Brasenose College ICT Systems Privacy Notice (v1.3)

Brasenose College is committed to protecting the privacy and security of personal data.

This notice applies to users of Brasenose College ICT systems, email, and telephones/mobile devices. It applies to anyone allowed to use such systems or devices, including staff, students, and visitors.

Separate privacy notices covering other aspects of processing (for example, staff, student and website user data) are available at:
https://www.bnc.ox.ac.uk/privacypolicies

This notice explains what personal data Brasenose College holds about you in relation to ICT system usage, how we use it, how we share it, how long we keep it, and what your legal rights are.

For personal data that you supply to us, this notice explains the basis on which you are required or requested to provide it. For personal data that we generate about you, or receive from others, it explains the source.

“Personal data” is information relating to you as a living, identifiable individual. “Processing” means collecting, recording, organising, using, disclosing, storing, or deleting data.

Data protection law requires us:

• To process your data in a lawful, fair, and transparent way;
• To collect your data only for explicit and legitimate purposes;
• To ensure the data collected is relevant and limited to those purposes;
• To keep your data accurate and up to date;
• To retain your data only as long as necessary; and
• To apply appropriate security measures to protect it.

The Data Protection Officer
Brasenose College
Radcliffe Square
Oxford OX1 4AJ
data.protection@bnc.ox.ac.uk

In most cases, the data you provide is a necessary requirement for using Brasenose College ICT systems. For example, a password is required to access College systems. If you do not provide such data, you may not be able to use the systems. Depending on circumstances, this may become a disciplinary matter that could lead to termination of your contract (for staff or students).

• The University of Oxford, which operates systems that Colleges can access (e.g. Single Sign-On data).
• Information generated during operation of the College’s ICT systems or obtained from third-party suppliers (e.g. telephone records).
• Your Internet Service Provider (ISP) if you use Remote Access Services from outside the University network.

• Where it is necessary for our legitimate interests (or those of a third party) and your rights do not override those interests;
• Where it is necessary to perform a contract we have entered into with you; or
• Where it is necessary to comply with a legal obligation.

We may also process your data to protect vital interests (for example, in emergencies).

“Special categories” of particularly sensitive data require higher levels of protection. These include racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, biometric data, health data, or data concerning sex life or sexual orientation.

We may process such data where:

• We have your explicit written consent;
• It is necessary in the substantial public interest (e.g. prevention of unlawful acts or equal opportunities monitoring); or
• It is necessary for archiving, research, or statistical purposes under legal safeguards.

We also maintain appropriate policies and safeguards required by law. Less commonly, we may process such data for legal claims, to protect vital interests, or where you have made it public.

We may process such data on the same lawful grounds as special category data.

Our Record of Processing Activities (ROPA) sets out processing details, data sources, purposes, retention, and lawful bases. It can be found at:
https://www.bnc.ox.ac.uk/privacypolicies

We may monitor use of College telephones and ICT services, including (subject to safeguards) email content, internet usage, and call records, to ensure systems are not used for unlawful purposes or in breach of University ICT regulations. Safeguards are in place to ensure individual privacy is appropriately protected.

Lawful basis: legitimate interest in maintaining ICT integrity, investigating misuse, and preventing recurrence.

We do not sell your data. We only share it with third parties when legally required or permitted (e.g. reporting alleged criminal activity to the police).

Third-party service providers are required to comply with our Supplier Information Security Policy and process data only under our instructions. They cannot use your data for their own purposes.

More information on data recipients appears in the Brasenose Data Sharing table:
https://www.bnc.ox.ac.uk/privacypolicies

The law provides safeguards for data transferred outside the EU. Where no adequacy decision or safeguard exists, we may still transfer necessary data (e.g. for contract performance with staff or students). We will notify you before any such transfer and explain safeguards applied.

We do not make decisions about you based solely on automated means. If this changes, we will notify you in writing.

Retention periods are listed in our ROPA:
https://www.bnc.ox.ac.uk/privacypolicies

If legal, disciplinary, or criminal investigations are ongoing, deletion may be suspended until resolved. Anonymised statistical data may be kept indefinitely.

• Right to access a copy of your data and information about its use;
• Right to correct inaccuracies or complete incomplete data;
• Right to have data erased in certain circumstances;
• Right to restrict processing (for example, to verify accuracy);
• Right to receive and transfer your data to another controller;
• Right to object to direct marketing;
• Right to object to processing based on legitimate or public-interest grounds;
• Right to object to automated decision-making with legal or significant effects; and
• Right to withdraw consent at any time (where applicable).

Contact:

The Data Protection Officer
Brasenose College
Radcliffe Square
Oxford OX1 4AJ
data.protection@bnc.ox.ac.uk

Further guidance: https://ico.org.uk/

Complaints: You have the right to contact the Information Commissioner’s Office if you believe your data has been processed unlawfully.

We may update this notice from time to time if the law, technology, or College/University procedures change. If changes are material, we will provide at least two months’ notice so that you can exercise your rights before the change takes effect.

Past versions can be found at:
https://www.bnc.ox.ac.uk/privacypolicies

Version control: v1.3 (June 2023)

Last Review Date: June 2023
Next Review Date: June 2025