Document

Widening Participation privacy notice

Cardiff University runs a programme of initiatives and projects to engage with individuals from different backgrounds and with different experiences and to support access to higher education. The privacy of those participating in our activities is important to us and this notice sets out how and why we will use your personal data.

Cardiff University is considered the Data Controller of the personal data which we hold about you and as such is legally responsible for processing your personal data in accordance with data protection legislation. The University is registered as a Data Controller with the Information Commissioner's Office (ICO) to process personal data. Reg no Z6549747.

How will your personal data be used?

We collect your personal information to assess eligibility for our activities, to administer our activities, including communications and feedback about the activities, and ensure that the appropriate support is in place for those enrolling onto a Cardiff University event. We’ll use contact information to let you know about our activities and initiatives.

We’ll also use information for evaluating our activities, monitoring their effectiveness and purposes, to see whether our participants go on to study in higher education. This research will help us ensure we are interacting with students from a broad range of backgrounds and evaluate the effectiveness of our programmes.

What personal data will we collect?

Participant details

Name
Date of birth
Contact information (Home address, email, phone number)
Equality opportunity monitoring information
Asylum seek (where applicable)
School (where applicable)
Teacher details (where applicable)

Parent/carer details

Name
Emergency contact information
Relationship to participant

Teacher details

Name
Institution and role
Contact information (email/phone number)

Attendees at events

In addition to the above, where individuals attend in-person events, we may also collect the following information:

Accessibility requirements
Dietary requirements
Information about health conditions
Emergency contacts
Photographs, audio/video recordings (where you have not opted out)

The university collects this information in a variety of ways. For example, we might collect your personal data directly from yourself when you apply to participate in our activities; or someone else may provide your personal data to us as their emergency contact.

We'll also conduct surveys to collect your opinions and feedback on our programme activities, events and initiatives.

We may also receive information from programme partners (e.g. The Sutton Trust) where you have submitted an application form to attend one of their programmes, as set out in their privacy procedures.

What is the legal basis for processing your personal data?

Processing of your personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the university.

Where we process special category data (e.g. information about health or ethnicity) we do this on the basis that there is a substantial public interest on the conditions of equality of opportunity or treatment, regulatory requirements, safeguarding of children and individuals at risk in accordance with Schedule 1 of the Data Protection Act 2018.

Who has access to your personal data?

Your personal information will only be used by members of Cardiff University staff who have a business purpose for processing. Primarily this will be staff within the Widening Participation team however relevant information may also be shared with other appropriate Cardiff University departments (such as Admissions and Student Life) to contact you about opportunities that benefit you, such as Cardiff University's contextual admissions policy.

Some processing may be undertaken on the university's behalf by an organisation contracted for that purpose. Organisations processing personal data on the university's behalf will be bound by an obligation to process personal data in accordance with data protection legislation. For example, if you complete an application form or evaluation survey your data will be stored by Jotform, an organisation contracted to the university.

Who will your personal data be shared with outside of the university?

Some of your data may be shared with appropriate third-party organisations:

Disclosure to	Details
The Higher Education Access Tracker (HEAT) service and its members	To track and monitor participants’ progression to access higher education. You can read more about how your data is used in their privacy notice.
The Higher Education Funding Council for Wales (HEFCW) and its agents	Agents include JISC, acting as data controller for the Higher Education Statistics Agency (HESA). We share anonymised data with HEFCW and HESA as part of our reporting obligations to governmental and official agencies.
UCAS	We share anonymised data with UCAS as part of our reporting obligations to governmental and official agencies.
Other higher education institutions and initiatives	Other initiatives include Reaching Wider, a HEFCW funded collaboration between Cardiff Metropolitan University, University of South Wales, and Cardiff University
Other organisations (e.g. The Sutton Trust, The Brilliant Club, The Cowrie Foundation)	Where you participate in a programme which is delivered collaboratively with the organisation and where an agreement is in place on how they can process personal data.

Is personal data transferred outside of the UK?

Generally, information you provide to us is stored on our secure servers, or on our cloud-based systems. These are located within the UK or in countries/areas which are considered to have adequate privacy and information security provisions, such as the EEA.

However, there are times when we will need to store information outside these locations and where we do, we will carry out transfer risk assessments where required to ensure that appropriate security measures are taken to protect your privacy rights. This may mean imposing contractual obligations on the recipient of your personal information where no other relevant safeguards exist. Technical measures such as encryption will also be considered.

How long will your personal data be held?

Cardiff University will retain your personal information in line with the university Records Management Policy and Records Retention Schedules.

Personal data from individuals who participate in Widening Participation activities will be retained for a minimum period of 5 years after the end of the project. We review any personal data we hold regularly and delete it when it is no longer needed.

Your rights

Under data protection legislation you have a number of rights such as a right to request a copy of your personal data held by the university or to correct any information you think is inaccurate. To find out more about your rights and how you can exercise them, please see our web page your data protection rights.

Contact details

If you have any queries on how your data is used you should in the first instance contact: outreach@cardiff.ac.uk

Should you have any further concerns or complaints you can contact Cardiff University's Data Protection Officer at InfoRequest@cardiff.ac.uk.

The Information Commissioner’s office is responsible for regulating data protection in the UK. We hope to resolve any of your questions, queries or concerns but if you remain dissatisfied you can contact the Information Commissioner's Office.