Brasenose College GDPR ROPA – Security, Emergency & CCTV Processing Activities
Version 1.4 (Reviewed June 2023)
| ID | Category of personal data | Source of the data | Why we process it | How long we keep this data | Our lawful basis for processing | Details relating to lawful basis (where applicable) | Special category / public interest / criminal data |
|---|---|---|---|---|---|---|---|
| 1 | CCTV recordings and still images taken from recordings, records of who has accessed the CCTV images and recordings, and the reason for accessing them. | We obtain this data from the University of Oxford. | We hold CCTV recordings for the purpose of providing safety and security on campus and to assist with prevention and detection of crime or other unlawful activity. Where an incident is recorded we may capture images for investigations by the College or police. | For 12 months. | Necessary for legitimate interests and compliance with a legal obligation. | The College, its members and visitors have a legitimate interest in being in a safe and secure environment. Access logs are recorded to comply with security and accountability obligations under data protection law. | Processing is necessary for prevention or detection of an unlawful act and must be carried out without consent so as not to prejudice those purposes. |
| 2 | The College holds contact information for students, emergency contacts (e.g. parents of students) and staff, and bedroom numbers for students. | We obtain this data from the University of Oxford, from you, and we generate this data about you. | So that we can contact staff, students or their nominated emergency contacts in case of an emergency. | Whilst you are a registered student. | Necessary for legitimate interests. | The College, its staff and students have a legitimate interest in being able to communicate with each other in case of an emergency. | |
| 3 | Emergency medical information about students held by College security. | We obtain this data from you. | Where students inform us of a medical condition or disability that might be relevant in a medical emergency. | Whilst you are a registered student. | Necessary to protect vital interests; necessary for legitimate interests. | The College and its students have a legitimate interest in the College holding information which might help treat or prevent a medical emergency. | Processing is necessary to protect someone’s vital interests where the individual is incapable of giving consent. |
| 4 | Informing emergency contacts about any medical emergency. | We obtain this data from you and/or others who have information about you, depending on the nature of the emergency. | To inform your nominated emergency contact(s) in case of a medical emergency. | Whilst you are a registered student. | Necessary for legitimate interests. | The College and its students have a legitimate interest in ensuring emergency contacts are made aware in the event of a medical emergency. | Explicit consent. |
| 5 | Security access records for staff, students and visitors (e.g. contractors, conference delegates), including name, ID number (linked to key/fob or card), university card number, vehicle registration, and timing of access to buildings, as well as access rights assigned to each person. | We generate this data about you. | To assist with security, maintain records of who is on the premises in case of fire or emergency, prevent unauthorised access, and assist with issuing or replacing keys, cards and fobs. | For twelve months. | Necessary for legitimate interests. | The College, its members and visitors have a legitimate interest in maintaining College safety and security. | |
| 6 | College security holds contact details for contractors working on College premises, and information about the contracts they are working on. | We obtain this data from you. | So that we may contact those working on College premises to discuss work being undertaken or in an emergency. | Whilst work is ongoing or further work involving you is anticipated. | Necessary for legitimate interests. | The College and its contractors have a legitimate interest in being able to communicate about work being undertaken or in an emergency. | |
| 7 | Accident records containing information about the date and nature of the accident, who was involved, who witnessed it and any steps taken. | We generate this data about you. | To keep a record of accidents occurring on College premises and, where required, to report them to the relevant authority. | Five years from the date of the accident. | Necessary for legitimate interests and compliance with a legal obligation. | The College has a legitimate interest in creating and retaining accident records to manage health and safety risks. In some cases it is legally obliged to record and report accidents under the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013. | Substantial public interest under the UK Data Protection Act 2018: protection of the public from health and safety risks, carried out without consent to avoid prejudice to such protection. |
| 8 | Records of keys and access cards/fobs issued, including the name of the person issued and the identity number of the fob. | We obtain this data from the University of Oxford and we generate this data about you. | To record who holds keys and access cards/fobs to support College security arrangements. | For as long as you hold the key/card/fob and 12 months after return. | Necessary for legitimate interests. | The College has a legitimate interest in maintaining the security of its premises. | |
| 9 | Room booking records consisting of room, date/time, booking description and the identity of the person or organisation booking the room, including decisions made under the College’s obligation to uphold freedom of speech within the law. | We obtain this data from you; we generate this data about you. | As part of providing College rooms and facilities for members of the College. | Until 12 months after the date of the event. | Necessary for legitimate interests and compliance with a legal obligation (where freedom of speech issues are involved). | The College has a legitimate interest in making rooms available for events. Where special category data is processed, it is done to meet statutory obligations concerning freedom of speech under the Education (No 2) Act 1986. |
Substantial public interest under the UK Data Protection Act 2018; the processing meets a condition in Part 2 of Schedule 1 to the Act. |
| 10 | Names and addresses for delivery of mail and other items, including parcel receipt and management records containing names of recipient, location of parcel and who signed for it. | We generate this data about you. | To manage delivery and receipt of mail and parcels. | For twelve months. | Necessary for legitimate interests. | The College and its members have legitimate interests in receiving deliveries and maintaining records to reduce the risk of lost items. | |
| 11 | Punt booking records consisting of the date and time of booking, and the name and purpose of booking. | We obtain this data from you; we generate this data about you. | To assist with administration and security of College punts. | For twelve months. | Necessary for legitimate interests. | The College has a legitimate interest in providing access to its punts. | |
| 12 | Pigeon hole management records consisting of the names of pigeon hole holders. | We generate this data about you. | To assist with delivering post and other items to pigeon holes. | For as long as you have the pigeon hole. | Necessary for legitimate interests. | The College and its members have a legitimate interest in operating a pigeon hole system for efficient mail delivery. | |
| 13 | Parking access request forms containing the applicant’s name. | We obtain this data from you; we generate this data about you. | To consider parking space applications and determine allocation. | For as long as you have the parking space. | Necessary for compliance with a legal obligation and for legitimate interests. | The College has a legitimate interest in supporting staff with disabilities and fulfilling obligations to make reasonable adjustments under equality law. | Substantial public interest under the UK Data Protection Act 2018: processing for compliance with duties under the Equality Act 2010, necessary to prevent a breach of that legislation and carried out without consent to avoid prejudice to the College’s legal obligations. |
Version control: Version 1.4 (Reviewed June 2023)