PART 1 – GENERIC PRIVACY NOTICE
Durham University’s responsibilities under data protection legislation include the duty to ensure that we provide individuals with information about how we process personal data. We do this in a number of ways, one of which is the publication of privacy notices. Our privacy notices comprise two parts – a generic part and a part tailored to the specific processing activity being undertaken.
Data Controller
The Data Controller is Durham University. If you would like more information about how the University uses your personal data, please see the University’s Information Governance webpages or contact:
Information Governance Unit
Telephone: (0191 33) 46246 or 46103
E-mail: info.access@durham.ac.uk
Data Protection Officer
The Data Protection Officer is responsible for advising the University on compliance with Data Protection legislation and monitoring its performance against it. If you have any concerns regarding the way in which the University is processing your personal data, please contact the Data Protection Officer:
Amanda Wilcox
University Secretary
Telephone: (0191 33) 46144
E-mail:university.secretary@durham.ac.uk
Retention
The University keeps personal data for as long as it is needed for the purpose for which it was originally collected. Most of these time periods are set out in the University Records Retention Schedule.
Your rights in relation to your personal data
Privacy notices and/or consent
You have the right to be provided with information about how and why we process your personal data. Where you have the choice to determine how your personal data will be used, we will ask you for consent. Where you do not have a choice (for example, where we have a legal obligation to process the personal data), we will provide you with a privacy notice. A privacy notice is a verbal or written statement that explains how we use personal data.
Whenever you give your consent for the processing of your personal data, you receive the right to withdraw that consent at any time. Where withdrawal of consent will have an impact on the services we are able to provide, this will be explained to you, so that you can determine whether it is the right decision for you.
Accessing your personal data
You have the right to be told whether we are processing your personal data and, if so, to be given a copy of it. This is known as the right of subject access. You can find out more about this right on the University’s Subject Access Requests webpage.
Right to rectification
If you believe that personal data we hold about you is inaccurate, please contact us and we will investigate. You can also request that we complete any incomplete data.
Once we have determined what we are going to do, we will contact you to let you know.
Right to erasure
You can ask us to erase your personal data in any of the following circumstances:
- We no longer need the personal data for the purpose it was originally collected
- You withdraw your consent and there is no other legal basis for the processing
- You object to the processing and there are no overriding legitimate grounds for the processing
- The personal data have been unlawfully processed
- The personal data have to be erased for compliance with a legal obligation
- The personal data have been collected in relation to the offer of information society services (information society services are online services such as banking or social media sites).
Once we have determined whether we will erase the personal data, we will contact you to let you know.
Right to restriction of processing
You can ask us to restrict the processing of your personal data in the following circumstances:
- You believe that the data is inaccurate and you want us to restrict processing until we determine whether it is indeed inaccurate
- The processing is unlawful and you want us to restrict processing rather than erase it
- We no longer need the data for the purpose we originally collected it but you need it in order to establish, exercise or defend a legal claim and
- You have objected to the processing and you want us to restrict processing until we determine whether our legitimate interests in processing the data override your objection.
Once we have determined how we propose to restrict processing of the data, we will contact you to discuss and, where possible, agree this with you.
Making a complaint
If you are unsatisfied with the way in which we process your personal data, we ask that you let us know so that we can try and put things right. If we are not able to resolve issues to your satisfaction, you can refer the matter to the Information Commissioner’s Office (ICO). The ICO can be contacted at:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Website: Information Commissioner’s Office
PART 2 – TAILORED PRIVACY NOTICE
This section of the Privacy Notice provides you with the privacy information that you need to know before you provide personal data to the University for the particular purpose(s) stated below.
Alumni Relations and Fundraising
Durham University’s Development and Alumni Relations Office (DARO) supports a global community of stakeholders (students, alumni, parents, donors, mentors, employers, researchers, policy-makers, and advocates) related to the research, engagement and outreach activities pursued by Durham University and its peer organisations. In order to deliver all of the related products, services and opportunities in a bespoke manner and to ensure each individual and constituency receives relevant information, DARO process personal data of stakeholders. This helps to ensure that you are getting the best contact available from DARO for your purposes. This also helps us, where appropriate, to ask for your support with the things we believe you care about the most.
Type(s) of personal data collected and held by the Development and Alumni Relations Office (DARO) and method of collection:
If you are a student/graduate, some of the personal data that DARO holds about you is transferred from your student record to the University’s alumni database, Raiser’s Edge. This personal data will have been collected from you as part of your studies application process or provided by you via updates to your department or college during your time as a student and will include:
- Your name, title, gender preference, nationality and date of birth;
- Your home or parental address, email address and telephone numbers;
- Your former school and/or university;
- Your familial relationships (parents, grandparents and siblings);
- UCAS Number.
Some of the personal data DARO holds about you has been created by us as part of your education record, namely:
- Mode of study (e.g. full-time, part-time, distance learning);
- Academic department and programme of study;
- Start, end and graduation dates;
- Reason for leaving, type and classification of degree;
- The college you attended and your membership of a Junior or Middle Common Room (JCR/MCR)/clubs/societies/sporting teams.
Some of the personal data DARO holds about you is provided by you during your transactions with us or authorised alumni volunteers (contact details updates, www.dunelm.org.uk website activity, event registration and attendance, volunteer activity or making/soliciting a donation), namely:
- Your bank account number, name and sort code (used for processing Direct Debits);
- Gift amount, purpose, date and method of payment including cheque numbers or payment references. At no point do we store payment card details if you donate, or pay for an event, using a payment card;
- Tax status and Gift Aid Declaration information;
- Your spouse/partner’s name and whether they are also a Durham alumna/nus;
- Updates to your contact details;
- Children’s names, gender and year of birth;
- Record of verbal or email conversations/meetings including any personal interests;
- Dietary preferences;
- Web activity whilst visiting www.dunelm.org.uk.
DARO may hold personal data relating to your professional history. This data may have been provided by you, or it may have been obtained from social media (e.g. LinkedIn, Facebook) or publicly available sources (Companies House and other business-related resources, the World-Wide-Web, publications and news articles such as Queen’s Honours List, Times Rich List, and the National Change of Address File and other services that provide email addresses and telephone numbers), namely:
- Your employment status (e.g. part-time, full-time, retired);
- Your current job title and work email address;
- Your previous role(s) and job title;
- Your current and past employers, name, address and telephone number;
- The dates that you have been employed in any particular role;
- Your photograph;
- Your income band.
DARO may hold personal data that has been created by Durham University from other personal data that we already hold (i.e. name, address, postcode, employment data), either through internal or external research/profiling, namely:
- Your estimated asset worth, property value and shareholdings;
- Qualification of prospective level of giving;
- Philanthropic interests and gifts to other charitable organisations;
- Internal classifications and ratings as a major gift prospect;
- A rating of your level of engagement which is created from a mix of your event attendance, donation history and other interactions with the University.
Legal Basis
When processing your personal data DARO relies on a combination of Consent, Contract, Legal Obligation or Legitimate Interests as the legal basis under the GDPR, as detailed in the table below. Where DARO relies on Legitimate Interest you have the right to object to your data being processed for the purposes stated (see section entitled How to object to DARO processing your personal data below). However, if DARO stops processing data for the stated purposes this may impact our ability to undertake certain activities that you have asked us to undertake, such as claiming Gift Aid on your donations if you object to your name and address being processed. If this is likely to happen, we may refer back to you to obtain clarification that this is what you intend.
The Legitimate Interests that are being pursued in the processing of personal data are:
- To establish, maintain and enhance our relationship with alumni in the pursuance of a life-long mutually beneficial partnership that benefits the alumni community and the University’s student community;
- To attract and retain donors and supporters in the pursuance of the University’s strategic objectives to generate philanthropic income and to diversify income streams.
Processing Activity
|
Legal basis
|
Creating your record in our relationship management system (Raiser’s Edge)
|
Legitimate Interests or Consent
|
Verifying your identity (alumni)
|
Legitimate Interests or Contract
|
Processing your contact preference forms
|
Consent
|
Meeting our obligations in relation to the Telephone Preference Service
|
Legal Requirement
|
Sending you direct mail by post
|
Legitimate Interests
|
Processing your gifts
|
Contract and Consent
|
Processing our Gift Aid claims
|
Consent and Legal
|
Event registration and management
|
Contract and Consent
|
Volunteer registration and management
|
Contract and Consent
|
Career mentor/mentee registration and management
|
Contract and Consent
|
Donor stewardship
|
Legitimate Interests, Contract and Consent
|
Conducting our telephone campaigns (fundraising)
|
Legitimate Interests
|
Identifying potential major gift supporters and qualifying prospective levels of giving
|
Legitimate Interests
|
Conducting due diligence on prospective major donors
|
Legal Requirement or Legitimate Interests
|
Major donor cultivation and solicitation
|
Legitimate Interests
|
Making legacy estimates/valuations
|
Legitimate Interests
|
Analysis of visits to our website www.dunelm.org.uk
|
Legitimate Interests
|
Analysis of the effectiveness of our email communications
|
Legitimate Interests
|
Reporting and benchmarking DARO performance
|
Legitimate Interests
|
Responding to our obligations in relation to the Higher Education Statistics Agency Destination of Leavers from Education Longitudinal Survey
www.hesa.ac.uk/data-and-analysis/publications/long-destinations-2012-13
|
Consent
|
Participating in higher education ranking or league tables providers with whom we hold a data sharing agreement
|
Consent
|
How personal data is stored by DARO
Personal data of alumni, donors and other stakeholders is stored by DARO in a propriety cloud-based database supplied by Blackbaud, Inc. called Raiser’s Edge (RE) under a contract for service. RE is hosted by Blackbaud on their servers located in the EEA. Access to personal data is restricted to the staff in DARO and any other member of staff who have a requirement to maintain a relationship with you, and is controlled through password protection and user security profiles. Blackbaud, Inc. do not permit their staff to have access to the personal data stored in RE.
The personal data of some alumni and supporters may be stored in a proprietary software application used to manage the telephone campaign. This software is hosted in the ‘cloud’ by the third party supplier company only for so long as is necessary for the period of the telephone campaign. Access to the software is restricted to students employed under a contract to make calls to alumni and supporters, the campaign manager and DARO staff and is controlled through username and password.
All University employees, contractors and volunteers that are given access to personal data receive mandatory Data Protection training and have a contractual responsibility to maintain confidentiality.
How personal data is processed by DARO:
Personal data is processed by DARO and the University’s colleges, departments and Durham Student Organisations to:
- Promote events;
- Send news and updates;
- Recruit alumni volunteers and mentors;
- Acknowledge gifts and to keep donors updated on the impact of their gift(s);
- Make fundraising appeals by email, direct mail, telephone and face-to-face meetings and ensure that we only send you communications about events or fundraising appeals that would be of interest to you;
- Report internally and externally and to undertake benchmarking.
Automated decision-making and profiling
Personal data is processed by DARO for a variety of purposes (detailed above) for which, in the interests of efficiency or effectiveness, or to meet the specific preferences of data subjects, profiling takes place. For example:
- To communicate with alumni from a particular college/department;
- To inform event hosts about attendees and their relationship to the University;
- To qualify prospective levels of giving;
- To undertake due diligence on prospective major donors;
- To produce summary data to report internally and to undertake benchmarking.
Automated decision-making takes place in only a limited number of instances (for example, to produce ask amounts for the periodic telephone campaigns) but there would be no legal or significant impact on you as a result of this decision making.
Who DARO shares personal with:
Personal data is shared with third party organisations in a limited number of instances.
If you are a member of the alumni community of, or have donated to, either of the independent colleges of St John’s and St Chad’s, which are charities in their own right, your personal data held by Durham University will be shared with those colleges under a Data Sharing Agreement which requires the colleges to provide assurances of protection of the data.
If you are a member of our alumni and/or donor community and our records show that you reside in the United States of America (USA), your personal data may be shared with the North American Foundation for the University of Durham (Dunelm USA) who have an independent 501c3 status in the USA, for the purpose of alumni relations and fundraising. For students, prospective students/parents, alumni and donors who have interacted with DunelmUSA, a reciprocal data sharing agreement is in place whereby the University may receive personal data relating to you.
The University is required to disclose some personal data of graduates to the Higher Education Statistics Agency (HESA) for the purpose of a survey of new graduates.
Additionally, we share data on a considered and confidential basis, where appropriate, with affiliated organisations and individuals which support and provide services to alumni and supporters, such as volunteer partners closely related to us (e.g. development and advisory board members).
DARO may share personal data with other third party organisations which carry out contracts on behalf of the University (such as a venue hosting a University event). DARO will only share personal data that is relevant and proportionate. The University’s partners are subject to contractual agreements which help to ensure compliance with Data Protection legislation. This will happen in the following circumstances:
- To send you a copy of our printed alumni magazine or other newsletters;
- To send you direct mail relating to our fundraising appeals;
- To maintain your contact details so that we can keep in touch by letter, email or telephone;
- To populate software used to manage our telephone campaigns;
- To assess prospective levels of giving;
- To provide consultancy services when undertaking a major fundraising appeal.
- To engage with higher education ranking/league table providers.
When DARO shares personal data as detailed above we ensure that security is maintained, using tools such as encryption and secure file transfer protocols.
Personal data is NEVER sold on to third parties.
How long personal data is held by DARO:
This information is additional to the information in Part 1 about Retention.
DARO considers its relationship with alumni, donors and other stakeholders to be life-long. This means that we will maintain a stakeholder record for you until such time as you tell us that you no longer wish us to keep in touch. In this instance DARO will delete the majority of your personal data it holds, but in the case of alumni will maintain basic personal data to ensure that we do not inadvertently create a new or duplicated record in the future.
How to object to DARO processing your personal data:
Individuals have the right to object to DARO processing their personal data for any or all of the purposes set out in this Privacy Notice; they may do so at any time. To exercise this right, please email
daro.privacy@durham.ac.uk giving clear details of the processing activities and/or types of personal data to which your objection applies (see sections above for descriptions).
Visitors to our websites/webpages:
When someone visits
www.dunelm.org.uk we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be transparent about this. We will make it clear when we collect personal information and will explain what we intend to do with it.
Use of cookies by [Department/College/Service]:
You can read more about how we use cookies on our
Cookies page.
Links to other websites:
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.
Changes to this privacy notice:
We keep our privacy notice under regular review. This privacy notice was last updated on 20 November 2018 and will be next reviewed in November 2019.
Further information:
If you have any questions which you feel have not been covered by this Privacy Notice, please do not hesitate to email us or write to:
Senior Data Officer,
Development and Alumni Relations Office,
Palatine Centre,
Durham,
DH1 3LE
daro.privacy@durham.ac.uk