Somerville College – individuals whose data is retained in our archives privacy notice
Privacy notice – individuals whose personal data is retained in Somerville College’s archives
A summary of what this notice explains
Somerville College is committed to protecting the privacy and security of personal data. This privacy notice applies to anyone whose personal data is retained in Somerville College’s archives. This group will include:
- Former students
- Current and former staff and officers of Somerville College.
- Individuals who have donated items to our archives
- Researchers who access our archives
- Other third parties referred to in records held in the archive
This notice explains what personal data Somerville College holds about you, how we use it internally, how we share it, how long we keep it and what your legal rights are in relation to it.
This notice also explains the lawful basis on which we process your data.
For the parts of your personal data that we generate about you, or that we receive from others, this notice also explains the sources of the data.
What is your personal data and how does the law regulate our use of it?
“Personal data” is information relating to you as a living, identifiable individual. We refer to this as “your data”.
“Processing” your data includes various operations that may be carried out on your data, including collecting, recording, organising, using, disclosing, storing and deleting it.
Data protection law requires us:
- To process your data in a lawful, fair and transparent way;
- To only collect your data for explicit and legitimate purposes;
- To only collect data that is relevant, and limited to the purpose(s) we have told you about;
- To ensure that your data is accurate and up to date;
- To ensure that your data is only kept as long as necessary for the purpose(s) we have told you about;
- To ensure that appropriate security measures are used to protect your data.
Somerville College’s Contact Details
If you need to contact us about your data, please contact: firstname.lastname@example.org
The College has a Data Protection Officer, whose contact details are: email@example.com
Data that you provide to us and the possible consequences of you not providing it
If you as a researcher do not provide your data (such as your name and contact details), you may not be allowed to access the archive.
Other sources of your data
Apart from the data that you provide to us, the data we hold about you may have been obtained from our staff, students, the University of Oxford, donors to our archives or other third parties.
The lawful basis on which we process your data
The law requires that we provide you with information about the lawful basis on which we process your personal data, and for what purposes. The data we hold will generally have been obtained for other purposes originally and the law permits Somerville College to retain lawfully obtained data for the purposes of archiving in the public interest, for historical or scientific research purposes or for statistical purposes. The law provides further safeguards that such processing must (a) not be likely to cause substantial damage or substantial distress to you or another individual; and/or (b) must not be carried out for the purposes of measures or decisions with respect to you or another individual, unless the purposes for which the processing is necessary include the purposes of approved medical research.
In addition, the College (or a third party such as researchers or donors of archive material) will typically also have a legitimate interest in processing data for such purposes, provided your interests and fundamental rights do not override those interests.
How we apply further protection in the case of “Special Categories” of personal data
“Special categories” of particularly sensitive personal data require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal data.
The Special Categories of personal data consist of data revealing:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership.
They also consist of the processing of:
- genetic data;
- biometric data for the purpose of uniquely identifying someone;
- data concerning health;
- data concerning someone’s sex life or sexual orientation.
We may process special categories of personal data in the following circumstances:
- With your explicit written consent; or
- Where it is necessary in the substantial public interest, in particular:
  - where it is necessary for the purposes of the prevention or detection of an unlawful act and must be carried out without the consent of the data subject so as not to prejudice those purposes; or
  - for equal opportunities monitoring;
- Where the processing is necessary for archiving purposes in the public interest, or for scientific or historical research purposes, or statistical purposes, subject to further safeguards for your fundamental rights and interests specified in law. The safeguards are that the processing must (a) not be likely to cause substantial damage or substantial distress to you or another individual; and/or (b) must not be carried out for the purposes of measures or decisions with respect to you or another individual, unless the purposes for which the processing is necessary include the purposes of approved medical research. In addition, the processing must also be in the public interest.
We have in place an appropriate policy document and/or other safeguards which we are required by law to maintain when processing such data.
Less commonly, we may process this type of data where it is needed in relation to legal claims or where it is needed to protect your vital interests (or someone else’s vital interests) and you are not capable of giving your consent, or where you have already made the information public.
Criminal convictions and allegations of criminal activity
Similar legal controls apply to data relating to criminal convictions and allegations of criminal activity. We may process such data on the same grounds as those identified for “special categories” referred to above.
Details of our processing activities, including our lawful basis for processing
We have prepared a detailed table setting out the processing activities that we undertake, the source of the data, the reasons why we process it, how long we keep it and the lawful basis we rely on (in addition to the lawful basis on which we originally collected the data). It may be reviewed by contacting firstname.lastname@example.org
The table includes detailed information about how and why we process various categories of data, and the related lawful basis including the legitimate interest that Somerville College has in processing in its archives:
- Student files including dates of attendance, course of study and outcome of their studies, results of College examinations (“collections”), University examinations, and College and University assessments, awards, scholarships and prizes conferred, applications (e.g. UCAS forms and references), academic and disciplinary records. These files may include information about a former student’s personal life including their health, family circumstances, ethnicity, sexuality, political opinions, religious or philosophical beliefs, criminal convictions or allegations, gender, background and/or financial circumstances. Somerville College has a legitimate interest in processing such data for the purposes of research and its archive in the public interest. Somerville College also considers that it is in the public interest to process special category and/or criminal convictions or allegations data for such purposes.
- Extracts from staff records consisting of employee name, dates of employment, role(s) and reason(s) for departure (including for example retirement, new employment or dismissal), staff photograph, records of references given.
- Other administrative records of the College, for example Governing Body and committee records. Such records may include the personal data of College staff where they are mentioned in Governing Body minutes, for example.
- Other material collected by or donated to our archive
How we share your data and the safeguards we apply to such sharing
We will not sell your data to third parties. We will only share it with third parties if we are allowed or required to do so by law. Our archives may be consulted by researchers, with our permission and subject to our archives policy, including access restrictions.
All our third party service providers are required to take appropriate security measures to protect your personal information in line with our policies, and are only permitted to process your personal data for specific purposes in accordance with our instructions. We do not allow our third party providers to use your personal data for their own purposes.
Sharing your data outside the European Union
The law provides various further safeguards where data is transferred outside of the EU.
We may transfer your data outside the European Union, but only for the purposes of research and provided either:
- There is a decision of the European Commission that the level of protection of personal data in the recipient country is adequate; or
- Appropriate safeguards are in place to ensure that your data is treated in accordance with UK data protection law, for example through the use of standard contractual clauses; or
- There is an applicable derogation in law which permits the transfer in the absence of an adequacy decision or an appropriate safeguard.
We do not envisage that any decisions will be taken about you based solely on automated means; however, we will notify you in writing if this position changes.
How long we keep your data
As your data is being processed for the purposes of archiving and historical research, we will keep it until the data is no longer required for this purpose. In practice, this means your data is likely to be retained permanently. However, if you believe our processing this data will cause you substantial damage or substantial distress, please contact email@example.com so that we may consider whether it is appropriate for us to continue processing it, and/or whether further safeguards may be applied to our processing of the data.
Your legal rights over your data
Subject to certain conditions set out in UK data protection law, you have:
- The right to request access to a copy of your data, as well as to be informed of various information about how your data is being used;
- The right to have any inaccuracies in your data corrected, which may include the right to have any incomplete data completed;
- The right to have your personal data erased in certain circumstances;
- The right to have the processing of your data suspended, for example if you want us to establish the accuracy of the data we are processing.
- The right to receive a copy of data you have provided to us, and have that transmitted to another data controller (for example, another University or College).
- The right to object to any direct marketing (for example, email marketing or phone calls) by us, and to require us to stop such marketing.
- The right to object to the processing of your information if we are relying on a “legitimate interest” for the processing or where the processing is necessary for the performance of a task carried out in the public interest. The lawful basis for any particular processing activity we carry out is set out in our detailed table of processing activities.
- The right to object to any automated decision-making about you which produces legal effects or otherwise significantly affects you.
- Where the lawful basis for processing your data is consent, you have the right to withdraw your consent at any time. When you tell us you wish to exercise your right, we will stop further processing of such data. This will not affect the validity of any lawful processing of your data up until the time when you withdrew your consent. You may withdraw your consent by contacting firstname.lastname@example.org or by contacting the College’s Data Protection Officer.
Further guidance on your rights is available from the Information Commissioner’s Office (https://ico.org.uk/). You may also wish to contact the College’s Data Protection Officer (email@example.com) if you are considering how or whether to exercise your rights.
You have the right to complain to the UK’s supervisory office for data protection, the Information Commissioner’s Office, if you believe that your data has been processed unlawfully: https://ico.org.uk/make-a-complaint/.
Future changes to this privacy notice, and previous versions
We may need to update this notice from time to time, for example if the law or regulatory requirements change, if technology changes, if the University makes changes to its procedures, or to make the College’s operations and procedures more efficient. If the change is material, we will give you not less than two months’ notice of the change so that you can decide whether to exercise your rights, if appropriate, before the change comes into effect. We will notify you of the change by email.
Version control: V.1.1 (May 2018)