General Privacy Notice

This University of South Wales is the data controller with regard to this personal information, and is committed to protecting the rights of individuals in line with its statutory requirements. The University of South Wales has a Data Protection Officer who can be contacted through [email protected].

This is a general privacy notice for the capture of personal data not routinely captured in the course of day to day business and supplements any other University privacy notices which may apply.

What information do we collect?
This privacy notice applies to personal data provided to us, both by individuals themselves or by third parties and is designed to help those whose data is held understand how it is used.

The notice is aimed at the following individuals who may -

  • Contact the University by any means for any purpose
  • Provide services or work with the University
  • Request information under information compliance legislation
  • Visit or use the University’s website
  • Provide the University with unsolicited information

The University may collect the following information:

  • Personal details (such as name, contact details and email address) that are provided at the point of contact where an individual requests information or submits it via the website.
  • Responses to surveys completed on webpages or via links received by the individual.
  • Any other information posted, emailed or otherwise sent to the University.
  • Information around the use of webpages and where available, browser type, the IP address and operating system.
  • Unsolicited personal information (information that USW has not sought or requested) such as a CV, concern or medical records that are sent to University staff. Where this is the case, this personal data will be handled with the same care as any other personal data we process and in accordance with data protection legislation as laid out in this notice.
  • The University will collect personal information about website usage through cookies in accordance with the Cookies Policy.

How is data used?
Personal data will only be processed when the law allows – and will only be used for the following purposes:

  • For administrative purposes and to help with enquiries and requests
  • To manage the relationship with suppliers and partners
  • To comply with a legal or regulatory obligation
  • To enable the University to provide a product, facility or service
  • To process feedback and improve services
  • To manage and improve the web system and troubleshoot problems
  • Where personal information is collected on the University’s website, for instance through a web form or an online payment system, users will be informed as to what information is being captured, why and who (if anyone) it will be shared with,
  • Where information has been requested from the University under freedom of information or data protection legislation, or more generally, the University may share personal data internally in order to deal with the request
  • Employer information in relation to apprenticeships will be used for monitoring and evaluation purposes

The lawful basis for processing
Data protection legislation requires that a legal basis is in place when processing personal data.

Consent: Consent has been provided as a basis for processing personal data.

Performance of contract: The processing of personal data may be necessary in relation to the contract the University has entered into with an organisation to provide the University’s services, or because a request has been made to enter into the contract.

Public task: The processing of the personal data may be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the University.

Legal obligation: The processing of personal data is necessary for compliance with a legal obligation – this could include provision of certain data to external agencies as required by law.

Legitimate interests: The processing of personal data may be necessary for the purposes of the legitimate interests pursued by the University or by a third party, except where such interests are overridden by the interests of the individual or by fundamental rights and freedoms which require protection of personal data.

Lawful interests: processing is necessary for compliance with a legal obligation to which the University is subject.

Some of the above grounds for processing will overlap and there may be several grounds which justify the use of personal information.

Who receives this data?
For the purposes detailed above, the University may have to share personal data with the following:

  • External third party service providers: there may be times when external organisations use personal information as part of providing a service to the University or as part of checking the quality of service delivery, such as auditors;
  • Law enforcement or other government and regulatory agencies: The University may be required by law to disclose certain information to the police or another relevant authority in circumstances e.g. where it is considered that an individual is at serious risk of harm.
  • Periodically requests are received from third parties with authority to obtain disclosure of personal data. Such requests will only be fulfilled where the University is permitted to do so in accordance with applicable law or regulation.
  • Where the University is working with employers certain contact details relating to the lead contact must be provided to the government for evaluation and monitoring purposes.

Transfers to third countries and the safeguards in place
The University may use third party providers to deliver services, such as externally hosted software or cloud providers, and those providers may involve transfers of personal data outside of the UK. Whenever third party providers are used the University will ensure that personal data is treated by those third parties securely and in a way that is consistent with UK data protection law, and that safeguards are in place.

Retention of data
Personal data will only be held for as long as necessary to fulfil the purposes it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements, and in accordance with the University’s Retention Schedule.

Security of data
Data Protection legislation requires the University to keep personal information secure. This means that confidentiality will be respected, and all appropriate measures will be taken to prevent unauthorised access and disclosure. Only members of staff who need access to information will be authorised to do so. Information held electronically will be subject to password and other security restrictions, while paper files will be stored in secure areas with controlled access.

Some processing may be undertaken on the University’s behalf by an organisation contracted for that purpose. Organisations processing personal data on the University’s behalf will be bound by an obligation to process personal data in accordance with Data Protection legislation.

Individual rights
Individuals have a right to access personal information, to object to the processing of, to rectify, to erase, to restrict and to port personal information.

Further information on individual rights is available on the University Data Protection webpages.

Requests or objections should be made in writing to the University Data Protection Officer:-

University Secretary’s Office,
University of South Wales
Pontypridd,
CF37 1DL

Email: [email protected]

Individuals who are unhappy with the way in which their personal data has been processed may in the first instance contact the University Data Protection Officer using the contact details above.

Individuals who remain dissatisfied have the right to apply directly to the Information Commissioner with concerns. The Information Commissioner can be contacted at:

Information Commissioner’s Office,

Wycliffe House,
Water Lane,
Wilmslow,
Cheshire,
SK9 5AF

www.ico.org.uk