Data Protection Information
Student Wellbeing Service data protection notice for personal and sensitive personal data.
Aberystwyth University (AU) is the data controller and is committed to protecting the rights of students, staff and third parties in line with the UK Data Protection Act (DPA) and the General Data Protection Regulation (GDPR) introduced in 2018.
Information on how the University is committed to protecting your information, and being transparent about what information it holds through the range of data protection policies and procedures in place, can be found here:
https://www.aber.ac.uk/en/infocompliance/dp/
You can also find out more about how your data is collected, stored and used here:
https://www.aber.ac.uk/en/infocompliance/dp/declaration/
The Student Wellbeing Service Data Protection Notice, set out below, details what and how we collect, store and use the personal and sensitive personal data we receive about you.
What information do we collect about you?
We collect personal and sensitive information about you: which will include your name, email, telephone number and address, your AU login and student ID, area and year of study. We may also ask for equality information, for example; gender, date of birth, disability along with information about your GP, any history that links to your current situation, medication, any previous specialist support and what your current issues are. Case note information may be gathered through face to face meetings, by emails, telephone conversations, raising concerns forms and third party information and will be recorded electronically.
How we collect your information
The Mental Health Specialists, Counsellors, and Mental Health Mentors within our service take notes, during any meeting, telephone conversation or email and will store your information on the Student Support Services electronic data base, along with any completed online forms, registration forms and or raising concerns forms. This may be information provided by yourself or by someone internal or external to the University.
How we use your information
Access to your records is carefully controlled and restricted to only those staff who may reasonably need to know this information in order to provide support. All staff are committed to respecting and protecting confidentiality and privacy and work in accordance with the AU confidentiality policy. Access to the records helps with the level of support we provide. It may also help with evidencing special circumstances, complaints or any possible student finance issue. The information in the records is also used anonymously for statistical, analytical or survey purposes, so that we can improve services.
How long we keep your information
The Student Wellbeing Service will retain information and case notes for a student up to six years after a student either leaves, or graduates, from the Aberystwyth University. These records will then be destroyed confidentially.
The legal basis in which our service collects data:
It is essential for records, of our engagement with students and third parties, to be held as we have:
- A contractual duty for student information to be held in order to ensure that appropriate high quality support is provided and the data held will help to provide information in the public interest.
- To ensure that the legitimate interest of students and third parties are considered through information disclosed.
- Counsellors, Mental Health Specialists and Mental Health Mentors are required by their professional accreditation bodies to record and maintain case notes.
- Where possible, and in line with GDPR, consent to collect, store and use information will be sought.
Information from third party sharing and/or receiving information
Our staff are committed to protecting confidentiality and privacy in accordance with the AU confidentiality policy, and we will encourage students to self-disclose relevant information to third parties where appropriate. Wherever possible we will seek consent from students to share/receive information, unless:
- Consent from the student has already been gained to disclose the information (e.g. from Accessibility Services, GP, Mental health Services, Personal Tutor). If no consent has been gained to share information with us, then we require the information to be provided anonymously and we would advise the third party on how to best advise the student.
- There is a civil legal responsibility to share information
- There is a known risk of significant harm to self or others, in which case only those people on a ‘need to know’ basis, internal or external to the University, will be informed; in line with the confidentiality policy.
- Our staff also have a duty under the Counter-Terrorism and Security Act 2015 to have due regard to the need to prevent people from being drawn into terrorism. This duty may involve the passing of certain information to senior staff and possibly the police / security services.
- Where information is required by the police: for the prevention or detection of crime or the apprehension or prosecution of an offender, and not providing the information would prejudice the investigation. In these cases staff will share information in accordance with policy.
- On a ‘need to know basis’, the sharing of information is deemed necessary: to ensure that the University are able to provide a robust and appropriate level of support (e.g. share with Accessibility Services, Accommodation, Personal Tutor).
Data security practices
Staff contracts set out how the sharing of personal and sensitive information will comply with GDPR and we store information on secure electronic systems. Only relevant staff have access to system areas, to ensure accurate record keeping, and appropriate support is provided. ‘Student of concern’ case studies may be discussed by staff during supervision, and in team meetings, during these times the student’s identity is not disclosed. We send information by email that contains personal information, and possibly sensitive information, and we will gain your consent for this.
Automated decision making
The Student Wellbeing Service does not currently use automated systems for decision making.
User rights
As a data subject, you have rights under the Data Protection Act. You have a right to access your personal information, to correct information, to prevent processing of your personal data, to prevent unsolicited marketing, to prevent automated decision making; to claim compensation, no third party access, the right to be informed, the right to restrict processing, the right to data portability. For more information regarding your rights, see:
https://www.aber.ac.uk/en/infocompliance/dp/data-subject-rights/
https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/individuals-rights/
Any requests or objections should be made in writing to the data protection controller- infocompliance@aber.ac.uk
The contact address of the data controller (AU) is:
Aberystwyth University
Reception
Aberystwyth
Ceredigion
SY23 3FL
If you are unsatisfied with the University response or processing of personal data then you may complain to the data protection manager. If your matter remains unresolved then you can apply directly to the information Commissioner for a decision:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
International data transfers
The Student Wellbeing Service does not currently carry out international data transfers.
Other specifics such as minors/cookies/video or photography
We may also use images of students and feedback from students within promotional materials such as videos and printed literature. Any feedback will be rendered anonymous and your specific consent for your visual presence will be sought in accordance to AU policy at the time of capture.