Prospects and Applicants privacy notice

Introduction

1. The University of Chester ('the University') is committed to protecting the rights and freedoms of individuals as detailed in relevant Data Protection legislation including looking after any personal data that it collects, uses or holds. This Data Processing and Privacy Notice describes how and why we collect and use personal information about you for marketing, student recruitment and admissions purposes. It is issued under your right to be informed about how the University collects, uses and stores your personal data.
    
2. Marketing, Recruitment and Admissions ('MRA') is a central function within the University. The purpose of MRA is to communicate with Customers about products and services offered by the University that may be of interest to them, to process applications to courses of study, and send information to Customers that we are required to do so. ‘Customers’ are defined as:
   • Prospective students and/or service users
   • Applicants to courses of study
   • Current students and/or service users
   • Graduates and/or past students

Data Protection Principles

3. We will comply with data protection legislation, which means that the personal information we hold about you must be:
   • Used lawfully, fairly and in a transparent way
   • Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes
   • Relevant to the purposes we have told you about and limited only to those purposes
   • Accurate and kept up-to-date
   • Kept only as long as necessary for the purposes we have told you about
   • Kept securely

What Personal Data does the University collect?

4. Personal data, or personal information, means any information about you from which you can be identified. It does not include anonymous data. MRA collects different kinds of personal data about you which we have grouped together as follows:
   • Identity data includes first name, last name, title, gender, date of birth
   • Contact data includes address including postcode and country of residence, email address, phone number(s)
   • Course data includes course interest, course applied for, campus applied to, UCAS number, personal data collected via UCAS application for an undergraduate course or via GOV.UK for a PGCE course application, personal data collected for the purpose of applying for a postgraduate course, application decision
   • Technical data includes IP address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, other technology on the devices you use to access this website, public images on social platforms, usernames on social platforms, location tags on social platforms
   • Usage data includes information about how you use our website, products and services
   • Marketing and Communications data includes your preferences in receiving marketing from us and our third parties and your communication preferences.

What Special Category Data does the University Collect?

5. Special category data includes information about your race or ethnicity, religious or philosophical beliefs, sexual orientation, health and biometric data. MRA may collect and process special category data which you disclose to the University. This data will be used to ensure that we are offering an inclusive and accessible experience and that we are able to meet the needs of our Customers. As part of the admissions process, it is also necessary for the University collect and process information relating to criminal convictions. This data is processed in an official capacity for safeguarding purposes.

Why does the University need this data and how will the University use this data?

6. MRA requires personal data in order to:
   • Process applications to courses of study
   • Inform Customers about products and services that may be of interest to them (i.e. marketing communications)
   • Send information necessary for the fulfilment of our obligations to you (i.e. necessary communications)

What is the Legal Basis for processing the data?

7. MRA will use the following legal bases for processing data, depending on the Customer type and purpose for processing the data.

For how long will the University keep this Data?

8. MRA will observe the following schedule for retention and/or deletion of data, depending on the Customer type. The retention periods given in this privacy notice are taken from the JISC Record Retention Schedule. 

Who has access to the data and who will the University share this data with?

9. Partners: In order to process an applicant’s application, in some circumstances, depending on the course applied for, it may be necessary to share applicant data with one of the University’s partners.

10. Third-party services: The University may contract selected third-party service providers to process your personal data. These service providers are authorised to use your personal data only as necessary to provide the requested services to us. Unless described in this Privacy Policy, the University does not share, sell, rent, or trade any data with third parties for their promotional purposes. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit. The following is a list of purposes for which your personal data may be processed by third parties and the service providers by whom it may be processed on behalf of the University.

    • Data Management: MRA use third-party data management providers for the purposes of storing personal data about you and your marketing preferences. Personal data may also be processed to support and improve the services that are offered. Service providers that may process personal data for the purposes of data management include: Akero; MailChimp.

    • Email: MRA use third-party email providers for the purposes of sending emails relevant to your interests and application status. Personal data may also be processed for the purposes of personalising emails with your application details and other relevant information. Personal data may also be processed to track your behaviour relating to emails received, including whether you opened the email, and/or clicked any links. Service providers that may process personal data for the purposes of sending emails include: Alchemer; MailChimp.  

    • Events: MRA use third-party event management software for the purposes of managing bookings for events such as Open Days, Applicant Days and Campus Tours. Personal data will be processed and stored by these providers for making the booking, tracking attendance at events and sending event-based updates. Service providers that may process and store personal data for the purposes of event management include: Akero; Eventbrite; Gecko Labs Limited; Microsoft Bookings; Terminalfour Solutions Ltd.  

    • Image Processing: MRA use third-party image processors for the purposes of collecting, storing and republishing images that you post on social networks. With your permission (by responding to a request with #YESChester), these images may be used by us for the purposes of marketing and advertising. Further details about these permissions can be found in our separate Image Processing Terms of Use. The service provider that may process personal data for the purposes of image processing is Pixlee.

    • Market Research: MRA use a third-party survey software provider for the purposes of contacting respondents and collecting survey responses. Personal data may be processed by this provider for the purposes of collecting customer feedback, including feedback from Customer events, decision making processes and behaviour. MRA may use third-party service providers for the purposes of conducting market research. We will always make this clear in such cases and full details of these providers will be given. The survey software provider that may process personal data for the purposes of market research is Alchemer.

    • Online Advertising: MRA use several advertising platforms to inform you about courses, events, news and other information that may be of interest to you. These providers may process personal data to better target our advertisements to you. Personal data may also be processed to inform the University about the performance of advertising campaigns. Service providers that may process personal data for the purposes of advertising include: Bing (Microsoft); Google; IDP Connect; LinkedIn; Meta; Net Natives; NextRoll; Reddit; Snap Inc. (Snapchat); TikTok; The Student Room; Twitter; UCAS; Uni Compare.

      • How to opt-out of personalised online advertising We may use Bing (Microsoft); Google, LinkedIn, Meta, Reddit, Snapchat, TikTok and Twitter remarketing features to support promotion of our courses and other services you have shown an interest in, if you are a user of these platforms. This may be based on hashed (anonymised) personal data (see section 4 on the data we may collect for marketing), or other anonymous information collected by cookies when you visit our website, such as things like your mobile device location (if location features are turned on), browser cookie ID, mobile device identifier, and IP addresses. This helps us provide you with relevant adverts if you have a Bing (Mircosoft), Google, LinkedIn, Meta, Reddit, Snapchat, TikTok or Twitter account. You can choose to opt out of receiving these adverts by changing your account settings for Bing (Microsoft); Google, LinkedIn, Meta, Reddit; Snapchat, Tik Tok and Twitter. You can also opt out by enabling the 'Limit Ad Tracking' setting (on iOS devices), or the setting to 'Opt out of Interest-Based Ads' (on Android).

    • Online Messaging Platforms: MRA at the University of Chester use third-party service providers to enable prospective students and applicants to chat online to existing students and staff of the University. Personal data may be processed by these providers for the purposes of enabling these conversations to take place on these platforms, enabling the University to monitor and track these conversations, and also keep you updated on the University. The service provider that may process personal data for the purposes of online messaging services is Unibuddy.

    • Postal: MRA use third-party service providers for the purposes of sending postal communications. Personal data may be processed by these providers to send postal communications such as prospectuses, letters, postcards and other materials to you on behalf of the University. Service providers that may process personal data for the purposes of sending postal communications include: Belmont Press; Linney; MailChimp; Royal Mail; Sterling Solutions. Other third parties may also be used, subject to the University’s Procurement Policy. Details of these third parties can be obtained by emailing enquiries@chester.ac.uk.

    • SMS/Text Messages: MRA use third-party service providers for the purposes of sending SMS/text messages. Personal data may be processed by these providers for the purposes of sending SMS/text message invitations to events or updates on applications on behalf of the University. Service providers that may process personal data for the purposes of SMS/text messages include: Gecko Labs Limited; TextMagic.

    • Social Media/News Monitoring: MRA use third-party service providers for the purposes of sending, monitoring, and responding to social media messages. Personal data may be processed by these providers to collect, store and transmit messages to you that are posted either publicly on social media networks, or privately to the University by direct message. These providers may also monitor the wider internet, such as news websites, blogs and forums for mentions of University Customers for the purposes of news sourcing, alumni relations and reputation management. Service providers that may process personal data for the purposes of social media/news monitoring include: Mention; Sprout Social.

11. Cookies: Cookies are small pieces of information which online services provide when a user visits them. As you interact with our website, we will automatically use cookies and other similar technologies to collect technical data about your equipment, browsing actions and patterns. Please see our cookie policy for further details.

How will the University keep this data secure?

12. MRA use carefully selected platforms and services to store and process your personal data. These providers have negotiated Data Processing Agreements and Service Level Agreements with the University and use encrypted, hashed, pseudonymised and anonymised techniques to protect the integrity of personal data. Personal data is only made available to employees who are authorised to use it, and those employees are required to take appropriate security precautions and receive continual training on best security practices. Where it is necessary to transfer data outside of the UK or EEA, any such transfers are carried out within the UK adequacy regulations or where appropriate safeguards are in place to ensure the confidentiality and security of your personal information.

Your duty to inform us of changes

13. It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes.

What Rights do you have as a Data Subject?

14. As a data subject of the University, under Data Protection legislation, you have a number of rights with regards to your data, dependent upon the legal basis for processing that data. As such you have the right to: 
    • Withdraw consent - where the University has used consent as the legal basis for processing;
    • Be informed – about how the University, collects and uses your data;
    • Access your personal data that the University holds and process;
    • Rectify or correct any inaccuracies in your personal data that we hold;
    • Be forgotten by requesting that your details are removed from the University systems;
    • Restrict the processing of your data whilst it is being verified or corrected;
    • Ask that we transfer the personal data that the University holds to another organisation, or to you;
    • Object to certain processing by the University including direct marketing, automated decision making, profiling, scientific/historical research and statistics.

​​​​​​​The above rights are not absolute and may be qualified or limited in some circumstances, such as being dependent upon which lawful process has been used or whether an exemption may apply.

15. The following table details the rights that accompany each lawful basis.

*If consent is the lawful basis, you do not have the right to object but you do have the right to withdraw consent.

You may contact the University’s DPO as necessary regarding your rights at dataprotection@chester.ac.uk. 

Who is the Data Controller and who is the Data Protection Officer (DPO)?

16. The Data Controller is the University of Chester, Parkgate Road, Chester, CH1 4BJ. 
17. The DPO is Laura Gittins.You can contact the DPO at the University's address and also by email at dataprotection@chester.ac.uk.

How to raise questions, comments, concerns, or complaints.

18. Should you have any questions, comments, concerns or complaints regarding the use of your personal data you can contact the University’s DPO at dataprotection@chester.ac.uk.
19. You may also raise any concerns or complaints with the Information Commissioner’s Office who can be contacted as follows:

Information Commissioners Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113.
www.ico.org.uk

Changes to this Notice

20. We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. This version was last updated in June 2023. We may also notify you in other ways from time to time about the processing of your personal information.