This is a privacy notice to explain the way we manage personal data in relation to applications for University of Oxford graduate accommodation.
In the course of applying for the University of Oxford graduate accommodation, you have provided information about yourself (‘personal data’). We (the University of Oxford) are the ‘data controller' for this information, which means we decide how to use it and are responsible for looking after it in accordance with the General Data Protection Regulation and associated data protection legislation.
You can also download a pdf version of this Privacy Notice.
The types of data we collect
The information we hold about you may include the following:
- Contact information
- Bank details
- College membership
- Images collected from CCTV (only at certain sites)
We collect the vast majority of the information directly from you, through the tenancy application process. We may also collect additional information from your college. We will collect and generate additional information about you throughout the period of your tenancy.
We may also collect the names and contact information of family members and associates in order to maintain accurate records of visitors to the accommodation and emergency contact information.
Your personal data will be used in order for us to manage your tenancy agreement, including processing financial information for payment of rent, contacting you during your tenancy and in respect of references requested at the end of your tenancy agreement. We may supply your data, which will include your contact details both past and present, to utility suppliers, the local authority, authorised contractors; any credit agencies; reference agencies; the University’s legal advisers, debt collectors; and tracing agencies.
Personal data of families and visitors is recorded for the purposes of health, safety and security, including contact in the event of an emergency.
CCTV images are not continuously monitored. Images may be processed in the event of an incident requiring the involvement of the University’s Security Services, and only for the purpose of investigating such an incident.
The University is processing your data for this purpose in order to fulfil our contractual obligations to you or to take steps at your request prior to entering into a contractual relationship and to meet our legitimate interests relating to the management of University graduate accommodation and student related administration.
The University will share your data within the University with those who need to view it as part of their work in carrying out the purposes described above. We may also share your data with your college for the purposes described above.
We may share your data with companies who provide services to us, such as laundry and repairs and maintenance services. These companies are required to take appropriate security measures to protect your data in line with our policies. We do not allow them to use your data for their own purposes. We permit them to process your data only for specified purposes and in accordance with our instructions.
We may also share your data with the following organisations for the reasons indicated:
- Utility companies, who supply services to your accommodation. In order to ensure that you receive the services and that you are billed for those services;
- The local authority, to update them in respect of Council Tax;
- Credit agencies to consider your application for accommodation;
- Reference Agencies to consider your application for accommodation and where requested by you to provide a reference;
- The University’s Legal Advisers in the event of a breach of your tenancy agreement and if necessary in connection with our agreement;
- Debt Collectors and tracing Agencies in the event that you have failed to pay your rent or owe the University money in connection with your tenancy agreement.
Where we share your data with a third party, we will seek to share the minimum amount necessary. This may include the information and samples being transferred to, and stored at, a destination outside the European Economic Area. Such transfers will only take place with appropriate safeguards in place to ensure the confidentiality and security of your personal information. If you require any information about these safeguards, you may contact us (see data protection officer email address below).
We will retain your data for a period of 6 years from the time you cease to be a tenant in the accommodation in order to meet our purposes, including relating to legal, accounting, or reporting requirements. This also applies to personal data relating to family members and visitors.
CCTV data is kept for a period of 30 days before it is overwritten. Further information concerning the University’s use of CCTV can be found on the Estates Services website.
Your data will be held securely in accordance with the University’s policies and procedures. Further information is available on the University’s Information Security website.
We store and use your data on University premises, in both a manual and electronic form.
Electronic data may be transferred to and stored at, a destination outside the European Economic Area ("EEA"), for example when we communicate with you using a cloud-based service provider that operates outside the EEA such as Survey Monkey.
Such transfers will only take place if one of the following applies:
- the country receiving the data is considered by the EU to provide an adequate level of data protection;
- the organisation receiving the data is covered by an arrangement recognised by the EU as providing an adequate standard of data protection e.g. transfers to companies that are certified under the EU US Privacy Shield;
- the transfer is governed by approved contractual clauses;
- the transfer has your consent;
- the transfer is necessary for the performance of a contract with you or to take steps requested by you prior to entering into that contract; or
- the transfer is necessary for the performance of a contract with another person, which is in your interests.
You may request access to any of your data, request that our processing is restricted, object to our processing or request that your data be corrected or transferred to another party, subject to certain restrictions.
You may also request that your data be deleted or ask for us to stop using it, and we will comply with your request as soon as possible. Depending on the circumstances, however, we may have legal grounds for continuing to process your data, for example where there is a contractual requirement for us to process your data or where processing is necessary for the performance of a task carried out in the public interest, in accordance with applicable data protection laws.
If you would like to exercise any of the rights mentioned above or if for any reason you are not happy with the way that we have handled your data, please contact the University’s Information Compliance Team at firstname.lastname@example.org. The same address can be used to contact the University’s Data Protection Officer. If you are still not happy, you have the right to make a complaint to the Information Commissioner’s Office.