How we process and look after your personal data
Cranfield University is committed to protecting your privacy and keeping you informed on how your personal data is processed. This policy explains how we collect, store, use and protect your personal data and the rights you have. This policy is reviewed annually. From time to time, we may update the policy. We encourage you to review it regularly to stay informed.
- Personal data such as name, email address and other contact information.
- Financial and preference information that you provide when you enter into a contract to study or work with us.
- Visual and audio images recorded when you attend a lecture or an event, either in person or virtually.
- Occasionally, special category data, such as about your health.
- To enable us to carry out research, provide education and support to our students, professional learners and alumni.
- To support and manage our employees, maintain our accounts and administer our records.
- Personal data is shared when we are required to do so by law or regulation.
- We sometimes share information with trusted third parties who are required to keep your data safe and protect your privacy (when required we share the minimum amount of data necessary for the purpose).
- We do not sell or trade your personal data without your consent.
- Personal data is normally processed in our own databases located in the UK. If it needs to be processed elsewhere, we make sure it is protected properly, through contractual agreements.
- We are committed to keeping your personal data secure and have made substantial investments in security technology and security management processes.
- You have a number of data protection rights. For example, you can ask us for a copy of the personal data we hold on you, tell us to change information if it is wrong and you may also ask us to delete your data.
- We only process children’s personal data under very specific circumstances.
- Cranfield University is the data controller for this website.
- Information supplied via this website may be stored on our computer systems for the provision of information, marketing and analysis.
- All design, text and images are subject to copyright. More details can be viewed on our notice and takedown policy.
Have any questions? Or would like to exercise your data protection rights?
T: 01234 754536.Read more
Specific privacy notices
Staff Privacy Notice
This notice explains how People and Culture will collect and use the personal data of our employees to manage the employment relationship. The notice also covers those who have a temporary or ongoing relationship with us. Download the Staff Privacy Notice.
Student Privacy Notice
In order to carry out our duties as a university, we must collect and process personal and sensitive data relating to students. Download the Student Privacy Notice.
Alumni Privacy Notice
Job Application Privacy Notice
What personal data may we process?
We collect and process a wide variety of data categories – depending upon the purpose for the processing. When collecting your personal data, our intention is to be clear to you which data is necessary in connection with a particular service. Some examples of data we collect are given below. If you have any questions, please email GDPR@cranfield.ac.uk.
- Information you voluntarily provide to us, such as your name, email address and other contact information.
- Information from publicly available sources.
- Information from vetting checks where required.
The University does not hold or process electronic card payments; where an electronic card payment is to be made, customers are redirected to external web payment services where personal data is collected, and these are governed by their privacy policies and notices.
Depending upon your connection with us we will process other personal data. Some examples below.
- We process personal data to provide education and support to our students, professional learners, and alumni. For example, when you enter into a contract to study with us, we may collect financial and preference information that you provide and collect attendance, health, education, performance, training and achievement or award records.
- We process personal data to support and manage our employees. For example, when you enter into a contract to work with us, we may collect financial and preference information that you provide, and will collect recruitment, education, health, and employment records.
- When you attend a lecture or an event (either in person or virtually) we may also collect and record visual and audio images.
- We process personal data to enable us to carry out research. As a centre of transformational research in technology and management, a wide range of personal data may be collected and processed for research purposes. This includes research into human behaviour and human factors and biometric data is collected through facial recognition cameras and other sensors (in particular for our research into digital aviation technologies). Facial recognition data is not used for employee performance monitoring.
- We process data to maintain our accounts, administer our records, provide services, and keep individuals safe, including access and control lists, licences and permits held, surveillance camera images of visual images, audio recordings, personal appearance and behaviour, vehicle details including vehicle registration and driver/ownership, vetting checks and emergency contact information.
- We also process personal data to manage complaints, incidents, and accidents and to improve our processes, this includes grievance, disciplinary and appeals records, courts, tribunals, and enquiries.
Why do we process personal data?
We collect and process information for a number of different reasons, including to deliver and improve the opportunities and services we provide in a personalised manner. We also aim to ensure each individual receives relevant information and to meet our statutory, contractual, and legitimate business requirements in the most efficient and effective way. We also process data about many different types of people, this includes staff, contractors, students, clients, and other stakeholders.
We list below some examples of the reasons we process personal data.
- To provide education and support services to our students, professional learners, commercial clients, and alumni – for example, to deliver education, provide student support.
- To deliver IT, library, career development services and accommodation.
- To support and manage our employees and to provide services to them.
- To maintain our accounts, administer our records, and maintain our infrastructure (physical and electronic including our website).
- To manage internal support functions, corporate administration, and other business-related functions of the University.
- To keep individuals safe and maintain safe and secure campuses.
- To undertake research, including behavioural research.
- To manage complaints, incidents and accidents and improve our research, teaching and processes.
- To advertise and promote the University and the services we offer.
- To publish University and alumni publications.
- To undertake fundraising.
- To monitor examinations and tests, either online or face to face.
- We may occasionally carry out profiling or automated decision-making processes, for example, to direct you to the most appropriate web page for information, or to send you the most appropriate communication.
Legal bases for processing personal data
All information is processed under a legal basis to comply with UK Data Protection law. We have identified the appropriate lawful bases for our processing of personal data. See below for more information.
If the law requires us to, we may need to collect and process your data. For example, to fulfil our legal obligations in relation to:
- Health and safety,
- Visa and immigration,
- Tax and national insurance,
- Financial record keeping.
As a university, we are required to process information to carry out our duties as a public authority. For example:
- To enable education to be provided and keep a record of the award made.
- To publish materials as part of the University’s research or educational function.
- To monitor attendance and behavioural to maintain proper standards of conduct and behaviour.
In certain circumstances, we need to process your personal data to comply with our contractual obligations. For example:
- We will process the information necessary for fulfilling the contract for education or employment in the agreed terms. Failure to provide information requested under contract may mean we are unable to consider your application.
- We process contracts for research agreements, funding award applications, placements, licensing agreements and research programme activity.
- We process and share data as necessary with sponsors and employers.
In specific situations, we process your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business, and which does not materially impact your rights, freedom, or interests. For example:
- We may use your contact details to send you direct marketing to inform you about products and services that we think might interest you.
- We also have a legitimate interest to visually identify and record people on campus for the purpose of security.
- To showcase student work, theses, or research.
- To keep records of staff membership of professional bodies.
- To analyse the information we collect so that we can administer, support, improve and develop our websites, documentation, teaching and research and events and to ensure continuous improvement of all of our services.
We have carefully considered the use of consent and it is our policy to use other legal bases where appropriate. When we do use consent you have the right to withdraw your consent. Some examples of our use of consent are given below.
- When you take part in a research survey (see detailed privacy information provided on the survey).
- When you provide equal opportunities monitoring information.
- When you choose to opt in to receive information.
Occasionally, processing may be necessary in order to protect your vital interests. For example, in the case of a medical or other emergency we will share your data as necessary and proportionate with the emergency services or others.
Legal bases for processing special category or criminal offence data
Where necessary we may process some information about you that is classed as ‘special category’ data. Special category data requires and receives additional protection. The types of special category data are:
- Racial or ethnic origin,
- Political opinions,
- Religious or philosophical beliefs,
- Trade union membership,
- Genetic data, biometric data for the purpose of uniquely identifying a natural person,
- Data concerning health,
- Data concerning a natural person’s sex life or sexual orientation,
- Data concerning criminal offences.
Some examples of this type of data we process are:
- Occupational health records,
- Disclosure and Barring Service (DBS) records,
- Criminal convictions,
- Biometric data collected through facial recognition cameras and other sensors for research and security purposes.
Conditions for processing special category and criminal offence data
We will only process this data in relation to you where the processing meets one or more of the conditions for processing these types of data, as set out in Data Protection legislation. For example:
- We have a number of employment law duties and obligations, which require us to process special category and criminal conviction data, including those relating to ensuring the fair treatment of employees, and maintaining a safe and secure working environment.
- Where necessary, special category data will be processed for the purposes of preventive or occupational medicine, to assess the working capacity of an employee.
- Certain processing may also be necessary including to enable the establishment, exercise, or defence of legal claims, or for research and statistical purposes.
- We also request you to declare diversity data (protected characteristics) at the time of your application for a post and through equality monitoring exercises. Provision of this data, which is processed by us for statistical purposes, is optional.
A complete list of ICO processing conditions is given below. For further details please see the links to specific privacy notices within this document, or email GDPR@cranfield.ac.uk.
a) An individual has given explicit consent to the processing of this data for one or more specific purposes.
b) Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law.
c) Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.
d) Where we are acting as a not-for-profit body and processing special category data for purposes as defined in our statutes.
e) Where we are processing data which has already been made public by the individual.
f) To the extent that a student or member of staff pursues legal action in relation to a disciplinary process, further processing of any special category data would be for the purpose of establishing or exercising University rights in relation to or defending those claims.
g) Where we are processing data for substantial public interest as part of a function conferred on us by equality law and may also be necessary for the protective function of protecting members of the public against dishonesty, malpractice, or other seriously improper conduct.
h) Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
i) Processing is necessary for reasons of public interest in the area of public health.
j) Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
Who may we share personal data with?
Where required, we may share your information across the University and with our commercial subsidiaries.
We will share your personal data when required to do so by law or another regulatory requirement. For example:
- Government bodies including HM Revenue & Customs, Department for Health & Social Care etc,
- Law enforcement agencies, including the police and other regulatory and investigatory authorities,
- Higher education funding and regulatory bodies and their designated agencies including Higher Education Statistics Agency (HESA), Office for Students, Jisc and Graduate Outcomes,
- UKRI and other research councils and funding agents, including the Wellcome Trust, Royal Academy and other learned societies.
In the case of a medical or other emergency we will share your data as necessary and proportionate with the emergency services or others.
We may share your data with other trusted third parties when it is necessary to do so. If this sharing takes place, we will work closely with them to ensure that your privacy is respected and protected at all times. We will have an agreement in place which requires them to keep your data safe and protect your privacy, only use your data for specified purpose(s) and if we stop using their services, any of your data held by them will be deleted or made anonymous. Examples of the kind of third parties we work with are:
- Our partners in research and teaching activities, e.g. joint events, or dual degrees programmes,
- Suppliers, service, and support providers, e.g. IT companies who support our website and other business systems,
- End point assessment organisations for apprenticeship purposes,
- Ranking and accreditation agencies,
- Professional and legal advisors,
- Data insight companies to ensure your details are up-to-date and accurate,
- Google/Facebook to show you products that might interest you while you’re browsing the internet. This is based on your acceptance of cookies on our websites. See our cookies notice for details.
We will not sell, license, or trade your personal information without your consent. We also share information with other parties when specifically requested to do so by you. For full information on sharing of your data please refer to the specific privacy notice links earlier in this document, or email GDPR@cranfield.ac.uk.
How long do we keep personal data?
In most cases we keep personal data for a standard seven year retention period consistent with typical government guidelines on record keeping. There are exceptions to this, and some data will be kept for a shorter or longer period. For example, employment applicant data will be kept for less time, while the categories of student name and qualification will be kept for the lifetime of the University. Some further data will be kept for more than seven years where there is a legal obligation to do so (e.g. pension information).
Personal data will be kept as long as there is necessary purpose for doing so, these purposes include:
- To carry out business or support functions e.g. to provide proof of qualification.
- Under contractual terms, e.g. agreements with partners or funding organisations may require us to keep data for specific periods of time.
- To demonstrate compliance with audit purposes or legislative requirements.
We carry out a regular review of all categories of data held and have in place processes for the removal of data. At the end of the retention period, personal data will either be deleted or anonymised.
Where do we process personal data?
Your personal data will normally be processed in our own databases located in the United Kingdom. If data needs to be processed elsewhere, we make sure it is protected properly, through contractual agreement. This is to make sure than the safeguards which would be in place under UK data protection law are applied when processing is outside of the UK. For more information email GDPR@cranfield.ac.uk.
We have made substantial investments in security technology and security management processes. These technologies are deployed to guarantee maximum security of the information you provide us with. For further details see the Information Security Policy.
Under UK data protection law you have a number of rights regarding the personal data we process about you. Information is given below, please note that the rights described above do not apply in every circumstance. If you require further clarification, contact GDPR@cranfield.ac.uk.
The right to be informed.
The right of access (also known as Subject Access Request [SAR]).
You have the right to request the personal data we hold about you.
The right to rectification.
You have the right to request the correction of your personal data when incorrect, out-of-date or incomplete.
The right to erasure.
You have the right to request that we delete your data. However, there may be circumstances where the law or our contractual obligations mean we need to keep some of your data.
The right to restrict processing.
In certain circumstances you have the right to request that we restrict the processing of your personal data, for example while we consider your request under the right to rectification.
The right to data portability.
You have the right to request that we supply a copy of your data, which you supplied to us, in a commonly used and machine-readable format for you to transfer your data to another service provider.
The right to object.
You have the right to stop the processing of your data for direct marketing purposes. We offer visitors to our website the opportunity to subscribe (opt in) to a number of electronic communications. You have the possibility at all times to tell us you no longer wish to subscribe to our electronic communication service (opt out). All marketing e-communications you receive from us will provide clear instructions on how to unsubscribe from each service.
In certain circumstances you also have the right to request that your data is not used for processing. Your record can remain in place, but not be used.
Rights related to automated decision-making including profiling.
You also have the right to object to the processing of your data where you believe a decision has been made about you by fully automated means, which has adversely affected you.
The right to be notified.
You have the right to be notified, without undue delay, if there has been a data breach which is likely to result in a high risk to your rights and freedoms.
The right to withdraw consent.
Occasionally, we rely on your consent to process your contact details. This means you have the right to withdraw your consent, or to object to the processing of your personal data for this purpose at any time. If at any point you want to withdraw your consent, please email GDPR@cranfield.ac.uk.
The right to complain.
We are committed to ensuring that any concerns are dealt with quickly and fairly, and with due concern for the individuals involved. However, the University recognises that individuals may continue to be dissatisfied. If you wish to complain about the University’s processing of your personal data you are entitled to complain to the Data Protection Officer who will nominate a Senior Officer of the University, who has not been involved in the original enquiry, to deal with your complaint.
Data Protection Officer,
Cranfield University, College Road, Cranfield, Bedford, MK43 0AL
T: +44 (0)1234 754536
The right to lodge a complaint with a supervisory authority.
You have the right to lodge a complaint about our management of your personal data with the supervisory authority. In the UK this is the Information Commissioner’s Office (ICO). The ICO will expect you to complain to us first and give us an opportunity to resolve the matter before contacting them. The ICO contact details are given below.
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Live chat service: ico.org.uk/livechat
ICO helpline: +44 (0)303 123 1113
For information on handling FOI requests see the Freedom of Information pages.
Data protection registration
We are registered with the Information Commissioners’ Office and our registration number is Z4690919. For details of our subsidiary organisations’ registration with the ICO please contact GDPR@cranfield.ac.uk.
Cranfield University is a postgraduate institution and therefore will only
process children’s personal data under very specific circumstances. For
example, events supporting science-based projects in schools, attendees at
the on-site pre-school and ‘Bring Your Child to Work Day’. We do not offer
online services directly to children.
Where there is a need to collect information from a person under 18, then we may need consent from a parent or guardian in order to process any data. In these circumstances, an email or postal address of this person will be needed so that we can write to them to collect this.
Please note that any information supplied via this website may be stored on our computer system for the provision of information, marketing, and analysis.
External website links
The links are provided as a courtesy, to be used or not at the discretion of the individual user. If users decide to follow these links, we cannot be responsible for the privacy policies and content of those sites. Users should contact the co-ordinator of the particular site with any questions.
We use Live Chat and other online web chat tools to and call back request features to facilitate and assist website visitors with any enquiries that have.
Cranfield University Group includes a number of subsidiaries:
Cranfield Conference Centre Limited
Cranfield Defence and Security Services Limited
Cranfield Innovative Manufacturing
Cranfield Management Development Ltd
Cranfield Quality Services Ltd
Cranfield Regatta Limited
Cranfield Group Holdings Limited
Cranfield Airport Operations Limited
If you believe your personal information has been misused or handled in such a manner contrary to this policy, please send details to GDPR@cranfield.ac.uk.
By using and visiting the website, you agree to this policy and the uses made of personal information as described. When you are using our websites, Cranfield University is the data controller. Our Data Protection Officer can be contacted on GDPR@cranfield.ac.uk or at the address below:
Data Protection Officer, Cranfield University, College Road, Bedford, MK43 0AL
Publish and review date
This version is dated August 2023, next review date July 2024.