Data Protection and Freedom of Information
Nothing is more important than your trust.
Falmouth University respects your privacy and values your trust; we will always process your data in a fair and lawful manner. This page is designed to answer your questions about how we collect and use any personal data you give to us, either directly or indirectly.
The linked pages describe how we collect and use data depending on how you are interacting with our institution as well as other useful information relating to data, information and privacy.
Below are some terms you will find used throughout these pages and a description of what we mean by each term.
Data Protection Law
When we refer to data protection law we are referring to two major pieces of legislation:
EU General Data Protection Regulation 2016/679 (known as GDPR)
Data Protection Act 2018
These laws regulate how we as a data controller process personal data
relating to individuals.
Other relevant legislation
There are a number of other pieces of legislation relating to data, information and electronic communications which we may collectively refer to as 'other relevant legislation':
- The Environmental Information Regulations 2004
- The Privacy and Electronic Communications Regulations 2003 (EC Directive)
- The Freedom of Information Act 2000
- The Computer Misuse Act 1990
- The Copyright, Designs & Patents Act 1988
Throughout the statements we make relating to privacy, such as our privacy notices, we have used some specific words and phrases which are explained below:
- "Personal Data" is any information which relates to a living person and can be used to identify them. It can include names, addresses, and contact details, as well as any other information relating to that person or a combination of information which allows that person to be identified.
- "Special Category Data" is any personal data which describes a person's race, ethnic origin, religion, trade union membership, politics, biometrics, genetics, sex life, health and sexual orientation.
- "Processing" is any activity relating to the use of personal data by an organisation, from collecting it, storing it and disposing of it, as well as everything in-between.
- "Data Subject" is a term used to describe the individual whose personal data is being processed.
- "Data Controller" is a term used to describe the organisation which is processing personal data and ensuring that it is done so in accordance with data protection law.
Falmouth University (the "University", "We", "Us") is the data controller for the personal data that we process in relation to you.
Occasionally, the University may be a joint data controller with other organisations, or we may be processing data about you on behalf of another organisation, but when this is the case, we will make sure you are aware of this when the information is collected.
As a data controller the University is required by data protection law to process personal data in accordance with specific principles. A key part is that personal data should be processed 'lawfully, fairly and in a transparent manner'. In keeping with this principle, the University will always tell you how we will deal with your information when it's collected using a document called a "privacy notice".
Depending on how you are interacting with the University, you will be subject to one or more separate privacy notices; whether you are a student, member of staff, alumni, visitor, etc. These are published on our website and are all linked to from this page.
How we protect personal data
The University processes a large amount of information about individuals and it is important that we are able to assure them that their personal data is handled, stored and disposed of in a confidential and secure manner. We have an obligation to protect the privacy of individuals that allow us to process their data.
All of our staff receive regular mandatory data protection training and we have in place a number of organisational and technical measures so that personal data is processed in accordance with the 6 principles of data protection as set out in data protection law.
The University is actively working towards an Information Security Management System based on ISO27001 with a range of controls covering the protection of personal information. All staff receive regular mandatory information security training and the University is accredited under the Payment Card Industry Data Security Standard.
All data subjects who have personal data processed by the University have the following rights prescribed by data protection law:
- To access the personal data the University holds about you.
- To correct any mistakes we have made in recording or processing your data.
- To have your personal data deleted. This right is limited in how it applies, such as when the data is no longer required or where the processing has no legal basis.
- To object to the processing of your personal data for marketing purposes.
- To object to the processing of your personal data when that processing is based on specific criteria such as the public interest or other legitimate interest, unless we have compelling lawful grounds to continue.
- To ask for the transfer of your data electronically to a third party.
- To withdraw consent for processing where consent is the legal basis the University is using to carry out the process.
Queries and exercising your rights
If you would like to ask us a question about your rights under data protection law, or you would like to exercise your rights or just find out more about how the University processes your data, please get in contact with our Information Governance Team.
Information Governance Manager
Call: 01326 255775
Make a complaint
If you wish to make a complaint please contact our Data Protection Officer.
Mr Ben Bull
Information Governance Manager
Call: 01326 255755
You can also make a complaint directly to the Information Commissioner's Office about the way in which we process your personal data: www.ico.org.uk