Data Privacy

When we refer to data protection law we are referring to two major pieces of legislation:

• EU General Data Protection Regulation 2016/679 (known as UK GDPR)
• Data Protection Act 2018

These laws regulate how we as a data controller process personal data relating to individuals.

There are a number of other pieces of legislation relating to data, information and electronic communications which we may collectively refer to as 'other relevant legislation':

• The Environmental Information Regulations 2004
• The Privacy and Electronic Communications Regulations 2003 (EC Directive)
• The Freedom of Information Act 2000
• The Computer Misuse Act 1990
• The Copyright, Designs & Patents Act 1988

Throughout the statements we make relating to privacy, such as our privacy notices, we have used some specific words and phrases which are explained below:

1. "Personal Data" is any information which relates to a living person and can be used to identify them. It can include names, addresses, and contact details, as well as any other information relating to that person or a combination of information which allows that person to be identified.
2. "Special Category Data" is any personal data which describes a person's race, ethnic origin, religion, trade union membership, politics, biometrics, genetics, sex life, health and sexual orientation.
3. "Processing" is any activity relating to the use of personal data by an organisation, from collecting it, storing it and disposing of it, as well as everything in-between.
4. "Data Subject" is a term used to describe the individual whose personal data is being processed.
5. "Data Controller" is a term used to describe the organisation which is processing personal data and ensuring that it is done so in accordance with data protection law.

Falmouth University (the "University", "We", "Us") is the data controller for the personal data that we process in relation to you.

Occasionally, the University may be a joint data controller with other organisations, or we may be processing data about you on behalf of another organisation, but when this is the case, we will make sure you are aware of this when the information is collected.

As a data controller the University is required by data protection law to process personal data in accordance with specific principles. A key part is that personal data should be processed 'lawfully, fairly and in a transparent manner'. In keeping with this principle, the University will always tell you how we will deal with your information when it's collected using a document called a "privacy notice".

Depending on how you are interacting with the University, you will be subject to one or more separate privacy notices; whether you are a student, member of staff, alumni, visitor, etc. These are published on our website and are all linked to from this page.

The University processes a large amount of information about individuals and it is important that we are able to assure them that their personal data is handled, stored and disposed of in a confidential and secure manner. We have an obligation to protect the privacy of individuals that allow us to process their data.

All of our staff receive regular mandatory data protection training and we have in place a number of organisational and technical measures so that personal data is processed in accordance with the 6 principles of data protection as set out in data protection law.

The University is actively working towards an Information Security Management System based on ISO27001 with a range of controls covering the protection of personal information. All staff receive regular mandatory information security training and the University is accredited under the Payment Card Industry Data Security Standard.

All data subjects who have personal data processed by the University have the following rights prescribed by data protection law:

1. To access the personal data the University holds about you.
2. To correct any mistakes we have made in recording or processing your data.
3. To have your personal data deleted. This right is limited in how it applies, such as when the data is no longer required or where the processing has no legal basis.
4. To object to the processing of your personal data for marketing purposes.
5. To object to the processing of your personal data when that processing is based on specific criteria such as the public interest or other legitimate interest, unless we have compelling lawful grounds to continue.
6. To ask for the transfer of your data electronically to a third party.
7. To withdraw consent for processing where consent is the legal basis the University is using to carry out the process.