Privacy statement hub

Our core University privacy notices

• Students
• Prospective, Current and Former Employees, Workers and Contractors
• Visitors to our Campus
• Visitors to our Website and Use of Cookies Policy
• Research
• Council Privacy Statement (.pdf)
• Schools and Colleges (Outreach)
• Alumni
• Report and support interaction (under review)
• University Enterprise Zone
• Wivenhoe House Hotel
• Make Happen
• Institute for Social and Economic Research (ISER)

If you would like a privacy notice in another format (for example: audio or large print), please contact us.

2. Who we are

The University of Essex is an exempt charity, and our registered address is Wivenhoe Park, Colchester, CO4 3SQ. The University of Essex is registered as a Data Controller with the UK’s Information Commissioner’s Office (ICO). Registration Number: Z699129X.

University of Essex Campus Services is a wholly-owned subsidiary company of the University. It is a private limited company and its company number is 02534817. University of Essex Campus Services is registered as a Data Controller with the UK’s Information Commissioner’s Office (ICO). Registration Number: ZA559904.

Wivenhoe House Hotel is also a wholly-owned subsidiary of the University and its registered company number is 07075571. Wivenhoe House Hotel Limited is registered as a Data Controller with the UK’s Information Commissioner’s Office (ICO). Registration Number: ZA057051.

In these notices “we” means the University of Essex and our wholly owned subsidiaries University of Essex Campus Services (UECS) and WHH Ltd, and “you” can mean you as a member of staff, student, visitor or other individual depending on your relationship with the University.

3. Data protection principles

We will comply with UK General Data Protection Regulations and Data Protection Act 2018 which we refer to as “data protection law”. We will follow other jurisdiction’s data protection requirements where required. Data Protection law says that the personal information we hold about you must be:

1. Used lawfully, fairly and in a transparent way.
2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
3. Relevant to the purposes we have told you about and limited only to those purposes.
4. Accurate and kept up to date.
5. Kept only as long as necessary for the purposes we have told you about.
6. Kept securely

In addition to this, the ‘Accountability Principle’ requires that we take responsibility for how we comply with the principles and demonstrate that compliance.

4. Lawful basis for processing

We, and those that process personal data on our behalf, must have a lawful basis or ground for processing before we can process personal data. In each of our separate privacy notices we have set out the specific lawful basis for processing your personal data.

The lawful bases for processing are set out in Article 6 of the UK GDPR. At least one of these must apply whenever we process your personal data:

1. Consent: you have given clear consent for us to process your personal data.
2. Contract: the processing is necessary for a contract we have with you, or because you have asked us to take specific steps before entering into a contract.
3. Legal obligation: the processing is necessary for us to comply with the law.
4. Vital interests: the processing is necessary to protect someone’s life.
5. Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
6. Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect your personal data which overrides those legitimate interests.

If we are processing special category data (sensitive data that require additional protection), we use additional legal bases. These additional lawful bases for processing are set out in Article 9 of the UK GDPR. At least one of these conditions must apply whenever we process your special category personal data:

1. Explicit consent
2. Employment, social security and social protection (if authorised by law)
3. Vital interests
4. (By) Not-for-profit bodies
5. Made public by the data subject
6. Legal claims or judicial acts
7. Reasons of substantial public interest (with a basis in law)
8. Health or social care (with a basis in law)
9. Public health (with a basis in law)
10. Archiving, research and statistics (with a basis in law)

If we are relying on conditions (b), (h), (i) or (j), we also need to meet the associated condition in UK law, set out in Part 1 of Schedule 1 of the Data Protection Act 2018. We may also process criminal offence data and are required to meet the legal basis in Article 6 as well as a specific condition for processing in Schedule 1 of the DPA 2018.

We have an Appropriate Policy Document (.docx) which sets out how we comply with the additional requirements on special category and criminal offence data.

5. Your personal data and your rights

Under data protection law, you have rights including:

You will generally not have to pay a fee to access your personal information (or to exercise any of the other rights). If you make a request, we have one month to respond to you. We may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Please see our policy on Data Rights for further information. If you wish to exercise any of your rights, or have any questions about your rights, please contact the Data Protection Officer at dataprotectionofficer@essex.ac.uk.

6. Data sharing

We may have to share your data with third parties, including third-party service providers and suppliers.

We require third parties to respect the security of your data and to treat it in accordance with the law.

If we have to transfer any of your personal data outside the UK we ensure the receiving country or organisation is deemed to have adequate data protection provision. Where a country or organisation does not have adequate protections we will put safeguards in place. Details of these safeguards can be provided to you upon request.

Our privacy notices will set out more details about whom we will share data with.

7. Data security

We have put in place measures to protect the security of your information.

Where third parties have access to your data, we will provide instructions for them to process your personal information only on in accordance with our instructions, and where they have agreed to treat the information confidentially and to keep it secure.

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a relevant business need. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so. The University’s overarching approach to data protection is set out in our Data Protection Policy.

8. Links to other websites

This Privacy Policy does not apply to other advertisers or websites. Our website may contain links to other websites of interest which we might not own or operate. You should note that we do not have any control over websites outside our ownership. Therefore, we cannot be responsible for the protection and privacy of any information which you may provide whilst visiting such external websites accessed from links and these websites are not governed by this Privacy Policy. You should exercise caution and review the privacy statement applicable to the website in question.

9. Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee compliance with this Privacy Notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the DPO at dataprotectionofficer@essex.ac.uk

10. International Transfers

If we have to transfer any of your personal data outside the European Economic Area (EEA) we ensure the receiving country or organisation is deemed to have adequate data protection provision. Where a country or organisation does not have adequate protections, we will put safeguards in place. Details of these safeguards can be provided to you upon request.

11. Unsolicited Marketing

We may contact corporate contacts with unsolicited marketing.  Our legal basis for this is legitimate interests and we comply with the Privacy and Electronic Marketing Regulations (PECR) by only contacting corporate subscribers and always offering an opt out.

12. Complaints

If you are dissatisfied with the way the University of Essex has processed your personal data, or if have any questions or concerns about your data please contact dataprotectionoffice@essex.ac.uk. If we are not able to resolve the issue to your satisfaction, you have the right to complain to the Information Commissioner’s Office (ICO). They can be contacted at https://ico.org.uk/make-a-complaint/

The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline: 0303 123 1113

13. Changes to this Privacy Notice

This privacy notice was published on Monday, 31 January 2022. We may change this privacy notice from time to time. Last revised 20 December 2023.