Your data and privacy
Alumni, friends and supporters play an important role in the life of the University of St Andrews contributing to our achievements and ensuring we continue to be known across the globe as a world leader in education.
The Development Office at St Andrews is here to support our alumni, friends and supporters, keeping you informed as to what is happening at the University and beyond: engaging with you on relevant activities which we hope will be of interest to you. This includes sharing University, alumni and supporter news and activities, events, reunions, fundraising campaigns, networking, career and volunteering opportunities.
The Development Office cannot reach out to you, without making use of your personal data, which, more often than not, will involve your contact details.
The protection of personal information collected and processed by the University is legislated through the European and UK legislation, notably through the General Data Protection Regulations (more commonly known as the GDPR), the Data Protection Act 2018 (“the DPA”) and through rules on direct marketing activities as provided by Privacy and Electronic Communication Regulations 2003 (“the PECR”). The University takes its obligations to protect personal information and to uphold the rights and freedoms of individuals seriously.
One of the core principles of data protection legislation is that personal data is processed fairly. Fairly, in this context, is concerned with individuals being informed as to how their personal information will be used. It is important that the University is clear about how personal data will be used to support development and alumni related activities, so that you can let us know if you wish for the University to act differently.
The purpose of this statement is therefore to inform alumni and friends how their personal information will be used by the University, and to set out our promise to you that –
The University will work at all times to protect your privacy. We will only make use of your personal data for clearly stated purposes and we will always respect and uphold your rights.
2. Our work
The Development Office exists to communicate the University of St Andrews’ activities, institutional views, latest news and points of excellence with staff, stakeholders, students, alumni, friends and current and past supporters of the University and to raise philanthropic funds to support key capital projects, scholarships and widening access programmes, academic research and a range of projects to enhance the teaching and learning environment for our students and the St Andrews community. We do this by providing information through a range of online and offline channels including publications, events, press releases, social media and email.
In order to do this, we maintain a database that contains personal data collected by the University during the course of our relationship with our stakeholders, staff, students, alumni and friends. The vast majority of the information we hold will have been obtained directly from you via our website’s sign-up form or other hard copy information returns and also via letter, email and telephone updates from you.
This Privacy Notice:
- Introduces the University’s responsibilities and obligations as a data controller – the organisation responsible for protecting and determining how your personal data will be used to support alumni and development activities at St Andrews;
- Explains how your personal data will be used and the legal basis which the University will draw upon when using your personal data responsibly;
- Provides an overview as to how your personal data will be used;
- Informs you who has access to your personal data and the limited conditions under which your personal data may be made available to a third party;
- Identifies other organisations and/or individuals that personal data may be shared with (recipients);
- States how long personal data will be retained, or, where that is not possible, the criteria used to determine this;
- Explains your privacy rights and the steps you can take to exercise these; and
- Explains how the University will protect your personal data, keeping this safe and secure.
4. Who collects and decides how your personal data will be used: the identity and contact details of the data controller?
It is important that individuals understand the identity of the organisations/entities who collect and decide how personal data are to be used, as without that understanding it can be difficult for people to exercise their rights. In data protection terms, the organisation that determines the purposes for which personal data is to be used is the data controller. The data controller is also responsible for upholding your privacy rights, as provided for in European and UK data protection legislation. In this instance, the identity and contact details of the data controller are:
- University of St Andrews, College Gate, North Street, St Andrews, KY16 9AJ, Fife, Scotland, UK. The University is a charity registered in Scotland, No SC013532.
5. The contact details of the University Data Protection Officer
Some organisations are required to appoint a Data Protection Officer (“DPO”). A DPO is an independent position; tasked with supporting organisations in complying with data protection legislation. The contact details for the University’s DPO are:
- Mr Christopher Milne, Head of Information Assurance and Governance, University of St Andrews, Butts Wynd, North Street, St Andrews, KY16 9AJ, Fife. Email firstname.lastname@example.org
6. How do we collect your personal data?
6.1 After you graduate
Core alumni information is carried over from your student record:
- Your name, title, gender, date of birth;
- Your student number and username;
- Your home or parental address, email address and telephone number(s);
- Your education record including course, school, type and classification of award.
- A list of your student sports clubs memberships and achievements;
- Membership of student societies;
- Scholarship award and prizes information and other achievements;
- Up to date business information and contact details shared through SaintConnect and other Careers Centre activities.
6.2. When engaging with the Development Office
In most instances, the Development Office will collect data from Alumni and friends of the University directly when engaging with you; or you may have provided your details to the University, along with your consent for their use, at your request via our sign-up form, letter, or email.
6.3. Payment processing
We collect bank or credit/debit card details in order to process event ticket or donation payments but we will not store bank or credit/debit card details beyond the requirements for processing the payment. This may involve using third parties to assist in setting up Direct Debit payments and processing your donations or ticket payments.
6.4. Via a third party who has asked your permission to pass on your details to the Development Office
On occasion, we may receive your details from independent event organisers e.g. Just Giving. These independent third parties will only provide us with your details, on your consent, when you have confirmed that you wish to support the University of St Andrews. You may wish to request and check the privacy notices of such third parties, to ensure that you understand fully how your details will be used and that you are happy with any decisions made.
6.5. When using our Web site and similar services
Some of the University’s web pages, with a user’s consent, will log how a person has explored the content that is made available. This information is used, where provided, so that we can understand how to improve our services.
Some of the emails we send, allow us to understand where communications have been read or unopened. Where emails are unread, we may then ask people if they wish to hear from us via that medium.
For more information on log files, see ‘Data protection and privacy server’ at https://www.st-andrews.ac.uk/terms/
7. The purposes for which the University will make use of alumni/donor personal data
The personal data stored and processed by the University (depending on how you engage with the University) may include:
- Biographical information such as name, title, date of birth and gender;
- Your contact details including address(es), email address(es) and phone number(s);
- Information about your time at the University including graduation details;
- Your professional activities; current interests and preferences;
- Your business and career details including your philanthropic propensity and capacity to aid meaningful fundraising;
- Records of communications sent to you by the Development Office or received from you.
The University may use your personal data, to support the following activities:
7.1. Our range of communications with alumni and friends
We aim to keep people informed about our work or our activities and the positive impact this has on students and the University community. This might include sending you e-newsletters, publications (Campaign Magazine, Chronicle etc.), invitations to events, meetings and to highlight suitable volunteering opportunities.
We offer a postal/email messaging forwarding service for alumni whereby we will pass on communications on your behalf until permission for you to connect directly is received e.g. organising a class reunion and wish assistance issuing invitations, or where you have lost contact with an alum.
7.2. Keeping you up to date via email
Where you have provided your email address to us, we will make use of that to contact you for the specific purposes, which you have consented to. In every email we send, we will give you the opportunity to opt-out from receiving further emails, until such time as you may decide to ask for us to contact you again via that medium.
7.3. Keeping you up to date via post
We may reach out to you, by posting materials that you have requested or expressed an interest in. Where we may have lost touch with people, we may, where it is acceptable in terms of your and our interests, try and reach you by post. If you decide you do not want to receive post from us, please tell us.
Where appropriate, we may employ the use of National Change of Address supress and update services for participating countries (“NCOA”). These services allow us to cut down on wasted mailing costs and help ensure the accuracy of our address data.
7.4. Understanding the career progression of our alumni
From time to time we can lose track of where people work as their careers progress. The Development Office undertake some research to understand where people have moved onto in their careers; we may then use that information i.e. business contact details to reach out to you, normally via post, to ask if we can update your details and continue to stay in touch with you.
We may, where appropriate, ask you to help us raise money or donate money to the University of St Andrews, but always in accordance within the regulations and best practise guidelines set out by the bodies including the Scottish Charities Regulator OSCR, and the Independent Fundraising Standards & Adjudication Panel for Scotland .
All of our fundraising activities are managed within the University’s Gift Acceptance Policy .
We may use your personal data for some or all of the following, depending on individual circumstances and how you engage with us:
- To create an account for you if you register with us through SPARC and/or upon graduation, or have an external connection with us.
- For administration purposes for example we may contact you about a donation you have made or event you have expressed an interest in or registered to attend.
- To facilitate payments made by credit card, direct debit or standing order.
- To reclaim gift-aid from the tax authority.
- We may assess your personal information for the purposes of credit risk reduction or fraud prevention.
- To ask you for your permission to use the story of your experience with the University of - St Andrews to promote our work (via printed or online publications).
- For internal record keeping, including the management of any feedback or complaints.
We want to make sure we use the University’s resources as effectively as possible to help us engage with our community of alumni and supporters appropriately. In order to achieve this we may undertake a range of background research; this will help us to gain a better understanding of your interests, of how you engage with us, which in turn will help us to decide whether an approach to you is likely to be of interest. Such research helps us to better target our conversations about fundraising and therefore generate philanthropic funds cost-effectively; to assess the capacity of various stakeholder groups to support the University.
When conducting research, we always do this in-house, with University staff who work within set guidelines and standards. Open source materials are used i.e. publicly available sources and or subscription based sources, including social media, directories such as the electoral register, and business and financial reference sources. The research that we undertake, along with the legal basis for doing so, have been disclosed to the UK data protection regulator, the Information Commissioner’s Office. The Development Office do not undertake what is commonly referred to as third party wealth profiling.
We may employ data mining and predictive modelling techniques to forecast the probability of successful support approaches.
From time to time, we may undertake research using the records held by the Development Office to understand demographic, philanthropic, and business trends. We do this to help understand whether we are reaching people efficiently and effectively, and/or to help ensure that relevant communications are sent to you.
If you do not wish your data to be used in any of the ways listed above or have questions about this, please contact the Development Office.
8. Using your personal data lawfully: the legal bases for processing personal data
The University can only make use of personal data with reference to one of the stated legal bases for processing, as listed in the GDPR and the DPA. The most common legal bases that the University will rely upon for the lawful processing of alumni/donor personal data for the purposes/activities introduced, above, are outlined below:
- In most instances, the University will ask you for your consent before it makes use of your personal data. Consent is and will always be optional. Individuals are under no compulsion to provide their consent.
- If consent is withdrawn, the University will stop making use of your personal data, unless there is a requirement to do so under law.
8.2. Legitimate interests
- In a small number of instances, the University may make use of personal data when this is judged to be in the legitimate interests of the University and by doing so there is no detriment to you.
8.3. Legal obligations
- In a small number of instances, the University may be required to make use of personal data in instances where there is a statutory obligation to undertake particular activities e.g. ensuring that donations are not subject of fraudulent acts.
The University maintains a catalogue of the purposes of processing personal data and the corresponding legal basis. For full details please see www.st-andrews.ac.uk/Data-Protection, or email email@example.com.
9. Who will make use of your personal data?
9.1. Within the University
On a day to day basis your personal data will be used by staff in the University’s Development Office. Some personal data may be passed to the University’s Finance Office for audit, accounting and regulatory purposes.
9.2. Outwith the University i.e. to third parties
The University will never share your personal data with another charity or similar third party to use for their own purposes, unless we are required to do so by law, e.g. where served with a court order or for the purposes of prevention of fraud or other crime. The University will never sell your personal data.
The University may from time to time, pass some of your personal data to third party service providers, agents, subcontractors and other associated organisations for the purposes of completing tasks and providing services to you on our behalf. Those tasks can include event ticket and donation payment processing, the management of mailing and distribution, the preparation of phone appeals or event management.
On the occasions that we use third party service providers, we will only disclose the minimum information necessary to deliver that service, and there will always be a contract in place to ensure that the selected service provider will only make use of your information for the purposes set out by the University and that they have in place measures to protect and keep your details secure.
In some instances the University will pass some of your details on to a third party, with your permission, for publicity purposes or to register your association with the University. This may include placing details of your name in the University Donor Roll.
In addition to the above, the University may disclose certain personal data to external bodies as categorised below. At all times, the amount of information disclosed and the manner in which it is disclosed will be in accordance with the provisions and obligations of European and UK data protection legislation. Please note this is not an exhaustive list.
|Disclosure to for the purposes of||Details|
|Courts of law and Tribunals||The University will provide personal data to a named entity or person, when instructed to do so by Court Order or decree, unless a successful challenge to such an order is made.|
|Government agencies and local authorities, with statutory powers to obtain information from the University as a higher education institution and/or a registered charity.||For the purposes of meeting external regulatory requirements.|
|HM Revenue and Customs (“HMRC”)||To reclaim gift aid.|
|Law enforcement agencies||The University may provide personal data to law enforcement agencies, where there is just cause, for the: prevention and detection of crime; apprehension and prosecution of offenders; assessment or collection of any tax or duty or imposition of a similar nature; or any matters pertinent to national security. Prior to the release of personal data to the Police or a relevant authority, for the purposes noted, above, the University will first satisfy itself that a request is legitimate and that the disclosure of the personal data is lawful. In this regard, the University will make reference to the provisions from relevant data protection legislation.|
|Media outlets||The University may pass on personal data to the media in terms of press releases, which may provide details of a person’s relationship and/or work at the institution.|
10. Details of transfers of personal data to countries outwith the EEA
The University may transfer alumni/donor details outwith the EEA, for the purpose of organising events to which individuals have opted to attend.
11. How long will the University make use of your personal data to support alumni and development activities?
Unless individuals direct otherwise, the University’s relationship with alumni, friends, donors and other stakeholders is considered to be life-long. The University will retain your personal data to support the alumni/development activities outlined herein, until you ask us to do otherwise.
Please note that in some circumstances, so that the University can continue to meet its other legal obligations it may be required to retain personal data in accordance with tax and accounting rules, and charity law.
The University follows best practice records retention periods, notably those published by the Joint Information Systems Committee (“the JISC”) to help determine the relevant storage times. Details of JISC recommended retention periods are available from: http://bcs.jiscinfonet.ac.uk/he/default.asp.
12. How will the University protect and secure your personal data?
The University puts in place a series of technical and organisational measures to protect and safeguard all data it holds. For example, data is securely stored in dedicated data centres, where appropriate data and devices are encrypted, staff receive training and briefings on information security and data handling. The effectiveness of those measures is routinely tested by the University Court (via its Audit and Risk Committee), and through internal and external audit.
13. Your rights
European and UK data protection legislation provides individuals with a number of rights regarding the management of their personal data, these rights are:
- The right of access to your personal data, commonly referred to as a subject access request, which involves the following being carried out within a calendar month:
- Confirmation that personal data is being processed.
- Access being given to your personal data (provision of a copy), unless an exemption(s) applies; and
- The provision of supplementary information e.g. an explanation of how your personal data is processed and who this is shared with.
- The right to rectification, which may involve:
- The University working to correct any inaccuracies in personal data or to address any omissions, which may require personal data to be annotated to acknowledge that this is incomplete.
- The right to erasure (the deletion of personal data, in specific circumstances), which is commonly referred to as the ‘right to be forgotten’, which may involve:
- The University destroying specific personal data.
- The right to restrict processing, which may involve:
- The University agreeing to stop making use of specified personal data e.g. where those data are contested, in terms of accuracy.
- The right to data portability, which may involve:
- The University providing you with a copy of elements of your personal data that exist in machine readable form that you have given to the University.
- The right to object. Individuals have the right to object to the University making use of personal data where:
- Either legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling) is the legal basis that the University has relied on for making use of the said data; and
- The data in question is used for direct marketing (including profiling) – in such circumstances the use of personal data must stop when an objection is received.
- Further details on the right to object are available from the University website
In many instances, the rights introduced above are qualified i.e. in certain circumstances they are limited or they may not be available, and these may be further constrained by UK legislation, e.g. where personal data is only used for research or statistical purposes. Details of note include:
- The right of subject access can be refused or an administrative fee charged, where a request is found to be manifestly unreasonable or excessive. In addition, where a request is found to be complex or numerous requests are made, then the University can extend the time for compliance by 2 months.
- The right of erasure does not provide an absolute right to be forgotten. This right is only available in limited circumstances – notably where the legal basis for processing personal data is for the performance of a contract or linked to a statutory requirement, then the said right is not available. The University does not have to comply with a request for erasure where personal data is processed for the following reasons:
- To exercise the right of freedom of expression and information;
- To comply with a legal obligation for the performance of a public interest task or exercise of official authority;
- In many instances the University processes personal data for the performance of its public tasks e.g. teaching, learning and research.
- For public health purposes in the public interest;
- Archiving purposes in the public interest, scientific research, historical or statistical purposes; or
- The exercise or defence of legal claims.
- The data portability right is only available to personal data which an individual has directly provided to the University and where the legal basis for processing that data is either contract or consent, and where the said personal data are processed by automatic means.
These rights have to be met by the University and any other organisation that takes decisions about how or why your personal data is used. Details on how to access those rights are available from the University website, or you can contact firstname.lastname@example.org.
14. Where processing is based on consent (or explicit consent), the right to withdraw consent at any time
Circumstances may arise where it will be necessary for the University to seek the consent of donors and/or alumni; most notably in how we communicate with individuals via electronic means such as email, telephone, or text when advising people of Development activities and donor initiatives.
Where it is necessary to seek consent to process their personal data, this will be made clear to individuals at the point of data collection. Consent is optional. Individuals are under no compulsion to provide their consent, and where consent is provided, you will have the right to withdraw consent at any time, from which point the University’s use of your personal data will stop.
15. The right to lodge a complaint with a supervisory authority
If you believe that the University has not made use of your personal data, in line with the requirements of data protection law, you have the right to raise this with the regulator i.e. the UK Information Commissioner Office’s (“the ICO”).
Details on how to contact the ICO are available online, at:
16. Whether there is a statutory or contractual requirement to provide personal data and the consequence where no personal data are provided
Staff from the Development Office will advise if such situations arise.
17. Revision of the Privacy Notice
The details as to how personal data are used to support alumni and development activities at the University will be reviewed annually – the University may make changes to the associated Privacy Notice from time to time. Any significant change to relevant legislation, University policy or procedures primarily concerned with the protection of personal data may trigger an earlier review. If we make any significant changes in the way we work with your personal information we will make this clear on the Alumni section of the University’s website or by contacting you directly.
This Privacy Notice will be published on the University website, and copies may also be distributed to alumni via mailings of publications such as Chronicle. Should a copy of this Privacy Notice be required in another form, including orally i.e. an audio recording, please contact email@example.com.
19. Further information
If you have enquiries about this Privacy Notice, or wish to exercise any of your privacy rights, please contact the Development Office or direct these to the Mr Christopher Milne, University Data Protection Officer by e-mailing firstname.lastname@example.org.
Date: 14 June 2018