FAQ 469
Advice Zone Online Privacy Statement

The University of South Wales is the data controller with regard to information held and is committed to protecting the rights of individuals in line with the Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation (GDPR). The University of South Wales has a Data Protection Officer who can be contacted through dataprotection@southwales.ac.uk.

What information do we collect?

The University collects the following information:

USW Student Number

Name and date of birth

University and personal email address

Term time and home contact details

Course details

Nationality

Domicile

Questions asked by the students within the Advice Zone and Advice Zone Online

Case notes and issues raised in general appointments

Information provided during online chat

•       Student casework

Record of appointments

Questions raised by the student are held within the system for staff to view and respond.  A history of all questions raised are visible to staff in a student support role.

Student appointments are held within the system and a history of all appointments are visible to staff in a student support role.

Information relating to student casework are only accessible to the appropriate teams.

Case notes will only be visible to staff within those services.

The system utilises free text boxes which allow the student to enter any information they choose.  The student can choose how much detail they wish to provide within the system, but when inputting their personal data they should be mindful that this information will be accessible to authorised University staff. 

Why we collect this information?

USW has to collect personal data to satisfy a number of requirements: 

administering finance (e.g. fees, scholarships and bursaries)

providing student support services 

safeguarding and promoting the welfare of students

the administration of student casework

What is our legal basis for processing?

In processing data for the purposes listed above the University relies upon the following legal basis as appropriate:

  • Processing is necessary for the performance of a contract with the individual.
  • Processing is necessary for the performance of a task carried out in the public interest.
  • Processing may also be necessary to protect the vital interests of the individual or another person.

Special category personal data is processed as it is necessary:

  • For reasons of substantial public interest, on the basis of Union or Member State law. 
  • For the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to conditions and safeguards 

Who are the recipients or categories of recipients?

Where necessary personal information will be shared internally within the faculties and departments across the University. Such sharing will be subject to confidentiality protocols and access restrictions(e.g. Health, counselling and mental health case notes will only be visible to staff within those services)

The University works with the NHS’s Mental Health University Liaison Service (MHULS) and where necessary students may be referred to their teams.  Any referral will be discussed with the student in the first instance and will only be made with their agreement. 

Where consent (and where appropriate explicit consent) has been obtained, personal data may be shared with those individuals specified within any agreement.

In certain circumstances personal information may be disclosed without consent under the following circumstances:

a)If the University has good reason to believe that someone may be at serious risk of harm. Unless the situation is an emergency, or it is considered otherwise inappropriate, efforts will always be made to discuss the matter with the individual beforehand.

b)The University may be legally bound to disclose personal information on certain occasions e.g. under a Court Order, as part of safeguarding responsibilities and prevention of terrorism.

Transfers to third countries and the safeguards in place

All personal data is processed within the UK or EU.  

Retention of data

All data held about USW activities and all personal data will be stored securely and appropriately in line with the University’s Retention Schedule 

This Schedule is reviewed periodically and it serves to determine how long certain information will be retained.

Security of data 

Data Protection legislation requires us to keep information secure. This means that confidentiality will be respected, and all appropriate measures will be taken to prevent unauthorised access and disclosure. Only members of staff who need access to information will be authorised to do so. 

Student data is held in a secure database hosted by a third party. This data is made available to staff and students using an encrypted connection between web browser and server.

Information held in electronic form will be subject to password and other security restrictions, while paper files will be stored in secure areas with controlled access. 

Some processing may be undertaken on the University’s behalf by an organisation contracted for that purpose. Organisations processing personal data on the University’s behalf will be bound by an obligation to process personal data in accordance with Data Protection legislation.

Individual rights 

Individuals have a right to access their own personal information, to object to the processing of their personal information, to rectify, to erase, to restrict and to port this data. 

Further information relating to individual rights are available on the University Data Protection webpages.

Any requests or objections should be made in writing to the University Data Protection Officer -

University Secretary’s Office,

University of South Wales

Pontypridd,

CF37 1DL 

Email: dataprotection@southwales.ac.uk 

Individuals who are unhappy with the way in which their personal data has been processed may in the first instance contact the University Data Protection Officer using the contact details above. 

Where individuals remain dissatisfied then they have the right to apply directly to the Information Commissioner for a decision. The Information Commissioner can be contacted at: 

Information Commissioner’s Office,

Wycliffe House,

Water Lane,

Wilmslow,

Cheshire,

SK9 5AF

www.ico.org.uk