Privacy Notice for Visitor Registration

This privacy notice explains what personal information the University holds about visitors. It explains why we hold this information, what we do with it, how long we keep it for and if we share it with third parties.

This privacy notice explains what personal information the University holds about you. It explains why we hold this information, what we do with it, how long we keep it for and if we share it with third parties.

For the purposes of this document and IT services you are classed as a visitor, a generic term which covers all users of IT services who are not on the staff payroll or applicants, students or alumni recorded in the systems of record for those users. The term does not necessarily imply that you are a visitor in the sense in general usage and includes many temporary or contractor staff, professors emeritus, employees of associated organisations, contractors and other types of people who require access to University IT services.

What information do we hold and why?

We collect and use your personal data for a number of purposes, but primarily in order to provide IT services that support your relationship with the University. The main pieces of information we hold are your personal details (name, address, email address, University provided email address if relevant) in order to provide you with services.

We also use individual visitor information to help us understand the make-up of the community we serve.  We use it to generate reports and to help us to make decisions which will impact visitors and the services you use.

The table below describes in full the information we hold, what we need it for, where we get it from and who we share it with.  It also explains the basis we can legally rely on to request and retain information about you. If you have a may be a specific contract (for instance if you are employed by the University as a contractor or via an agency) then that will be the basis or otherwise our legitimate interest in the provision of services if you have a different relationship with the University.

Use of your information

We will keep your personal data no longer than is necessary, your name and other identifying information will be retained for 7 years after the end of your engagement with the University so your account can be reactivated when you return.

We do not use profiling or automated decision-making processes.  This means that a human decision maker will be involved in every decision made about you.

General information about the University’s approach to data protection and to your rights can be found here

Where do we get your information?

Your information is provided via the department that sponsors your visit and authorises your use of University IT services. Please contact your department for more information.

IT Systems

The university is made up of many services and departments who collect, process and store your data in a variety of sub-systems to deliver their services. These local systems are part of the corporately-supported IT architecture which maintains a live service as well as copies of the live systems used for software development and testing. These development and testing systems will also contain your data and respect the University’s data retention periods. 

Your usage of IT services will be recorded in usage logs and audit trails as part of the normal operation of the services. This information may be used to support your usage of systems, investigate information security or data integrity incidents, or provide evidence in disciplinary procedures. The data may also be used to understand usage and performance of IT systems.

It is in the legitimate interest of the University to use your data in this way to ensure that the services you interact with are secure and provide the best (student) experience possible.

The University uses 3rd parties to provide a number of IT Services (such as Office 365 Email via Microsoft). While your data will be used by 3rd parties to deliver these services the University retains control of your data as part of these arrangements, and the 3rd parties will not be allowed to use your data for any other purpose.

Contact

If you have any questions, please contact your school Data Protection Champion.

If you write to us in Gaelic, we may be using a third party translator to translate your message into English and our response back into Gaelic.

Ma sgrìobhas sibh litir no post-d thugainn sa Ghàidhlig, tha e comasach gun cleachd sinn eadar-theangair airson do theachdaireachd eadar-theangachadh bhon Ghàidhlig gu Beurla agus freagairt air ais dhan a’ Ghàidhlig.

Additional privacy statements

The University maintains several other privacy statements that are specific to services delivered.

Information that we will process

The legal basis for processing will be determined on whether you have a contract with the Universtiy.

Data category

Short description/Why needed

Legal basis

Personal information about your identity

The University of Edinburgh will use data about you to be able to identify you as an individual when at or interacting with the University.

Performance of a contract or Legitimate Interest

Details of your ‘visits’ within the University, including start and end dates, sponsoring departments and services provided.

To administer your account at the University and provide you with access to IT services

Performance of a contract or Legitimate Interest

Information confirming you have read and understood our policies and procedures.

To confirm you have read and understood our policies and procedures.

Performance of a contract or Legitimate Interest

Swipe Card data.

This includes your name, your photograph and your access to buildings and facilities such as the library and the Centre for Sport and Exercise.

To allow you to access areas of the University that are not open to the public or only available to specific people.

To confirm your identity and that you have a relationship with the University.

To support the security and management of the estate.

Performance of a contract or Legitimate Interest

Correspondence to and from you (electronic or otherwise).

To keep records.

 

Legitimate Interest

Information that we may process depending on your circumstances

As well as the information listed above there is other information that we may process depending on the nature of your relationship with the University

Please check with the person sponsoring your visit or the Data Protection champion for that area of the University if you have any queries.

 

Data category

Short description/Why needed

Legal basis

Qualifications and Professional Memberships.

Where specific qualifications and memberships are required for your role.

Performance of a contract or Legitimate Interest

Bank account details

In order to make payments to you

Performance of a contract or Legitimate Interest

Information relating to your performance at work, including Annual Review (appraisal) documents and training needs.

To identity objectives and training needs to ensure you are meeting the requirements of your role.

Performance of a contract or Legitimate Interest

Your training record.

To ensure you have the appropriate skills, knowledge, qualifications and/or professional registrations required for your role, including those that are required by law.

To support your personal and career development aspirations

Performance of a contract or Legitimate Interest

Information about any medical or health conditions you may have, including your disability status.

To support your engagement with the University and in order to make any reasonable adjustments that are needed.

Performance of a contract or Legitimate Interest

Publicity photographs and/or video/digital images.

To promote your work and/or the work of the University. If you are the subject (i.e. not incidental) to the image you will be asked for your consent.

Consent

Information from exit questionnaires and interviews

To understand why people resign from their post and their experience of working for the University.

Consent

Your work pattern, including your days of work, hours worked and overtime.

To keep records to process your pay and benefits, such as annual leave.

Performance of a contract or Legitimate Interest

Your emergency contact details

To allow us to inform your contacts if you take ill or have an accident at the University.

Legitimate Interests

Data controller and contact details

For data collected under this privacy notice, the University of Edinburgh (the “University”) is the Data Controller (as that term is defined in the EU General Data Protection Regulation (Regulation (EU) 2016/679), registered with the Information Commissioner’s Office, Registration Number Z6426984.

The University's Data Protection Officer can be contacted at:

Data Protection Officer

Contact details

Our data protection policy is on our website.

University data protection policy

Data sharing

In addition to the primary purposes, we are also legally obliged to share certain data with other public bodies such as HMRC and will do so where the law requires this; we will also generally comply with requests for specific information from other regulatory and law enforcement bodies where this is necessary and proportionate. 

Transfers outside the European Economic Area

The University will only transfer data to countries outside the EEA when satisfied that both the party which handles the data and the country it is processing it in provide adequate safeguards for personal privacy. Details of such transfers and safeguards are on our website.

Your rights

You have the right to request access to, copies of and rectification or (in some cases) erasure of personal data held by the University and can request that we restrict processing or object to processing as well as (in some cases) the right to data portability (i.e. the right to ask us to put your data into a format that it can be transferred easily to a different organisation). If you wish to make use of one of these rights, please email your local contact.

If we have asked for your consent in order to process your personal data you can withdraw this consent in whole or part at any time. To withdraw consent, please email your local contact, who will explain the consequences of doing so in any particular case and initiate proceedings for withdrawing consent. 

Complaints

If you are unhappy with the way we have processed your personal data you have the right to complain to the Information Commissioner’s Office (ICO), but we ask that you raise the issue with our Data Protection Officer first.

For information about reporting a concern to the ICO see their website:

ICO guidance on reporting a data protection concern