Privacy Policy
How we process and look after your personal data
Cranfield University is committed to protecting your privacy and keeping you informed on how your personal data is processed. This policy explains how we collect, store, use and protect your personal data and the rights you have. This policy is reviewed annually. From time to time, we may update the policy. We encourage you to review it regularly to stay informed.
- Personal data such as name, email address and other contact information.
- Financial and preference information that you provide when you enter into a contract to study or work with us.
- Visual and audio images recorded when you attend a lecture or an event, either in person or virtually.
- Occasionally, special category data, such as about your health.
- To enable us to carry out research, provide education and support to our students, professional learners and alumni.
- To support and manage our employees, maintain our accounts and administer our records.
- Personal data is shared when we are required to do so by law or regulation.
- We also sometimes share information with trusted third parties who are required to keep your data safe and protect your privacy (when required we share the minimum amount of data necessary for the purpose).
- We do not sell or trade your personal data without your consent.
- In most cases, seven years. There are exceptions to this. Read these in our detailed Privacy Policy below.
- Personal data is normally processed in our own databases located in the UK. If it needs to be processed elsewhere, we make sure it is protected properly, through contractual agreements.
- We are committed to keeping your personal data secure and have made substantial investments in security technology and security management processes.
- You have a number of data protection rights. For example, you can ask us for a copy of the personal data we hold on you, tell us to change information if it is wrong and you may also ask us to delete your data.
- Cranfield University is the data controller for this website.
- Information supplied via this website may be stored on our computer systems for the provision of information, marketing and analysis.
- All design, text and images are subject to copyright. More details can be viewed on our notice and takedown policy.
- Use of this site indicates your agreement to our terms of usage and privacy policy.
- This website uses cookies.
Have any questions? Or would like to exercise your data protection rights?
Please contact:
E: gdpr@cranfield.ac.uk
T: 01234 754536.
Detailed Privacy Policy
Specific privacy notices
This privacy policy includes general information about how we process your data; more specific information is available depending upon your connection with us – please see the links below.
Staff Privacy Notice
This notice explains how People and Culture will collect and use the personal data of our employees to manage the employment relationship. The notice also covers those who have a temporary or ongoing relationship with us.
Student Privacy Notice
In order to carry out our duties as a university, we must collect and process personal and sensitive data relating to students. Download the Student Privacy Notice.
Alumni Privacy Notice
The privacy notice is supplementary to the University's Privacy Policy and applies specifically to information held about alumni, supporters, and friends of Cranfield University. Download the full Alumni Relations & Development Privacy Notice.
Job Application Privacy Notice
Our Job Application Privacy Policy Notice explains how we will collect and use the personal data relating to our job applicants. Download the Job Applicant Privacy Notice.
What personal data may we process?
We collect and process a wide variety of data categories – depending upon the purpose for the processing. When collecting your personal data, our intention is to be clear to you which data is necessary in connection with a particular service. Some examples of data we collect are given below. If you have any questions, please email GDPR@cranfield.ac.uk.
- Information you voluntarily provide to us, such as your name, email address and other contact information.
- When you visit our websites, we may also collect information including, but not limited to, metadata including geolocation, browser type, pages visited, device type and time and date of visit. We may use cookies or similar technology to collect such information. Information gathered by cookies or similar technologies may be used for our business purposes such as analytics, research, digital advertising, and operation purposes. You may set your browser to notify you when a cookie is sent or refuse cookies altogether but certain features of this site may not work without cookies. Find out more about the use of cookies on our website.
- Information from publicly available sources.
- Information from third parties, for example references from previous employers, vetting checks where required, etc. When we obtain personal data about you from third party sources, we will aim to ensure that the third party has lawful authority to provide us with your personal data.
The University does not hold or process electronic card payments; where an electronic card payment is to be made, customers are redirected to external web payment services where personal data is collected, and these are governed by their privacy policies and notices.
Depending upon your connection with us, we will process other personal data. Some examples are given below.
- We process personal data to provide education and support to our students, professional learners, and alumni. For example, when you enter into a contract to study with us, we may collect financial and preference information that you provide and collect attendance, health, education, performance, training and achievement or award records.
- We process personal data to support and manage our employees. For example, when you enter into a contract to work with us, we may collect financial and preference information that you provide, and will collect recruitment, education, health, and employment records.
- When you attend a lecture or an event (either in person or virtually) we may also collect and record visual and audio images.
- We process personal data to enable us to carry out research. As a centre of transformational research in technology and management, a wide range of personal data may be collected and processed for research purposes. This includes research into human behaviour and human factors, and biometric data is collected through facial recognition cameras and other sensors (in particular for our research into digital aviation technologies). Facial recognition data is not used for employee performance monitoring.
- We process data to maintain our accounts, administer our records, provide services, and keep individuals safe, including access and control lists, licences and permits held, surveillance camera images of visual images, audio recordings, personal appearance and behaviour, vehicle details including vehicle registration and driver/ownership, vetting checks and emergency contact information.
- We also process personal data to manage complaints, incidents, and accidents and to improve our processes; this includes grievance, disciplinary and appeals records, courts, tribunals, and enquiries.
Why do we process personal data?
We collect and process information for a number of different reasons, including to deliver and improve the opportunities and services we provide in a personalised manner. We also aim to ensure each individual receives relevant information and to meet our statutory, contractual, and legitimate business requirements in the most efficient and effective way. We also process data about many different types of people; this includes staff, contractors, students, clients, and other stakeholders.
We list below some examples of the reasons we process personal data.
- To provide education and support services to our students, professional learners, commercial clients, and alumni – for example, to deliver education, provide student support.
- To deliver IT, library, career development services and accommodation.
- To support and manage our employees and to provide services to them.
- To maintain our accounts, administer our records, and maintain our infrastructure (physical and electronic including our website).
- To manage internal support functions, corporate administration, and other business-related functions of the University.
- To keep individuals safe and maintain safe and secure campuses.
- To undertake research, including behavioural research.
- To manage complaints, incidents and accidents and improve our research, teaching and processes.
- To advertise and promote the University and the services we offer.
- To publish University and alumni publications.
- To undertake fundraising.
- To monitor examinations and tests, either online or face to face.
- We may occasionally carry out profiling or automated decision-making processes, for example, to direct you to the most appropriate web page for information, or to send you the most appropriate communication. If you have specific questions on this please email gdpr@cranfield.ac.uk.
Legal bases for processing personal data
All information is processed under a legal basis to comply with UK Data Protection law. We have identified the appropriate lawful bases for our processing of personal data. See below for more information.
Legal obligations
If the law requires us to, we may need to collect and process your data. For example, to fulfil our legal obligations in relation to:
- Health and safety,
- Visa and immigration,
- Tax and national insurance,
- Financial record keeping.
Public task
As a university, we are required to process information to carry out our duties as a public authority. For example:
- To enable education to be provided and keep a record of the award made.
- To publish materials as part of the University’s research or educational function.
- To monitor attendance and behaviour to maintain proper standards of conduct and behaviour.
Contractual obligations
In certain circumstances, we need to process your personal data to comply with our contractual obligations. For example:
- We will process the information necessary for fulfilling the contract for education or employment in the agreed terms. Failure to provide information requested under contract may mean we are unable to consider your application.
- We process contracts for research agreements, funding award applications, placements, licensing agreements and research programme activity.
- We process and share data as necessary with sponsors and employers.
Legitimate interest
In specific situations, we process your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business, and which does not materially impact your rights, freedom, or interests. For example:
- We may use your contact details to send you direct marketing to inform you about products and services that we think might interest you.
- We also have a legitimate interest to visually identify and record people on campus for the purpose of security.
- To showcase student work, theses, or research.
- To keep records of staff membership of professional bodies.
- To analyse the information we collect so that we can administer, support, improve and develop our websites, documentation, teaching and research and events and to ensure continuous improvement of all of our services.
- To inform a member of staff, or a student’s nominated emergency contact that we are worried about you.
Consent
We have carefully considered the use of consent and it is our policy to use other legal bases where appropriate. When we do use consent you have the right to withdraw your consent. Some examples of our use of consent are given below.
- When you take part in a research survey (see detailed privacy information provided on the survey).
- When you provide equal opportunities monitoring information.
- When you choose to opt in to receive information.
Vital interest
Occasionally, processing may be necessary in order to protect your vital interests. For example, in the case of a medical or other emergency we will share your data as necessary and proportionate with the emergency services or others.
Legal bases for processing special category or criminal offence data
Where necessary we may process some information about you that is classed as ‘special category’ data. Special category data requires and receives additional protection. The types of special category data are:
- Racial or ethnic origin,
- Political opinions,
- Religious or philosophical beliefs,
- Trade union membership,
- Genetic data, biometric data for the purpose of uniquely identifying a natural person,
- Data concerning health,
- Data concerning a natural person’s sex life or sexual orientation,
- Data concerning criminal offences. We do not routinely ask for criminal records information from student enquirers or student applicants. For some staff roles, we are obliged to seek information about criminal convictions and offences.
Some examples of this type of data we process are:
- Occupational health records,
- Disclosure and Barring Service (DBS) records,
- Criminal convictions,
- Biometric data collected through facial recognition cameras and other sensors for research and security purposes.
Conditions for processing special category and criminal offence data
We will only process this data in relation to you where the processing meets one or more of the conditions for processing these types of data, as set out in Data Protection legislation. For example:
- We have a number of employment law duties and obligations, which require us to process special category and criminal conviction data, including those relating to ensuring the fair treatment of employees, and maintaining a safe and secure working environment.
- Where necessary, special category data will be processed for the purposes of preventive or occupational medicine, to assess the working capacity of an employee.
- Certain processing may also be necessary including to enable the establishment, exercise, or defence of legal claims, or for research and statistical purposes.
- We also request you to declare diversity data (protected characteristics) at the time of your application for a post and through equality monitoring exercises. Provision of this data, which is processed by us for statistical purposes, is optional.
Where we process criminal records data we will do so in line with legal bases listed below. This information will be processed because it is necessary for our obligations in relation to employment law, due to the nature of the course studied, or for our agreements with UK government bodies and others. We will consider on a case by case basis whether the information needs to be retained.
A complete list of ICO processing conditions is given below. For further details please see the links to specific privacy notices within this document, or email GDPR@cranfield.ac.uk.
a) An individual has given explicit consent to the processing of this data for one or more specific purposes.
b) Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law.
c) Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.
d) Where we are acting as a not-for-profit body and processing special category data for purposes as defined in our statutes.
e) Where we are processing data which has already been made public by the individual.
f) To the extent that a student or member of staff pursues legal action in relation to a disciplinary process, further processing of any special category data would be for the purpose of establishing or exercising University rights in relation to or defending those claims.
g) Where we are processing data for substantial public interest as part of a function conferred on us by equality law and may also be necessary for the protective function of protecting members of the public against dishonesty, malpractice, or other seriously improper conduct.
h) Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
i) Processing is necessary for reasons of public interest in the area of public health.
j) Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
Who may we share personal data with?
Where required, we may share your information across the University and with our commercial subsidiaries.
We will share your personal data when required to do so by law or another regulatory requirement. For example:
- Government bodies including HM Revenue & Customs, Department for Health & Social Care etc,
- Law enforcement agencies, including the police and other regulatory and investigatory authorities,
- Higher education funding and regulatory bodies and their designated agencies including Higher Education Statistics Agency (HESA), Office for Students, Jisc and Graduate Outcomes,
- UKRI and other research councils and funding agents, including the Wellcome Trust, Royal Academy and other learned societies.
In the case of a medical or other emergency we will share your data as necessary and proportionate with the emergency services or others.
We may share your data with other trusted third parties when it is necessary to do so. If this sharing takes place, we will work closely with them to ensure that your privacy is respected and protected at all times. We will have an agreement in place which requires them to keep your data safe and protect your privacy, only use your data for specified purpose(s) and if we stop using their services, any of your data held by them will be deleted or made anonymous. Examples of the kind of third parties we work with are:
- Our partners in research and teaching activities, e.g. joint events, or dual degrees programmes,
- Suppliers, service, and support providers, e.g. IT companies who support our website and other business systems,
- End point assessment organisations for apprenticeship purposes,
- Ranking and accreditation agencies,
- Debt collection agencies,
- Professional and legal advisors,
- Data insight companies to ensure your details are up-to-date and accurate,
- Google/Facebook to show you products that might interest you while you’re browsing the internet. This is based on your acceptance of cookies on our websites. See our cookies notice for details.
We will not sell, license, or trade your personal information without your consent. We also share information with other parties when specifically requested to do so by you. For full information on sharing of your data please refer to the specific privacy notice links earlier in this document, or email GDPR@cranfield.ac.uk.
How long do we keep personal data?
In most cases we keep personal data for a standard seven year retention period consistent with typical government guidelines on record keeping. There are exceptions to this, and some data will be kept for a shorter or longer period. For example, employment applicant data will be kept for less time, while the categories of student name and qualification will be kept for the lifetime of the University. Some further data will be kept for more than seven years where there is a legal obligation to do so (e.g. pension information).
Personal data will be kept as long as there is a necessary purpose for doing so. These purposes include:
- To carry out business or support functions e.g. to provide proof of qualification.
- Under contractual terms, e.g. agreements with partners or funding organisations may require us to keep data for specific periods of time.
- To demonstrate compliance with audit purposes or legislative requirements.
We carry out a regular review of all categories of data held and have in place processes for the removal of data. At the end of the retention period, personal data will either be deleted or anonymised.
Where do we process personal data?
Your personal data will normally be processed in our own databases located in the United Kingdom. If data needs to be processed elsewhere, we make sure it is protected properly, through contractual agreement. This is to make sure that the safeguards which would be in place under UK data protection law are applied when processing is outside of the UK. For more information email GDPR@cranfield.ac.uk.
Security
We have made substantial investments in security technology and security management processes. These technologies are deployed to guarantee maximum security of the information you provide us with. For further details see the Information Security Policy.
Your rights
Under UK data protection law you have a number of rights regarding the personal data we process about you. Information is given below; please note that the rights described below do not apply in every circumstance. If you require further clarification, contact GDPR@cranfield.ac.uk.
The right to be informed.
You have the right to be informed about how we collect and use your personal data. This privacy policy provides detailed information. We are happy to provide more specific information on request.
The right of access (also known as Subject Access Request [SAR]).
You have the right to request the personal data we hold about you.
The right to rectification.
You have the right to request the correction of your personal data when incorrect, out-of-date or incomplete.
The right to erasure.
You have the right to request that we delete your data. However, there may be circumstances where the law or our contractual obligations mean we need to keep some of your data.
The right to restrict processing.
In certain circumstances you have the right to request that we restrict the processing of your personal data, for example while we consider your request under the right to rectification.
The right to data portability.
You have the right to request that we supply a copy of your data, which you supplied to us, in a commonly used and machine-readable format for you to transfer your data to another service provider.
The right to object.
You have the right to stop the processing of your data for direct marketing purposes. We offer visitors to our website the opportunity to subscribe (opt in) to a number of electronic communications. You have the possibility at all times to tell us you no longer wish to subscribe to our electronic communication service (opt out). All marketing e-communications you receive from us will provide clear instructions on how to unsubscribe from each service.
In certain circumstances you also have the right to request that your data is not used for processing. Your record can remain in place, but not be used.
Rights related to automated decision-making including profiling.
You also have the right to object to the processing of your data where you believe a decision has been made about you by fully automated means, which has adversely affected you.
The right to be notified.
You have the right to be notified, without undue delay, if there has been a data breach which is likely to result in a high risk to your rights and freedoms.
The right to withdraw consent.
Occasionally, we rely on your consent to process your personal data. This means you have the right to withdraw your consent, or to object to the processing of your personal data for this purpose at any time. If at any point you want to withdraw your consent, please email GDPR@cranfield.ac.uk.
The right to complain.
We are committed to ensuring that any concerns are dealt with quickly and fairly, and with due concern for the individuals involved. However, the University recognises that individuals may continue to be dissatisfied. If you wish to complain about the University’s processing of your personal data you are entitled to complain to the Data Protection Officer who will nominate a Senior Officer of the University, who has not been involved in the original enquiry, to deal with your complaint.
Data Protection Officer,
Cranfield University, College Road, Cranfield, Bedford, MK43 0AL
T: +44 (0)1234 754536
The right to lodge a complaint with a supervisory authority.
You have the right to lodge a complaint about our management of your personal data with the supervisory authority. In the UK this is the Information Commissioner’s Office (ICO). The ICO will expect you to complain to us first and give us an opportunity to resolve the matter before contacting them. The ICO contact details are given below.
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Data protection registration
We are registered with the Information Commissioner’s Office and our registration number is Z4690919. For details of our subsidiary organisations’ registration with the ICO please contact GDPR@cranfield.ac.uk.
Children
Cranfield University is a postgraduate institution and therefore normally will only process children’s personal data under very specific circumstances. For example, events supporting science-based projects in schools, attendees at the on-site pre-school and ‘Bring Your Child to Work Day’. We do not offer online services directly to children.
Where there is a need to collect information from a person under 18, then we may need consent from a parent or guardian in order to process any data. In these circumstances, an email or postal address of this person will be needed so that we can write to them to collect this.
Website information
Please note that any information supplied via this website may be stored on our computer system for the provision of information, marketing, and analysis.
External website links
The links are provided as a courtesy, to be used or not at the discretion of the individual user. If users decide to follow these links, we cannot be responsible for the privacy policies and content of those sites. Users should contact the co-ordinator of the particular site with any questions.
Live Chat
We use Live Chat and other online web chat tools and call back request features to facilitate and assist website visitors with any enquiries that they have.
Our subsidiaries
Cranfield University Group includes a number of subsidiaries:
Cranfield Conference Centre Limited
Cranfield Defence and Security Services Limited
Cranfield Innovative Manufacturing
Cranfield Management Development Ltd
Cranfield Quality Services Ltd
Cranfield Regatta Limited
Cranfield Group Holdings Limited
Cranfield Airport Operations Limited
MK:U Ltd
Contacting us about our Privacy Policy
We welcome comments and suggestions regarding our Privacy Policy. Please send these to GDPR@cranfield.ac.uk.
If you believe your personal information has been misused or handled in such a manner contrary to this policy, please send details to GDPR@cranfield.ac.uk.
By using and visiting the website, you agree to this policy and the uses made of personal information as described. When you are using our websites, Cranfield University is the data controller. Our Data Protection Officer can be contacted on GDPR@cranfield.ac.uk or at the address below:
Data Protection Officer, Cranfield University, College Road, Bedford, MK43 0AL
Publish and review date
This version is dated August 2024, next review date July 2025.