Somerville College (referred to as ‘we’ or ‘us’) is a registered charity with registration number 1139440. We are one of the constituent colleges of the University of Oxford. We were founded in 1879 and named in honour of the Scottish mathematician and scientist Mary Somerville. Ever since, great scientists, novelists and politicians alike have studied at Somerville: Vera Brittain, Dorothy L. Sayers, Dorothy Hodgkin, Indira Gandhi and Margaret Thatcher. In 1994, the college admitted men for the first time.
Today Somerville retains its founding commitment to including the excluded and the college continues to produce pioneers across all fields. You can find out more about us here. The full text of our Privacy Notice is accessible via the following links.
We, at Somerville, are committed to protecting and respecting your privacy and the purpose of this notice is to provide you with information on who we are, how and why we collect and process your personal data.
It is important that you read this privacy notice carefully together with any other privacy notice we may provide to you on specific occasions when we are collecting or processing personal data about you, to ensure you are fully aware of how and why we are using your data. This privacy notice supplements other notices and privacy policies and is not intended to override them.
What is Personal Data?
What we mean by personal data is any information about an individual from which that person can be identified (either by itself or when combined with other information).
Special category data is sensitive personal information. This type of data is particular to you as it reveals your racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership as well as genetic data, biometric data used to identify an individual, data concerning health or data concerning an individual’s sex life or sexual orientation.
This type of data requires higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information.
Further information regarding the reasons why we might process such data can be found below.
How to contact us
You can write to us at Somerville College, Woodstock Road, Oxford OX2 6HD, U.K. firstname.lastname@example.org or by contacting our Data Protection Officer (DPO) by using the details below.
We have appointed GRCI Law as our DPO and if you have any questions about this privacy notice, data processing practices, data protection matters generally, or you wish to exercise your legal rights you can contact them using the details set out below.
Data Protection Officer
Tel: 0333 800 7000
Post: GRCI Law
Unit 3 Clive Court
Cambridgeshire Business Park
Ely, CB7 4EA
Data we collect about you
We may collect, use, store and/or transfer different kinds of personal data about you which will differ depending on your interaction with us.
We will limit the collection and processing of personal data to what is necessary to achieve one or more purpose(s) as identified in this notice.
As a minimum we will collect basic information about you which will include:
- Basic personal data to identify you such as your first name, maiden name, last name, username or similar identifier, title, occupation, job title, date of birth;
- Your contact information including your email address, address, geographical region and telephone numbers.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
Please click the link below to find out more about the different types of personal data we will process depending on your interaction with us.
What are the consequences of not providing data requested?
In the majority of circumstances, the provision of data is a contractual requirement.
If you do not provide us with information that you are contractually obliged to provide, the consequences will depend on the particular circumstances. In some cases, we may not be able to provide you with certain services; in other cases, this could result in disciplinary action or the termination of your contract.
Certain information will be required to use the relevant IT system. For example, you will require a password to access College IT systems. If you do not provide such data, you will not be able to use our system and depending on the circumstances this may become a disciplinary matter that could lead to the termination of your contract with us if you are an employee or a student.
If you are a prospective student wanting to attend an open day, it may mean that you cannot attend the open day depending on the type of data we have requested.
If you are an applicant wanting to study with us, it may mean that we reject your application depending on the type of information we requested.
In most cases the data you provide to us will be a necessary requirement of entering or living on College premises. If you do not provide such data, you may not be able to enter College premises and depending on circumstances this may become a disciplinary matter that could lead to the termination of your contract with us whether you are an employee or a student.
Failure to provide financial information will mean we are unable to process any payment from you and may not be able to enter into the relevant contract with you.
Failure to provide accurate organisation and purpose details for events may mean that we choose not to enter into the relevant contract with you or an event in progress may not be permitted to continue.
Failure to provide information regarding visa status or right to work or related information may mean we are unable to enter into a contract with you and/or may result in the termination of a contract.
Failure to notify us of a conflict of interest may result in disciplinary proceedings.
We may collect personal information from children under the age of 16, but we will not do so or knowingly allow such persons to provide us with their personal information without informing them of the collection or without a lawful basis to do so.
We provide personal data to the Higher Education Access Tracker (HEAT) as a part of our duty under the Department of Education. A separate privacy notice can be found here for HEAT.
How we collect personal data
We collect personal data directly from you but also may collect and generate data from different sources.
Our Record of Processing Activities provides further detail regarding the sources of each category of personal data we collect and process.
Why we use your personal data
We will collect and process personal information about you, to enable us to administer applications, to enter into a contract or commercial arrangement with you, to inform you of conferences and events tailored to your interests, to provide you with information about the college and college activities, to facilitate financial transactions, operational reporting and for the production of management information, to provide support and assistance where required and to manage our ongoing relationship with you.
Under data protection law, we can only use your personal information if we have a proper reason or legal basis for doing so. We have provided further information regarding our reasons for processing your data below.
Why we use special category data
We may process special categories of personal information in the following circumstances:
- Where we have your explicit written consent to do so
- Where it is necessary for reasons of employment, social security and/or social protection law
- Where it is necessary for your protection or that of another individual for example in an emergency situation
- Where it is necessary in the substantial public interest, for example for the purposes of promoting and maintaining equal opportunity or treatment
- Where processing is necessary for archiving purposes in the public interest, or for scientific or historical research purposes, or statistical purposes, subject to further safeguards for your fundamental rights and interests specified in law
- Where it is necessary for the establishment, exercise or defence of a legal claim.
We have in place appropriate policy documents and/or other safeguards which we are required by law to maintain when processing such data.
Criminal convictions and allegations of criminal activity
Further legal controls apply to data relating to criminal convictions and allegations of criminal activity. We may process such data on the same grounds as those identified for “special categories” referred to above.
Details of the lawful bases we rely on for the processing of the categories of data are in our Record of Processing Activity.
We have put in place appropriate security measures including layered security software to prevent your personal data from being accidentally lost, used, accessed in an unauthorised way, altered or disclosed. Our security system is subject to regular audit and proactive monitoring.
We have put in place procedures to deal with any suspected personal data breach; we will notify you, and any applicable regulator of a breach, where we are legally required to do so.
You have several rights under data protection laws which are set out below. You can access any of these rights at any time (depending on the lawful basis for processing). If you wish to do so or require further information about your rights please contact us using the details above.
- Access – the right to request a copy of the personal data we hold on you. When you request this data, this is known as making a Subject Access Request (SAR). In most cases, this will be free of charge, however in some limited circumstances, for example, repeated requests for further copies, we may apply an administration fee;
- Rectification of personal data – is the right to have any inaccuracies corrected;
- Erasure of personal data – the right to have any data erased in certain circumstances;
- Restriction of processing personal data – the right to restrict processing, in limited circumstances, where we don’t have legitimate grounds for processing your personal data;
- Objection to processing of personal data – the right to object to processing of personal data in certain circumstances. For example, you can object to your personal data being used to send you marketing material;
- Automated decision making – the right to ask for a decision to be made manually, where a decision is made using automated means and this adversely impacts you. Please note that we do not envisage that any decisions will be taken about you based solely on automated means, however we will notify you in writing if this position changes;
- Portability – the right to have a copy of the personal data we hold about you transferred to another data controller in electronic form (for example another university or college).
- Withdraw consent – where we rely on consent as a legal basis for processing personal data you may withdraw consent at any time. This will not affect the validity of any lawful processing of your data up until the time when you withdrew your consent. You may withdraw your consent by contacting the college Data Protection Officer at email@example.com
If you wish to exercise any of your rights in relation to your data as processed by Somerville College, please contact our Data Protection Officer at firstname.lastname@example.org. Some of your rights are not automatic, and we reserve the right to discuss with you why we might not comply with a request from you to exercise them.
Further guidance on your rights is available from the Information Commissioner’s Office.
How to complain
If you are unhappy with the way we have handled your personal data and want to complain about how your personal data is being processed, you can do so at any point in time. Please contact our Data Protection Officer at email@example.com.
The Information Commissioner’s Office (ICO) is the UK’s supervisory authority whose role is to enforce data protection laws. You have the right to complain to the ICO (https://ico.org.uk/concerns/) if you believe that your data has been processed unlawfully.
We would appreciate the chance to address any concerns you may have before you approach the ICO and ask that you contact us first.
How and why we share your personal data
We do not sell your personal data; however, we may share your personal data with certain third parties if we are allowed to do so or are required to do so by law.
In circumstances where your personal data is shared with third parties, we will seek to share the minimum amount of information necessary to fulfil the purpose.
All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies and are only permitted to process your personal data for specific purposes in accordance with our instructions. We do not allow our third-party providers to use your personal data for their own purposes.
Please click the following link for examples of the types of third parties with whom we may share your personal data, including but not limited to the following.
Transferring personal data outside the UK and European Economic Area (EEA)
It may be necessary for your information to be transferred to and stored in locations outside the European Economic Area (EEA), including countries that may not have the same level of protection for personal information.
We may need to transfer your information in this way to carry out our contract with you, to fulfil a legal obligation, to protect the public interest and/or for our legitimate interests. You can obtain more details of the protection given to your information when it’s transferred outside the EEA by contacting us.
When we do this, we’ll ensure it has an appropriate level of protection and that the transfer is in accordance with data protection laws.
When you are resident outside the EU in a country where there is no “adequacy decision” by the European Commission, and an alternative safeguard is not available, we may still transfer data to you which is necessary for performance of your contract with us.
How long do we hold personal data?
We keep your personal data for no longer than is necessary to fulfil the purpose for which it was collected. Details of expected retention periods for different categories of personal data held by us are set out in our Record of Processing Activities (to access, please contact firstname.lastname@example.org).
How long we keep your personal data depends on several factors including but not limited to the nature and type of record, the nature of the activity, the product or service and any applicable legal or regulatory requirements and changes thereof. Any such changes will be reflected in our Record of Processing Activities.
Where legal proceedings, regulatory, disciplinary or criminal investigations are in progress or relevant requests are made under data protection laws or freedom of information legislation, it may be necessary to suspend deletion of data until such proceedings, investigations or requests have been fully concluded.
Please note that we may keep anonymised statistical data indefinitely; however, you cannot be identified from such data.
If you wish to discuss our Record of Processing Activities, our retention periods or believe processing may cause substantial distress, please do contact us so that we may consider whether it is appropriate for us to continue to process and/or whether further safeguards might be applied to our processing activities.
Links to other websites
Within our website we may have links to third party websites, plug-ins and applications. Clicking those links may enable third parties to share or collect your personal data.
Please be aware that we do not control such third-party websites and are not responsible for their privacy statements or the contents of those websites. We would encourage you to read the privacy notice of every website you visit.
Changes to the privacy notice
We encourage you to review this page regularly to identify any updates or changes to our privacy notice.
Please contact us if you wish to receive past versions of any of our privacy notices.