prevent your personal data from being accidentally lost, used, accessed in an unauthorised way, altered or disclosed. Our security system is subject to regular audit and proactive monitoring.

We have put in place procedures to deal with any suspected personal data breach; we will notify you, and any applicable regulator of a breach, where we are legally required to do so.

Your rights

You have several rights under data protection laws which are set out below. You can access any of these rights at any time and if you wish to do so or require further information about your rights please contact us using the details above.

  1. Access – the right to request a copy of the personal data we hold on you. When you request this data, this is known as making a Subject Access Request (SAR). In most cases, this will be free of charge, however in some limited circumstances, for example, repeated requests for further copies, we may apply an administration fee.
  2. Rectification of personal data – is the right to have any inaccuracies corrected.
  3. Erasure of personal data – the right to have any data erased in certain circumstances.
  4. Restriction of processing personal data – the right to restrict processing, in limited circumstances, where we don’t have legitimate grounds for processing your personal data.
  5. Objection to processing of personal data – the right to object to processing of personal data in certain circumstances. For example, you can object to your personal data being used, for example to send you marketing material.
  6. Automated decision making – the right to ask for a decision to be made manually, where a decision is made using automated means and this adversely impacts you. Please note that we do not envisage that any decisions will be taken about you based solely on automated means, however we will notify you in writing if this position changes.
  7. Portability – the right to have a copy of the personal data we hold about you transferred to another data controller in electronic form (for example another university or college).
  8. Withdraw consent – where we rely on consent as a legal basis for processing personal data you may withdraw consent at any time. This will not affect the validity of any lawful processing of your data up until the time when you withdrew your consent. You may withdraw your consent by contacting the college Data Protection Officer at dpo@some.ox.ac.uk

If you wish to exercise any of your rights in relation to your data as processed by Somerville College, please contact our Data Protection Officer at dpo@some.ox.ac.uk. Some of your rights are not automatic, and we reserve the right to discuss with you why we might not comply with a request from you to exercise them.

Further guidance on your rights is available from the Information Commissioner’s Office (https://ico.org.uk/). 

How to complain

If you are unhappy with the way we have handled your personal data and want to complain about how your personal data is being processed, you can do so at any point in time. Please contact our Data Protection Officer dpo@some.ox.ac.uk.

The Information Commissioners Office (ICO) is the UK’s supervisory authority whose role is to enforce data protection laws.  You have the right to complain to ICO https://ico.org.uk/concerns/ if you believe that your data has been processed unlawfully.

We would appreciate the chance to address any concerns you may have before you approach the ICO and ask that you contact us first.

How and why we share your personal data

We do not sell your personal data. However, we may share your personal data with certain third parties if we are allowed to do or are required to do so by law.

In circumstances where your personal data is shared with third parties, we will seek to share the minimum amount of information necessary to fulfil the purpose. 

All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies and are only permitted to process your personal data for specific purposes in accordance with our instructions.  We do not allow our third-party providers to use your personal data for their own purposes.

Please click the link below for examples of the types of third parties with whom we may share your personal data, which include but are not limited to the following categories.

Types of Third Party with whom we may share your data

Transferring personal data outside the UK and European Economic Area (EEA)

It may be necessary for your information to be transferred to and stored in locations outside the European Economic Area (EEA), including countries that may not have the same level of protection for personal information.

We may need to transfer your information in this way to carry out our contract with you, to fulfil a legal obligation, to protect the public interest and/or for our legitimate interests. You can obtain more details of the protection given to your information when it’s transferred outside the EEA by contacting us.

When we do this, we’ll ensure it has an appropriate level of protection and that the transfer is in accordance with data protection laws.

When you are resident outside the EU in a country where there is no “adequacy decision” by the European Commission, and an alternative safeguard is not available, we may still transfer data to you which is necessary for performance of your contract with us.

How long do we hold personal data?

We keep your personal data for no longer than is necessary to fulfil the purpose for which it was collected. Details of expected retention periods for different categories of personal data held by us are set out in our Record of Processing Activities (to access, please contact dpo@some.ox.ac.uk)

How long we keep your personal data depends on several factors including but not limited to the nature and type of record, the nature of the activity, the product or service and any applicable legal or regulatory requirements and changes thereof. Any such changes will be reflected in our Record of Processing Activities.

Where legal proceedings, regulatory, disciplinary or criminal investigations are in progress or relevant requests are made under data protection laws or freedom of information legislation it may be necessary to suspend deletion of data until such proceedings, investigations or request have been fully concluded.

Please note that we may keep anonymised statistical data indefinitely however you cannot be identified from such data.

If you wish to discuss our Record of Processing Activities, our retention periods or believe processing may cause substantial distress, please do contact us that we may consider whether it is appropriate or us to continue to process and/or whether further safeguards might be applied to our processing activities.

Links to other websites

Within our website we may have links to third party websites, plug-ins and applications. Clicking those links may enable third parties to share or collect your personal data.

Please be aware that we do not control such third-party websites and are not responsible for their privacy statements or the contents of those websites. We would encourage you to read the privacy notice of every website you visit.

Changes to the privacy notice

We encourage you to review this page regularly to identify any updates or changes to our privacy notice.

Please contact us if you wish to receive past versions of any of our privacy notices.