Jump to accessibility statement Skip to content

Student Privacy Notice

Home / Privacy & Cookies / Privacy notice - Student

Data Controller Details


Data Controller Name: University of Sunderland

Data Protection Officer: Sam Seldon

ICO Registration Number: Z6120473

Registered Address:              

4th Floor Edinburgh Building
City Campus
Chester Road


Changes to this notice

From time to time the University will make minor modifications to this notice, where a more substantial change is required will we inform you of these changes and provide you with a link to the newest version of the notice.


Throughout this notice, “University”, “we”, “our” and “us” refers to the University of Sunderland and “you” and “your” refers to those expressing an interest in becoming a student at the University both prior to and at the formal applications stage, together with those who later become a registered student at the University.

The University of Sunderland needs to collect and process personal data in order to provide services to students, manage its operations and to meet certain legal requirements. This notice explains how we collect and use your personal data to do so.

The University obtains personal data about you from the following sources:

The University collects and processes a broad range of personal data about you in order to deliver our services to you as a student, manage our operations effectively and meet certain legal requirements. Examples of this personal data will include your name, student ID number, application information, attendance, assessment marks, address for correspondence, national insurance number, financial information, email address, contact telephone number, emergency contact details, and date of birth.

Personal data may also contain “Special Categories of data” as described under the GDPR. Such “Special Category Data” will include information about your racial or ethnic origin, religious beliefs, political opinions, membership of a trade union, physical or mental health. When you register to enrol with us, you have the option not to provide certain types of “special category data”.

The University will handle personal data in accordance with the University’s Data Protection Policy.

Please see Table 1 (below) for a full list of the specific processing activities undertaken along with our legal basis for doing so.

The University shares your information with a number of organisations and third parties, a list of these along with our legal basis for processing your data in this way can be found in Table 2 (below).

We may share your personal data with organisations within and outside of the European Union. Where we share your personal data with countries outside of the European Union we will ensure that there are appropriate safeguards in place to protect your personal data.

The University retains your personal data in accordance with the University’s Retention Schedule

Please note that some of the information you provide to us will be retained long after your studies have ended, for example so that we can verify your award. Steps will be taken to remove data which is no longer needed for specific purposes as soon as we identify the data is no longer required.

Your rights under GDPR

Under the General Data Protection Regulations, you have 8 fundamental rights as follows:

  1. The right to be informed - The University is obliged to provide you with information on how we plan to process your data, we do this by means of a privacy notice. The University does this in order to process your personal data in a transparent manner.
  2. The right of access - You as the data subject have a right to access the personal (and supplementary) information that we hold, you also have the right to be made aware of and to verify the lawfulness of processing undertaken.
  3. The right to rectification - If you find that we hold incorrect or incomplete data about you, then you have the right to request this information is rectified.
  4. The right to erase - This right enables you to request deletion or removal of your personal data when there is no longer a compelling reason for its continued processing.
  5. The right to restrict processing - Under certain (defined) circumstances you have the right to request that we restrict the processing we undertake using your personal data.
  6. The right to data portability - You have the right to request your personal data, which is held electronically, to be provided to you in a reusable format, such as a .csv file.
  7. The right to object - You have the right to object to processing based on legitimate interests or in the performance of a task in the public interest (including profiling). This also applies to direct marketing and purposes of scientific / historical research and statistics.
  8. Rights in relation to automated decision making and profiling - You have the right to object to your data being used in automated decision making or profiling.

If you wish to exercise one or more of your rights under GDPR, in the first instance we would ask that you contact the department within the University that is processing your personal information.

If you are unhappy with how your request has been handled or have not received a response, please contact the Data Protection Officer either by email or by post. The email address for the Data Protection Officer is dataprotection@sunderland.ac.uk

Postal Address:

Data Protection Officer,

University of Sunderland,

Room 202 St Peters Gate,

Charles Street,




Should you still feel that you request has been handled inadequately, you have the right to complain to the supervisory authority in the UK, this is the Information Commissioners Office, details of how to complain can be found at https://ico.org.uk/concerns/.



Table 1 – Legal Basis for Processing Student and Potential Student Personal Data

No Specific Purpose Legal Basis
1 Management of enquiries and communications with prospective students regarding our services, events and activities. Consent
2 Communicating with offer holder regarding the application and enrolment processes, including communicating information and services pertinent to their offer of study. Necessary for the purpose of entering into a contract.
3 Processing applications of study and enrolment as a student which can include the processing of criminal convictions data, DBS checking and health information. Necessary for the performance of a contract.
4 Administration of induction events, registration of students on courses and transfers to new courses. Necessary for the performance of a contract.
5 Evaluation of academic assessment and other coursework. Necessary for the performance of a contract.
6 The provision of University accommodation, this may include processing special category information if this is relevant to your accommodation, for example meeting the needs to health conditions or disabilities. Necessary for the performance of a contract. Explicit consent when processing special category information
7 Administration and management of your interactions with additional support services such as careers advice, counselling services, financial advice and access to sporting activities and car parking. Access is optional; therefore, consent will be gained, this will be explicit consent in relation to special category data. Consent Notices will be issued upon first contact with the relevant service
8 The provision of career advice and student employability initiatives via service management systems. Legitimate interest


Processing safeguarding concerns to ensure the safety and wellbeing of our students. Legitimate interest


Monitoring student attendance at lessons, the submission of assessments and engagement with course material available on Canvas.  Necessary for the performance of a contract 


To offer facilities and services central to your studies such as Library access and access to IT equipment. Necessary for the performance of a contract 


Granting of awards. Necessary for the performance of a contract 


Processing and recovery of University fees, including course and accommodation fees.  Necessary for the performance of a contract 


Administration and management of job applications and employment contracts where the student is employed by the University in schemes such as Student Ambassadors or Residential Support Assistants. Necessary for the purpose of entering into and the performance of a contract. 


To monitor our compliance with equalities legislation. Necessary for the performance of a task in the public interest 


Registration as a member of the University alumni upon graduation. Your data as an alumnus will be processed in accordance with the University’s alumni data protection notice.  Legitimate interest. 


Monitoring the use of IT services in accordance with our Acceptable Use Policy Legitimate interest.  


Administration of financial awards and prizes such as scholarships, bursaries and grants, including grants and scholarships provided by third parties. Legitimate interest.  


Provision of immigration welfare services for international students, including applications for visa extensions.  Legitimate interest.  


Administration of external and internal student surveys, including collection of feedback on distinct services such as Library services and careers services.   Consent 


Administration of complaints (including those complaints escalated to the University by partner institutions and Students Union) , investigations and disciplinary proceedings concerning student misconduct, including investigations into academic misconduct in accordance with the University’s procedure for handling academic misconduct, fitness to practice and fitness to study.  Legitimate interest.  


Administration of academic appeals issued by students brought against the University.  Necessary for the performance of a contract 


For research and statistical analysis into Learner Analytics. Legitimate interest.  


Production of statistical returns required by certain third-party bodies e.g. Higher Education Statistics Agency (HESA). Necessary for performance of a task in the public interest or legitimate interest or necessary to comply with a legal obligation. 


Production of student identification cards. Necessary for the performance of a contract 


Administration of the University CCTV system in accordance with the University’s CCTV policy.  Legitimate interest.  



Table 2 – Legal Basis for Transfer of Personal Data Released to Third Parties 

No Specific Transfer Legal Basis
1 To UCAS to administer the applications and clearing process. Necessary for the performance of a contract. 
2 To the Students Union of student details for registration of student as a member of the Union and provision of Union benefits and services. Legitimate interest. 
3 To international Agents and consultants employed by the University or contracted to recruit students to the University where there is a need for management information or to guide those students with which they have a relationship through the application process. Necessary for performance of a contract or legitimate interest. 
4 To the Higher Education Statistics Agency (HESA), the Office for Students (OfS) and Government Departments such as the Department for Education (DfE) for the analysis of student statistics and/or to enable them to carry out their statutory functions as applicable. For more information on the information shared with HESA please refer to HESA's privacy notice (this disclosure may include special category personal data about ethnicity, sexual orientation, gender reassignment and religion). Necessary for performance of a task in the public interest or legitimate interest or necessary to comply with a legal obligation. 
5 To close family or next of kin and emergency services where there is an emergency situation such as illness or serious injury. Processing necessary to protect vital or legitimate interest. 
6 To HESA for the purpose of conducting the Graduates Outcomes Survey, this transfer will occur approximately 15 months after your graduate. Please refer to the HESA Graduate Outcomes Privacy notice relating to the Graduates Outcomes Survey. Necessary for performance of a task in the public interest or legitimate interest or necessary to comply with a legal obligation. 
7 To other UK-based and international educational institutions which the University partners or collaborates with to deliver placements, exchange programmes, joint or dual awards or franchised or validated awards. Processing necessary for the performance of a contract or legitimate interest. 
8 To the police or other regulatory bodies where pursuant to the investigation or disclosure of a potential crime or national security matters such as Benefits or Tax Inspectors, UK Visas and Immigrations and the Foreign and Commonwealth Office. Processing necessary for the performance of a task in the public interest. 
9 To external examiners for the purpose of assessment. Processing necessary for the performance of a contract. 
10 To direct mail and marketing and events agencies who may assist the University in the administration of mailing to enquirers, applicants, offer holders, students and our alumni and the booking of events. Examples of such agencies include EventBrite, Hotcourses, Sterling, and Alto Digital.  Legitimate interest. 
11 To professional and industrial bodies (such as the Law Society and the General Pharmaceutical Council) wishing to communicate with students about career opportunities and membership of the body, including fitness to practice assessments and also where relevant to confirm your qualifications and accredit your course.  Consent or necessary for performance of a contract or legitimate interest. 
12 To external agents of the University in relation to the repayment of student debts, where internal recovery attempts have proven unsuccessful.  Legitimate interest. 
13 To any third party wishing to access a catalogue within the University’s library containing reference to student work. Consent or necessary for performance of a contract or legitimate interest. 
14 To the Home Office and other international and national government and regulatory bodies in connection with the assessment of students; immigration status.  Necessary for compliance with legal obligations or for the performance of public task. 
15 To other institutions, the University jointly conducts research work with or contracts to conduct research work on behalf of the University.  Necessary for scientific research or statistical purposes. 
16 To the University’s insurers in respect of accidents or incidents occurring with the institution and external auditors and external regulators such as the Health and Safety Executive. 

Legitimate interest

explicit consent or where there is a substantial public interest or necessary for establishment, exercise or defence of legal claim in relation to special category data. 

17 Disclosures to grant funding bodies to evidence allocation of grant funding payments, including payments of salaries and contact details of students undertaking grant funding work (examples of grant funding organisations will include Erasmus, the European Commission and International Embassies).  Legitimate interest. 
18 Disclosure to Student Loans Company and Student Finance to administer student fees and confirm enrolment on courses and payment.  Necessary for the performance of a contract or legitimate interest. 
19 Disclosure of apprentices’ attendance, conduct and progress data to Employers and organisations with which the University works with to deliver our apprenticeship programmes.  Legitimate interest  
20 Disclosure of apprentice data to Education and Skills Funding Agency (ESFA) and the Skills Funding Agency (SFA). More information about the data shared with the SFA is published in the ESFA Privacy Notice. Legitimate interest. 
21 To local authorities for council tax assessment purposes or electoral purposes and for processing of care leaver bursaries.   Legitimate interest. 
22 To organisations providing banking and online payment processing services such as Barclays and WPM. Legitimate interest 
23 To IT providers delivering externally hosted IT services or products to the University such as Microsoft Office, Google and Instructure. Legitimate interest. 
24 To external agencies offering plagiarism checking services such as TurnItIn and other academic institutions to identify instances of collusion in relation to plagiarism misconduct.   Legitimate interest. 
25 To fulfil requests for references regarding our students or graduates to external requesters.  Consent 


Author: Sam Seldon – Data Protection Officer

Notice last updated: 14th January 2020

Full review due: January 2022