Skip to main content

Privacy notice for the Step Up to University and Access to Professions programmes

References to “the programmes” in this notice refer to Cardiff University’s Step Up to University and Access to Professions programmes.

The programmes aim to raise aspirations, raise attainment and provide support for secondary aged pupils from disadvantaged areas to continue their studies post 16.

Cardiff University is the data controller for personal data processed as part of the programme.

Pupils' progress is monitored and tracked throughout the three-year period. Typically, there are around 3,000 pupils (in Years 11, 12 and 13) on the programme at any one time.

What information is collected about participants?

We collect the following compulsory pieces of information for all participants who take part in our activities. This helps us to demonstrate that our activities are engaging young people from backgrounds that are currently under-represented in higher education.

  • Name
  • Date of birth
  • Email address
  • Home address and postcode
  • Mobile number
  • Year group
  • School/college/organisation

Also eligibility characteristics1 including:

  • whether in receipt of free school meals
  • asylum seeker status
  • disability related information such as autism
  • whether the participant’s parent(s) or brothers and sisters went to University
    (providing this information is not essential but allows us to report on the number of participants who are potentially the first in their family to go to university)
  • whether the participant has experience of being in the care system.
    (providing this information is not essential but it allows us to report on an under-represented group and to provide priority access to some events)

1Step Up only.

We also request optional information about:

  • photographs and films consent – during events we may take and publish photographs and films to be used for marketing purposes such as on our website, in our newsletter or within social media accounts
  • whether a participant / parent /guardian would like to receive marketing communication from Cardiff University about other relevant activities
  • language preference
  • disability2
  • gender2
  • ethnicity.2

2Disability, gender and ethnicity information will not be shared with third parties but will be used in an anonymous form for research connected to the programme.

Residential and out of school activities

The programmes also require additional compulsory information when taking part in residential or out of school activities so that staff and third parties delivering on behalf of the programmes can provide appropriate support and ensure the health and safety of all participants and staff. These include:

  • disability information
  • gender
  • emergency contact details
  • dietary requirements
  • cultural requirements
  • allergies
  • medical arrangements
  • medication taken
  • parental consent to provide paracetamol to under 16s should the need arise.

What information is collected about teachers/other contacts?

We collect the following pieces of information from teachers and other contacts who would like to be kept informed our activities, the newsletter and other relevant opportunities for their school/college.

  • contact details
  • subject area
  • position held at school/college
  • teaching responsibility for which year groups
  • contact language preference
  • school/college

Why do we collect this information?

We collect data on individuals for the following main reasons.

  • For the purposes of monitoring which allows us to:
    • fulfil compulsory external reporting requirements to regulatory bodies such as the Higher Education Funding Council for Wales (HEFCW)
    • provide a clear picture of the activities we deliver and the people we work with
    • ensure that we are reaching those that could benefit most from outreach activities.
  • For the purposes of research and evaluation which helps us to assess the effectiveness of different initiatives on widening participation to Higher Education. This includes the long-term tracking of participants’ education journeys, to identify how many programme participants go on to study at university.
  • Identify participants who belong to groups, which are under-represented in Higher Education and to ensure that people from these groups are given priority access to other widening participation activities. For further information on this please see
  • Ensure the health and safety and well-being of all participants in our programmes and to assist with pastoral and welfare needs, for example ensuring that we are aware of medical conditions and disabilities.
  • To send relevant and necessary information regarding forthcoming activities as well as marketing communications.

What is the legal basis for processing the data?

Widening participation is a key component of the Welsh Government’s education policy and is represented in the University’s civic mission. The programmes process personal data as it is necessary for it to perform a task in the public interest and for its official functions. The legal basis for processing special category data is on the basis that it is in the substantial public interest and is necessary for statistical purposes to monitor equality of opportunity in accordance with the Equality Act 2010.

The legal basis for processing the use of photographs and marketing communications is Consent.

We do not process any data without explicit consent from the parent/guardian for children aged 16 and under who are still in compulsory education.

How will we process the data?

  1. For initiatives which are organised directly with schools, an interested participant’s contact information will be collected via a paper form which is returned directly to the relevant coordinator. Further data will be requested via an online form over a secure URL to be used for the purposes outlined above. For initiatives involving participants applying directly to the programmes, data will be requested via an online form.
  2. The programme coordinator may use this information to create an attendance register, which will be stored on a secure university server. Access to this information is restricted to Cardiff University members of staff and third parties contracted to deliver activities.
  3. Next, the participant information is visually checked and transferred from the online forms into the secure online database.
  4. For the purposes of monitoring and research, compulsory data may be processed by a third party under contract to the University, including HEAT (Higher Education Access Tracker), UCAS and Aula, to enable long-term tracking of participants’ educational journey into higher education.
  5. All internal and external reporting which utilises the collected data, does so in an aggregated fashion, meaning that only totals are shown, so individuals’ data is never disclosed within a report.

How long will the University retain the information?

We will retain participants’ data in line with the Cardiff University Retention Schedule within the student administration and support records under teaching and research section

In summary: paper copies of information will be retained for one complete academic year after the activity took place. For example, for an event that took place 20 November 2014 the forms would be reviewed and permanently deleted on 31 August 2016.

Electronic records are held on a secure online database for a period of 10 years after an event, with data reviewed annually on 31 August.

Data shared/linked with third parties for research purposes will remain within the third party databases for the lifetime of the third parties’ projects, as individuals are no longer identifiable.

What are my rights?

Under the GDPR you have rights relating to your personal data which could include: to object to the processing of your personal information, to access, to rectify, to erase, to restrict and to port your personal information. For further information please refer to

Security of data

Data protection legislation requires us to keep your information secure. This means that your confidentiality will be respected, and all appropriate measures will be taken to prevent unauthorised access and disclosure. Only members of staff who need access to relevant parts of your information will be authorised to do so. All personal data which is stored electronically will be subject to password and other security restrictions, while paper files will be stored in secure areas with controlled access.

Some processing of data may be undertaken on the behalf of the programmes by an organisation contracted for that purpose. Organisations processing personal data on behalf of the programme will be bound by a Data Processing Agreement which will outline their obligation to process personal data in accordance with all Data Protection legislation.

How do I complain?

If you are unhappy with the way in which your personal data has been processed you may in the first instance contact:

Cardiff University Data Protection Officer
University Secretary's Office
2nd Floor, Friary House
Greyfriars Road
CF10 3AE


If you remain dissatisfied, then you have the right to apply directly to the Information Commissioner for a decision. The Information Commissioner can be contacted at:

Information Commissioner’s Office
Wycliffe House
Water Lane