Royal Holloway and Bedford New College, also known as Royal Holloway, University of London, will act in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 when controlling and processing your personal data.
This notice explains how we collect, use and share your personal data and your rights in relation to the processing of your data.
In this notice:
• ‘personal data’ means any data which can identify you directly or indirectly (whether by itself or when combined with other data), regardless of the format or media on which the data are stored. This includes data that can identify you when combined with other data that is held separately (pseudonymous data) but does not include data that has been manipulated so that you can no longer be identified from it (anonymous data).
• ‘processing’ means any activity relating to your personal data including collection, use, alteration, storage, disclosure and destruction.
What personal data will be collected
The data the College collects includes:
• Contact details including business email and telephone number
• Employment details including job title and area of industry
• A record of your involvement in activities organised by Careers & Employability
• Visual images
• Education, professional qualifications details
• Previous employment details
• Academic records relating to publications and research grant awards.
• Financial information
• Social media details e.g. Twitter handles, Facebook pages.
Special category data processed may include:
• Sexual orientation
• Gender reassignment
• Disability Pregnancy and maternity
• Ethnic origin
• Trade union membership
• Religious or other similar beliefs
• Physical or mental health details
• Spent and unspent criminal convictions
Personal data provided by you about others
You may provide us with personal data about other individuals, for example colleagues’ contact details. You should notify the relevant person that you are providing their contact details to the College and in what capacity (e.g. in relation to your organisation’s participation in a careers event).
How and when do we collect your personal data?
We collect your data when you complete our Employer booking forms, through correspondence etc.
When we receive your enquiry through our online form
When you complete a registration of interest form
When you contact us by any means with queries etc.
When you contact us via LinkedIn
When you book to attend an event
When you provide your personal profile
Personal data from third parties
If you have given your permission, we may on occasion receive information about you from third parties such as staff in academic departments.
Why do we collect this data, how do we use it and what is our legal basis for doing so?
We collect your data in order to provide you with information regarding careers events, placement schemes, advertising job vacancies, process your event booking form or enquiry, process invoices. We also collect your data in order to provide information to students and graduates regarding careers events, placement schemes and job vacancies.
We collect your contact details in order to communicate opportunities for employers to be involved in careers-related activities, such as fairs, workshops and placement schemes, and you can update these at any time on the Employer tab of our Careers Portal. This is done on the basis of our legitimate interests in providing students with employment opportunities.
We collect your financial information in order to process invoices relating to careers events and placement schemes. We collect your insurance details as part of our work placement procedures. This is done on the basis of your legitimate interests.
We may also use digital content relating to past events on our website and social media.
Note: There are a number of ways you can provide this information and no one way is better.
For reference, the legal bases are as follows:
• to perform a contract the College has entered into with you or take steps before entering into a contract with you at your request
• to comply with the College’s legal obligations (for example, complying with employment and tax, immigration, health and safety and safeguarding laws, preventing and detecting crime, assisting the police and other authorities with their investigations)
• where necessary for our legitimate interests or those of a third party provided your interests and rights do not override those interests (for example, to provide information regarding speakers at a careers event)
• to protect your vital interests or those of another person (for example, where we know or have reason to believe that you or another person may suffer harm)
• to perform a public task in the public interest or in the Colleges official functions, and the task or function has a clear basis in law.
In circumstances where you have a genuine choice as to whether we should process your personal data, we will ask you for your consent. The method used to obtain your consent will depend on the scope and context of the processing that we propose.
In relation to special categories of personal data and personal data relating to criminal convictions and offences, we may request your explicit consent unless a condition applies which allows us to process such personal data without doing so.
How long the College will retain your personal data
The College must only retain your personal data for as long as necessary to fulfil the purposes for which it was collected and to satisfy any legal, regulatory, accounting or reporting requirements.
Specified retention periods are applied to each category of personal data that we may process about you. In setting these retention periods, the College has taken into account:
• the nature, sensitivity and volume of the personal data
• the potential risk of harm to you arising from the College’s continued retention of the personal data
• the purposes for which the College may process your personal data
• whether the College is required to retain any personal data by law or in accordance with its legitimate interests
Your data will be kept in accordance with the College’s Records Retention Policy and Schedule.
CCTV and automatic number plate recognition (ANPR)
The College has a comprehensive, image-only CCTV surveillance system across its campus. Cameras located on and within buildings are monitored by Security. On occasions, Security staff will wear Body Worn Cameras in the course of their duties. These cameras record both images and sound, and data captured in this manner is processed in compliance with GDPR.
College uses ANPR (Automatic Number Plate Recognition) camera technology to manage, control and enforce parking on its sites. They are governed under guidelines from the Information Commissioner’s Office on the use of CCTV and ANPR Cameras and are operated by College’s Security team. In exceptional circumstances this information may be used as evidence in disciplinary cases.
Sharing your personal data with third parties
Where the College uses third parties to process personal data on its behalf (acting as data processors), a written contract will be put in place to ensure that any personal data shared will be held in accordance with the requirements of data protection law and that such data processors have appropriate security measures in place in relation to your personal data.
This includes companies which provide such services as our Careers Service Management System (careers portal)
Where we may wish to acknowledge your involvement in any careers-related activities at the College we will request your permission beforehand.
Please note that in certain circumstances we may need to share your personal information with a regulator or to otherwise comply with the law.
International Data Transfers
Most personal data about you, including your personnel file, will be stored on servers within the UK or elsewhere within the European Economic Area (EEA).
On occasion it may be necessary for the College to transfer your personal data outside of the European Economic Area (EEA). This will only take place in circumstances where there are appropriate and adequate safeguards in place which incorporate appropriate assurances to ensure the security of the information and compliance with legislative and regulatory requirements.
How the College keeps your personal data secure
The College has put in place appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used or accessed in any unauthorised way or altered or disclosed. In addition, the College limits access to your personal data to the persons and organisations, including those described above, who have a lawful and/or legitimate need to access it.
The College has also put in place procedures to deal with any suspected personal data security breach and will notify you and any applicable regulator of a suspected breach where legally required to do so.
You and your data
You have a number of rights in relation to the processing of your personal data by the College:
• Access: You have the right to request access to and be provided with a copy of the personal data held about you together with certain information about the processing of such personal data to check that the College is processing it lawfully and fairly.
• Correction: You have the right to request correction of any inaccurate or incomplete personal data held about you.
• Deletion: You have the right to request erasure of any personal data held about you where there is no good reason for the College to continue processing it or where you have exercised your right to object to the processing of your personal data.
• Restriction: You have the right to request restriction of how the College processes your personal data; for example, to confirm its accuracy or the College’s reasons for holding it or as an alternative to its erasure.
• Objection: You have the right to object to the College’s processing of any personal data which is based on the legitimate interests of the College or those of a third party based on your particular circumstances. You also have the right to object to the College processing your personal data for direct marketing purposes.
• Portability: You have the right to receive or request that the College transfers a copy of your personal data in an electronic format where the basis of the College processing such personal data is your consent or the performance of a contract, and the information is processed by automated means.
• Complaints: You have the right to complain to the Information Commissioner’s Office (ICO) in relation to how the College processes your personal data. Our registration number with the Information Commissioner’s Office is Z7056965.
The College may be entitled to refuse any request in certain circumstances and where this is the case, you will be notified accordingly.
Where the lawful ground relied upon by the College to process any of your personal data is your consent, you have the right to withdraw such consent at any time without having to give any reason. However, if you do so, the College may not be able to provide some or all of its services to you or the provision of those services may be affected.
You will not have to pay any fee to exercise any of the above rights, though the College may charge a reasonable fee or refuse to comply with your request if any request is clearly unfounded or excessive. Where this is the case, you will be notified accordingly.
To protect the confidentiality of your personal data the College may ask you to verify your identity before fulfilling any request in relation to your personal data.
Changes to this notice
The College may update this notice at any time and may provide you with further notices on specific occasions where we collect and process personal data about you. You should check this notice regularly to take notice of any changes. Where any change affects your rights and interests, we will make sure we bring this to your attention and clearly explain what this means for you.
Questions or comments
If you have any questions or comments regarding this notice or you wish to exercise any of your rights you should contact our Data Protection Officer by email at firstname.lastname@example.org.
You also have the right to complain to the Information Commissioner’s Office and you can find more information on their website – www.ico.org.uk