Student Connect Data Protection Notice

This privacy notice sets out how we deal with the personal information of people who are accessing support within the University’s Student Life Services (referred to hereafter as Student Life).

This privacy notice sets out how we deal with the personal information of people who are accessing certain services within the University’s Student Life and other support provision, including but not limited to Registry and Finance. It applies in addition to and does not replace the University’s general data protection notice for students and applicants.

This notice may be updated from time to time to ensure continued compliance with current legislation and to reflect best practice.

Identity of the Data Controller

As a Data Controller, Cardiff University is legally responsible for processing your personal data in accordance with Data Protection legislation. In order to carry out its functions and obligations in respect to your study at the University, it is necessary for the University to collect, store, analyse and sometimes disclose your personal data.

The University is registered as a Data Controller with the Information Commissioner's Office (ICO) to process personal data. Reg no Z6549747.

Contact details of the Data Protection Officer

If you have any queries over the way that your data is processed, please raise these first with the relevant team. If you are still concerned, the University has a data protection officer who can be contacted at InfoRequest@cardiff.ac.uk

What personal information do we collect about you?

The personal details which we process will depend on the support which you engaged with but are likely to consist of:

• Name
• Contact detail – address, phone number, email
• Programme of study
• Demographic data such as age, gender, health related information
• Details of request for support, including details of the risk you may present to yourself or other people
• Details of support provided by us or referrals to other agencies including those external to the University
• Dates that you have engaged with the service
• Details of any relevant disability, medical condition or other medical information
• Emergency contact details
• Details of your request or need for support and related searches

What is our legal basis for processing your personal data?

The University needs to state on what legal basis we will process your data. This can depend on the reason that we need to process your data, and in relation to Student Support and Wellbeing, can include, but is not limited to:

1. Performance of Contract
2. Consent
3. Legitimate interest
4. Public Task
5. Legal obligation
6. Statistical and Research Purposes

Further details of these categories can be found in the general student and applicant data protection notice.

The relevant number of the basis that applies is shown in brackets after each purpose listed in the following section.

We collect this information in a variety of ways. For example, data may be collected through your submission of forms (online or in paper format), emails, in person, telephone or online meetings, interviews or other assessments, via case management software or enquiry management systems including our Chat Bot.   It might also be collected from third parties such as other students or staff.

For what purpose with your personal data be used?

The purposes and related legal basis under which the University may process your personal data include the following:

• administration (including application, enrolment, assessment, disciplinary matters, health matters) (1)
• to organise your studies (1)
• access to, and security of, University facilities (including library services, computing services, sports and conference facilities (1)
• to consider and provide support for disability or health related adjustments (5)
• to assist in pastoral and welfare needs (eg the counselling service) (4)
• internal and external auditing purposes (5)
• meeting health and safety obligations and equality of opportunity monitoring obligations (5,6)
• to enable the Students’ Union to provide you with access to its facilities and support services (3)
• for consideration of ‘fitness to practise’ or ‘fitness to study’ issues (4)
• carrying out statutory duties to provide information to external agencies (see ‘Sharing information with others’ for further details)
• from time-to-time, other activities that fall within the pursuit of the University’s legitimate business and do not infringe your rights and freedoms (3)
• Orientation (including virtual orientation) (3)

Given the complexity of the relationships a university has with its students, this list is not exhaustive.

Who has access to your personal data?

The staff within the relevant parts of the University whose services you are accessing will have access to your personal data, to provide support to you or to refer you to other services.

Exception with regard to the Counselling Service

Your details may be shared with Associate Counsellors who are undergoing training whilst working with the University but are not University staff.

All counsellors, including Associate Counsellors working in the service, are bound by service standards on confidentiality and must adhere to the relevant professional ethical frameworks.  Full details of this, including situations that may arise where we may need to talk to someone about you which may involve breaking confidentiality are set out in the Counselling Confidentiality Statement.

Who will your personal data be shared with outside of the University?

The University works in partnership with statutory agencies and other third-party organisations external to the University where this is of benefit to our students or the wider community. With your consent we may pass your data on to the appropriate and relevant agencies so that they can contact you or to facilitate the provision of your support.

In exceptional circumstances, we may share your information with appropriate and responsible third parties including statutory agencies such as the police, healthcare and welfare services without informing you first. This will normally be for safeguarding purposes, including when someone is considered to be a risk to themselves or others.

Any disclosures that the University makes will be in accordance with data protection law and your interests will always be considered.

Under your direction, we will share data with the NHS when you are in receipt of mental health support from Cardiff University in order for you to access further support from NHS services.

How do we keep your information safe?

Data Protection legislation requires us to keep your information secure. This means that your confidentiality will be respected, and all appropriate measures will be taken to prevent unauthorised access and disclosure. Only members of staff who need access to relevant personal data will be authorised to do so. You can find out more by referring to the University Information Security Policies.

Some processing may be undertaken on the University’s behalf by an organisation contracted for that purpose. Organisations processing personal data on the University’s behalf will be bound by an obligation to process personal data in accordance with data protection legislation. For example, if you contact the service via a web-based form your data will be collected via Online Surveys, a service provided by JISC under contract to the University.

Do we transfer information outside the UK?

Details of our transfers of data can be found on our general student and applicant data protection notice.

How long will your personal data be held?

Your data will be held for the length of time specified in our Records Management Policy and Records Retention Schedules.  This is usually for a period of approximately 6 years but will depend on the precise schedule for the service you have used. For precise retention periods, please see our record management policies and retention schedules and refer to the Student Administration and Support records section.

How to raise a query, concern or complaint

If you have a query, concern or complaint, please contact the relevant team the first instance.  If you still have queries, concerns or wish to raise a complaint, details of how you can contact the University data protection officer and Information Commissioner’s Office are available on our Data Protection page.

Your data protection rights

Under data protection legislation you have certain rights, such as the right to request a copy of your personal data held by the University and the legal basis on which we process your data. To find out more about your rights and how you can exercise them, please see our web page on your data protection rights.  For further information please see the following guidance published by the Information Commissioner’s Office.

The Information Commissioner’s Office is responsible for regulating data protection in the UK. We hope to resolve any of your questions, queries or concerns but if you remain dissatisfied you can contact the Information Commissioner's Office.

Updated: January 2022

Related links

• Student and applicant data protection notice
• Counselling Confidentiality Statement.
• Disability and Dyslexia Service Confidentiality Statement
• Online enrolment
• Cardiff University's entry on the Data Protection Register
• Information Commissioner's Office
• Admissions policies

Related documents

• Photographic identification code of practice, 104.0 KB
• Declaration of enrolment, 214.1 KB
• Public Health Wales TB DSA, 75.1 KB