Universify and GDPR Compliance
What is the GDPR?
The General Data Protection Regulation (GDPR) imposes strict controls on how all organisations collect and process personal data within the EU and/or the personal data of EU citizens.
The enforcement of the GDPR is overseen by the UK’s supervisory authority, the Information Commissioner’s Office (ICO). It ensures that everyone is playing by the rules and that the rights of data subjects — the people whose data is being processed — are correctly protected.
Those individuals or institutions which determine the purposes and means of processing personal data are referred to as data controllers under the GDPR, whereas a data processor is responsible for processing data on behalf of the data controller.
The regulation outlines six key principles for organisations that process individuals’ personal information. These are that data shall be:
- processed lawfully, fairly and transparently
- collected for specified, explicit, and legitimate purposes
- adequate, relevant and limited to what is necessary for processing
- accurate and kept up to date
- retained only for as long as necessary
- processed in an appropriate manner to maintain security
What has Universify done to prepare for GDPR?
We’re constantly improving the technical and organisational security measures we have in place to protect your data and are committed to being fully compliant with GDPR. We will also support you with your own compliance obligations regarding any personal data held within Universify.
Here are some of the ways we are committed to GDPR compliance:
Awareness & accountability
We have an institution-wide commitment to compliance with the GDPR. Everyone working at Universify understands what their own responsibilities and those of the institution are.
We have undertaken an audit to clearly document what data we hold, where we hold it, where that data comes from and where it goes. This enables us to keep track of all data and helps us to make the right decisions when it comes to making sure that your data is always protected.
Data processing addendum (DPA)
Basis and consent
By joining Universify’s programme you are entering into an agreement which gives us a legitimate basis to process your data, in line with GDPR requirements. In other words, in order for the students to benefit fully from our programme, we need to process some personal data.
However, in order to keep you up to date with our news, we will need your explicit consent. We make sure it’s obvious where and how you can agree to this and you can unsubscribe from these updates at any time.
Under the GDPR you have the right to see a full copy of any data we hold about you, and also the right to request that it is fully deleted from our system (although we may be required to keep some records to ensure that you are not contacted in future, or to comply with any legal obligations).
However, to prove that Universify is working towards its charity objectives — outlined in its governing documents — we require personalised student data until every student is 24 years old, or has completed their first university degree, prior to turning 24. When a student reaches that age we will erase their data. All sensitive data that is not required to track a student’s progress to higher education, such as medical and dietary information, will be deleted after the completion of the residential aspects of our programme. Students may also request the erasure of their data before this time, by emailing firstname.lastname@example.org.
We hold teacher information in order to co-ordinate student applications and the delivery of the programme to our students. We will ask teachers to provide contextual information to ensure students meet the eligibility criteria. We also ask teachers to provide information on students’ attainment at GCSE to allow us to measure the impact of the programme. We will hold teacher information (name, school, email address and phone number) for as long as they act as a lead teacher, or until they ask us to erase their information by emailing email@example.com, provided this does not affect students signed up to an existing Universify programme. After two years we will delete the information of any lead teacher we have not had contact with.
The data you provide will be used to carry out statistical analysis of the impact of Universify Education’s programme. Your personal data won’t be made public nor shared with partners without a DPA.
Keeping data secure
We are constantly improving our security measures to keep the information we hold within Universify safe, and whenever we work with third parties (sub-processors) to help us provide our service, we ensure that their security processes are as robust as our own.
If you ever want to contact us about GDPR, data protection or to find out more about how we process your data, please feel free to drop an email to firstname.lastname@example.org and we will get back to you as soon as possible.
Where can I learn more about GDPR?
The UK Information Commissioner’s Office website is a great resource for GDPR information: https://ico.org.uk