Privacy notice for General Public

This privacy notice is designed to help you understand how we use and protect the information obtained from any individual who:

• contacts the University of Dundee by any means
• provides services to University of Dundee
• visits or and uses University of Dundee’s website, e.g. www.dundee.ac.uk and its subdomains (the “website”)
• provides University of Dundee with unsolicited personal information
• takes part in activities or events organised by the University.

It applies to personal data provided to us, both by individuals themselves or by third parties and supplements any other University of Dundee privacy notices which may apply, for example the student privacy notice if you apply for a programme of study at the University.

This is a General Privacy Notice, and it may be superseded by a ‘Local Privacy Notice’ depending on what basis you are contacting the University of Dundee and whether you are completing additional web forms or applications.

About us

The University of Dundee incorporated by Royal Charter is the entity that determines how and why your personal data are processed.  In accordance with data protection legislation, we are a data controller, and this means that we are legally responsible for the personal data we collect and hold about you.

One of our responsibilities is to tell you about the different ways in which we use your personal data – what information we collect (and our legal basis for doing so), why we collect it, where we collect it from and whether (and with whom) we will share it.

We also need to tell you about your rights in relation to the information. This statement provides further details about all these issues.

What information you provide to us

Personal data, or personal information, means any information about an individual from which that person can be identified. In order to communicate with you, to provide you with services or information, we may collect, use, store and transfer different kinds of personal data about you. Depending on your relationship with us, this may include:

• Personal details (such as your name, contact details and email address) that you provide by contacting us, requesting information or submitting your information via the website.
• Personal details (such as names, titles and business contact information including addresses, telephone numbers and email addresses) for the employees and representatives of our suppliers and partners.
• Your responses to surveys which we ask you to complete for research purposes.
• Your responses to forms providing your details and supporting information in connection to University of Dundee student and staff awards.
• Your responses to forms providing details in relation to staff or student performance.
• Your responses to forms in relation to security incidents and accidents on University property and campuses.
• Information given when booking or attending events or other activities organised by the University.
• Any other information you post, email or otherwise send to us.
• How you use the website and where available, your IP address, operating system and browser type.

In some cases, you may choose to provide unsolicited personal and or special category information to us such as health information, criminal offence data etc. Where this is the case, this personal data will be handled with the same care as any other special category and personal data we process and in accordance with data protection legislation as laid out in this notice.

We will also collect personal information about website usage through cookies in accordance with our Cookies Policy.

How we will use the information

We will only use your personal data when the law allows us to do so.

Most commonly, we will use your personal data for the following purposes:

• to help you with your enquiry or request
• to manage the relationship with our suppliers and partners
• to comply with a legal or regulatory obligation
• to enable us to provide you with a product, facility or service we offer
• to process feedback and improve our services
• to make decisions in relation to the allocation of staff and student awards
• to monitor, report and take appropriate action in relation to incidents and accidents which have been reported to the University
• to manage and improve the web system and troubleshoot problems
• where personal information is collected on the University’s website, for instance through a web form, users will be informed as to what information is being captured, why and who (if anyone) it will be shared with, either via a Local Privacy Notice or in this General Privacy Notice.

Using your information in accordance with data protection laws

Data protection legislation requires that we meet certain conditions before we are allowed to use your data in the manner described in this notice, including having a "legal basis" for the processing. These bases are explained below.

Consent: You have given us your consent for processing your personal data.

Performance of contract: The processing of your personal data may be necessary in relation to the contract we have entered into with you or an organisation you represent, to provide University of Dundee’s services to you, or because you have asked for something to be done so you can enter into such contract.

Public task: The processing of your personal data may be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

Legitimate interests: The processing of your personal data may be necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or by fundamental rights and freedoms which require protection of personal data. It may be necessary for our legitimate interests to collect your personal data to enable us to manage certain operations of the University effectively.

Lawful interests: processing is necessary for compliance with a legal obligation to which the controller is subject.

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

Principles

We will handle your personal data in accordance with the principles set out below.

Sharing your personal information

We may have to share your personal data with the parties set out below for the purposes outlined above:

• External third-party service providers: there may be times when external organisations use your personal information as part of providing a service to us or as part of checking the quality of our service, such as our auditors;
• Law enforcement or other government and regulatory agencies: we may be required by law to disclose certain information to the police or another relevant authority in circumstances e.g. where we think you or someone else is at serious risk of harm.

We may also receive requests from third parties with authority to obtain disclosure of personal data. We will only fulfil such requests where we are permitted to do so in accordance with applicable law or regulations.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes – we only permit them to process your personal data for specified purposes and in accordance with our instructions. We may use third party providers to deliver our services, such as externally hosted software or cloud providers, and those providers may involve transfers of personal data outside of the EU. Whenever we do this, to ensure that your personal data is treated by those third parties securely and in a way that is consistent with UK data protection law, we require such third parties to agree to put in place safeguards, such as the Addendum to the New EU Standard Contractual Clauses or the UK International Data Transfer Agreement by signing the University template data sharing agreement or having in place equivalent adequacy measures.

How we will protect information about you

We do our utmost to protect your privacy. Data protection legislation obliges us to follow security procedures regarding the storage and disclosure of personal information in order to avoid unauthorised loss or access. As such we have in place the necessary security systems and procedures to protect information from unauthorised disclosure, misuse or destruction. We have established procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Data retention

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements, and in accordance with the JISC Records Retention Guidance

Your rights

Under certain circumstances, you may have the following rights in relation to your personal data:

Right of access: A right to access personal data we hold about you.

Right to rectification: A right to require us to rectify any inaccurate personal data we hold about you.

Right to erasure: A right to require us to erase personal data we hold about you. This right will only apply where, for example, we no longer need to use the personal data to achieve the purpose we collected it for; or where you withdraw your consent if we are using your personal data based on your consent; or where you object to the way we process your data (in line with Right to object below).

Right to restrict processing: A right to restrict our processing of personal data we hold about you. This right will only apply where, for example, you dispute the accuracy of the personal data we hold; or where you would have the right to require us to erase the personal data but would prefer that our processing is restricted instead; or where we no longer need to use the personal data to achieve the purpose we collected it for, but we require the data for the purposes of dealing with legal claims.

Right to data portability: A right to receive personal data, which you have provided to us, in a structured, commonly used and machine-readable format. You also have the right to require us to transfer this personal data to another organisation.

Right to object: A right to object to our processing of personal data we hold about you.

Right to withdraw consent: A right to withdraw your consent, where we are relying on it to use your personal data.

Rights related to automated decision making and profiling: A right to ask us not to use information about you in a way that allows computers to make decisions about you and ask us to stop.

If you wish to exercise any of these rights, please contact the Data Protection Officer by emailing dataprotection@dundee.ac.uk.

You have the right to lodge a formal complaint with the UK Information Commissioner's Office. Full details may be accessed on the complaints section of the ICO's website.

Other websites and the scope of this privacy notice

The University website contains links to and from the websites of third parties. This privacy notice applies to the University website only so if you follow a link to other websites, please note that these websites will have their own privacy policies and that we do not accept responsibility or liability for these policies. Please check these policies before you submit any personal data to these third-party websites.

Separate privacy notices are used whenever we collect personal information from you. The general privacy notices for staff, students and applicants can be found on the Data Protection page of our website.

Changes to our privacy notice

Our Privacy Notice may be updated from time to time. Any updates will appear on this webpage.

If you have any questions about our privacy notice, please contact the Data Protection Officer on dataprotection@dundee.ac.uk or by post at University of Dundee, Nethergate, Dundee, DD1 4HN.