Cranfield University is a specialist postgraduate institution with a worldwide reputation for excellence and expertise in Aerospace, Defence and Security, Environment and Agrifood, Energy and Power, Management, Manufacturing, Transport Systems and Water.
This policy also instructs you on what to do if you do not want your personal information collected or shared when you visit our websites, work or study with us. By using and visiting the website, you agree to this policy and the uses made of personal information as set forth herein or amended hereafter.
This policy is reviewed annually. From time to time, we may update the policy. We encourage you to review it regularly to stay informed.
Cranfield University Group includes a number of subsidiaries:
Cranfield Aerospace Solutions Limited
Cranfield Conference Centre Limited
Cranfield Defence and Security Services Limited
Cranfield Innovative Manufacturing
Cranfield Management Development Ltd
Cranfield Quality Services Ltd
Cranfield Regatta Limited
Cranfield Group Holdings Limited
Cranfield Airport Operations Limited
If you believe your personal information has been misused, or handled in such a manner contrary to the policy stated above, please send details to GDPR@Cranfield.ac.uk.
When you are using Cranfield University websites, Cranfield University is the data controller. Our Data Protection Officer can be contacted on GDPR@Cranfield.ac.uk or at the address below:
Data Protection Officer
Detailed privacy notices
Staff privacy notice
This notice explains how HR will collect and use, the personal data of our employees to manage the employment relationship. The notice also covers those who have a temporary or ongoing relationship with the University. Download the Staff Privacy Notice
Student privacy notice
In order to carry out its duties as a University, Cranfield must collect and process personal and sensitive data relating to its students. Download the Student Privacy Notice
Alumni privacy notice
Job application privacy notice
What personal data may Cranfield University collect
We process information about many different types of data subjects, which include staff, contractors, students, clients and the general public. We record further details on the types of data subjects we process information about and this information is available on request.
For those data subjects, we process a wide variety of categories - depending upon the purpose for the processing.
Information you voluntarily provide to us, such as your name, user name, address, phone number, email address and other contact information.
When you enter into a contract to study or work with us, we may collect financial, profile and preference information that you provide.
Cranfield University is a centre of transformational research in technology and management, and a wide range of personal data may be collected and processed for research purposes. This includes research into human behaviour and human factors and biometric data is collected through facial recognition cameras and other sensors (in particular for our research into digital aviation technologies). Facial recognition data is not used for employee performance monitoring.
When you attend a lecture or an event (either in person or virtually) we may also collect and record visual and audio images.
The University does not hold or process electronic card payments; these transactions, including all personal data, are transferred to external web payment services and are governed by their privacy policies and notices.
Some further examples of data we collect are given below and full information is available on request.
- access and control lists
- accommodation records
- attendance records
- complaints, incidents and accidents
- courts, tribunals and enquiries
- education, performance, training and achievement or award records
- grievance, disciplinary and appeals records
- health records
- licences and permits held
- information from publicly available sources
- lifestyle and social circumstances
- provision of university services including library, IT & room and conference facilities
- recruitment, education and employment records
- relatives, guardians and associates
- associations and professional body memberships
- survey responses
- vehicle details including vehicle registration and driver/ownership
- vetting checks
- visual images, personal appearance and behaviour
Cranfield Group uses Live Chat to and call back request features to facilitate and assist website visitors with any enquiries that have.
Explaining the legal reasons we rely on
In summary, we process personal information to enable us to:
- provide education and support services to our students, professional learners and alumni
- support and manage our employees; internal support functions; corporate administration and other business-related functions of the University
- maintain our accounts and records
- provide commercial activities to our clients
- undertake research
- advertise and promote the University and the services we offer
- publish University and alumni publications
- undertake fundraising
- carry out knowledge exchange activities.
When collecting your personal data, our intention is to be clear to you which data is necessary in connection with a particular service.
All information is processed under a legal basis to comply with UK Data Protection Legislation.
We have identified appropriate lawful bases for processing personal data and a schedule 1 condition for processing special category or criminal offence data. Information on these is given in the sections below.
In certain circumstances, we need your personal data to comply with our contractual obligations.
For example, if you study with us, we will process the information necessary for fulfilling the contract to provide a course of education in accordance with the agreed terms.
Failure to provide information requested under contract may result in you not being able to be considered to work or study with us.
If the law requires us to, we may need to collect and process your data. For example, to fulfil our legal obligations in relation to tax.
Occasionally processing may be necessary in order to protect your vital interests. For example, should you decide to work or study with us, in the case of a medical emergency we will share your data with the emergency services.
As a University, we are required to process information to carry out our duties as a public authority. For example, we may be required to share your details with Higher Education Statistics Agency (HESA) and Office for Students (OfS).
In specific situations, we require your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact your rights, freedom or interests. For example, we may use your address details to send you direct marketing information by post, telling you about products and services that we think might interest you.
We also have a legitimate interest to visually identify and record people on campus for the purpose of security.
In specific situations, we can collect and process your data with your consent. For example, when you tick a box to receive email newsletters.
We may use your personal information for marketing or research purposes. For instance, this could allow us to personalise information and increase its relevancy if we contact you, or to invite you to help us develop new products through your feedback. If you would prefer us not to contact you using the personal details you have supplied, please contact GDPR@cranfield.ac.uk.
Legal bases for special category and sensitive data
In addition to processing your personal data we also process special category data and data concerning criminal offences. This may include.
- Protected characteristics as outlined in the Equality Act 2010 and other relevant legislation
- Occupational health records
- DBS records
- Criminal convictions
- Biometric data collected through facial recognition cameras and other sensors for research and security purposes.
Conditions for processing special category and criminal offence data
We will only process such data in relation to you where the processing meets one or more of the conditions for processing such data, as set out in Data Protection legislation. For example:
- we have a number of employment law duties and obligations, which require us to process special category and criminal conviction data, including those relating to ensuring the fair treatment of employees, and maintaining a safe and secure working environment.
- where necessary, special category data will be processed for the purposes of preventive or occupational medicine, including in order to assess the working capacity of an employee.
- Certain processing may also be necessary including processing to enable the establishment, exercise or defence of legal claims, or for research and statistical purposes.
- We also request you to declare diversity data (protected characteristics) at the time of your application for a post and through equality monitoring exercises. Provision of this data, which is processed by us for statistical purposes, is optional.
- Explicit consent
- Employment, social security and social protection law
- Vital interests
- Not-for-profit bodies
- Made public by the data subject
- Legal claims and judicial acts
- Public interest
- Health and social care
- Archiving, research and statistics
Who do we share your personal data with?
Where required, we share your information across the University and with our commercial subsidiaries.
The University will not sell, license or trade your personal information without your consent. We will not share your personal information with others unless they are acting under our instructions or we are required to do so by law (for example, to government bodies and law enforcement agencies, examining bodies, regulatory and investigatory authorities.)
We also sometimes share your personal data with trusted third parties. When sharing your data with third parties we require those organisations to keep your data safe and protect your privacy. That is;
• We provide only the information they need to perform their specific services
• They may only use your data for the exact purposes we specify in our contract with them
• We work closely with them to ensure that your privacy is respected and protected at all times
• If we stop using their services, any of your data held by them will either be deleted or rendered anonymous.
Examples of the kind of third parties we work with are:
• Suppliers, service and support providers e.g. IT companies who support our website and other business systems
• Professional and legal advisors
• Google/Facebook to show you products that might interest you while you’re browsing the internet. This is based on either your marketing consent or your acceptance of cookies on our websites. See our Cookies Notice for details.
• Data insight companies to ensure your details are up-to-date and accurate
• UKRI and other research councils and funding agents including Wellcome Trust, Royal Academy and other learned societies
• Ranking and accreditation agencies
• Our partners in research and teaching activities.
If requested to do so by a legitimate public authority, Cranfield University will share your name, contact details and time of visit for contact tracing purposes to control the spread of Covid-19.
We also share information with other parties at the specific request of, or consent by, the data subject.
For full information on sharing of your data please refer to the Staff Privacy Notice, Student Privacy Notice or email GDPR@cranfield.ac.uk
How long will we keep your personal data?
Cranfield University has reviewed our records and procedures regarding the retention of data. For the most part, data will be kept for a standard retention period of seven years in line with statute of limitations.
There will be some exceptions to this, and data may be kept for a shorter or longer period than seven years.
For example, employment applicant data will be kept for less time, while the categories of student name and qualification will be kept for the lifetime of the University. Some further data will be kept for more than seven years where there is a legal obligation to do so (e.g. pension information).
- The right of access - you have the right to request the personal data we hold about you, free of charge in most cases.
- The right to be forgotten - you have the right to request that we delete your data.
- The right to data portability - you have the right to request that we supply a copy of your data in a commonly-used and machine-readable format for you to transfer your data to another service provider.
- The right to be informed - you have the right to be informed about our processing of your data.
- The right of rectification - you have the right to request the correction of your personal data when incorrect, out of date or incomplete.
- The right to restrict processing - you can request that your data is not used for processing. Your record can remain in place, but not be used.
- The right to object - you have the right to stop the processing of your data for direct marketing.
- Cranfield University offers visitors to our website the opportunity to subscribe (opt in) to a number of electronic communications. You have the possibility at all times to tell us you no longer wish to subscribe to our electronic communication service (opt out). All e-communications you receive from us will provide clear instructions on how to unsubscribe from each service.
- You also have the right to object to the processing of your data where you believe a decision has been made about you by fully automated means, which has adversely affected you.
- The right to be notified - you have the right to be notified, without undue delay, if there has been a data breach which is likely to result in a high risk to your rights and freedoms. .
- Right to complain to the supervisory authority - you have the right to complain to the supervisory authority; in the UK, this is the Information Commissioner's Office (ICO) - see the ICO website for further information.
Where your personal data may be processed
Your personally identifiable information will normally be processed in our own databases located in the United Kingdom, but some data may be processed elsewhere through specific contractual agreements. Cranfield University is committed to keeping secure the data you provide us and will take reasonable precautions to protect your personally identifiable information from loss, misuse or alteration.
Cranfield University has made substantial investments in security technology and security management processes. These technologies are deployed to guarantee maximum security of the information you provide us with.
External website links
The links are provided as a courtesy, to be used or not at the discretion of the individual user. If users decide to follow these links, Cranfield University cannot be responsible for the Privacy Policies and content of those sites. Users should contact the co-ordinator of the particular site with any questions about those sites.
Data protection notice
Please note that any information supplied via this website may be stored on our computer system for the provision of information, marketing and analysis. We may also share this information with other third parties in line with our registration with the ICO.
We are registered with the Information Commissioners’ Office and our registration number is Z4690919.
For details of Cranfield subsidiary organisations registration please contact GDPR@cranfield.ac.uk
Send to a friend
Users can choose to electronically forward a variety of articles, abstracts, research papers and course details to someone else. Users must provide their email address as well as that of the recipient. The information is only used in the case of transmission errors and to let the recipient know who sent the email. The information is not used for any other purpose.
Cranfield University is a postgraduate institution and therefore will only process children’s personal data under very specific circumstances. For example, events supporting science-based projects in schools, attendees at the on-site pre-school and ‘Bring Your Child to Work Day’.
Where there is a need to collect information from a person under 16, then the University will need consent from a parent or guardian in order to process any data. In these circumstances, an email or postal address of this person will be needed so that we can write to them to collect this.