Brasenose College Security, CCTV and Monitoring Privacy Notice (v1.4)

A summary of what this notice explains

This privacy notice applies to data processing activities undertaken by Brasenose College for security and monitoring relating to staff, students, and visitors to College premises, including CCTV, access control, and related processing.

Brasenose College is committed to protecting the privacy and security of personal data.

This notice applies to anyone who interacts with Brasenose College security, including the College Lodge and CCTV systems operated by the College — including staff, students and visitors.

Separate privacy notices cover other aspects of processing (for example, staff, student, and website users’ data) and are available at:
https://www.bnc.ox.ac.uk/privacypolicies

This notice explains what personal data Brasenose College holds about you, how we use it internally, how we share it, how long we keep it, and what your legal rights are in relation to it.

For personal data that you supply to us, this notice explains the basis on which you are required or requested to provide it. For personal data that we generate about you or receive from others, it explains the source of the data.

What is your personal data and how does the law regulate our use of it?

“Personal data” is information relating to you as a living, identifiable individual (“your data”). “Processing” your data includes various operations such as collecting, recording, organising, using, disclosing, storing, and deleting it.

Data protection law requires us:

  • To process your data in a lawful, fair and transparent way;
  • To only collect your data for explicit and legitimate purposes;
  • To only collect data that is relevant and limited to the purposes we have told you about;
  • To ensure that your data is accurate and up to date;
  • To ensure that your data is only kept as long as necessary for those purposes; and
  • To ensure that appropriate security measures are used to protect your data.

Brasenose College’s Contact Details

The Data Protection Officer
Brasenose College
Radcliffe Square
Oxford OX1 4AJ
data.protection@bnc.ox.ac.uk

Data that you provide to us and the possible consequences of you not providing it

In most cases, the data you provide will be a necessary requirement of entering or living on Brasenose College premises. If you do not provide such data, you may not be able to enter College premises. Depending on circumstances, this may become a disciplinary matter that could lead to termination of your contract (for staff or students).

Other sources of your data

We may also generate data about you — for example, if you use a Brasenose College fob or swipe card to access premises, the access control system will generate logs of your attendance.

The lawful basis on which we process your data

  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests;
  • Where it is necessary to comply with a legal obligation; and
  • In limited cases, to protect your or another person’s vital interests (e.g. in an emergency).

How we apply further protection in the case of “Special Categories” of personal data

“Special categories” of particularly sensitive data require higher protection. These include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation.

We may process such data where:

  • We have your explicit written consent; or
  • It is necessary in the substantial public interest — for example:
    • For the prevention or detection of unlawful acts (without consent so as not to prejudice investigations); or
    • For equal opportunities monitoring;
  • It is necessary for archiving, research or statistical purposes, under legal safeguards for your rights and interests.

Further details are in our Record of Processing Activities (ROPA): https://www.bnc.ox.ac.uk/privacypolicies

Less commonly, we may process such data for legal claims, to protect vital interests, or where you have made it public.

Criminal convictions and allegations of criminal activity

We may process data relating to criminal convictions and allegations on the same lawful bases as special category data.

Details of our processing activities, including lawful basis

Our ROPA sets out the data categories, sources, processing purposes, retention, and lawful bases: https://www.bnc.ox.ac.uk/privacypolicies

It includes:

  • CCTV monitoring: Used to provide safety and security on College premises, prevent crime, and support investigations. Disciplinary action may be taken if footage evidences breaches of staff or student policies. Monitoring follows the College’s CCTV policy, which includes privacy safeguards. Lawful basis: the College’s legitimate interest in maintaining safety and fulfilling legal obligations.
  • Movement records: Logs of staff, student, and visitor access (via fobs, cards, or manual records). Lawful basis: legitimate interest in maintaining safety and security.
  • Room bookings and event records: Including freedom of speech compliance under the Education (No. 2) Act 1986. Lawful basis: legitimate interest (and legal obligation for freedom of speech compliance).

How we share your data

We do not sell your data. We only share it where required or permitted by law, such as reporting criminal activity to the police.

Third-party providers must protect your data under formal agreements and process it only under our instructions. They cannot use your data for their own purposes.

Details of recipients appear in the Brasenose Data Sharing table: https://www.bnc.ox.ac.uk/privacypolicies

Sharing your data outside the UK / European Economic Area (EEA)

Data may flow between the UK and EEA without additional measures. We will not transfer your data outside these areas without notifying you and explaining applicable safeguards.

Automated decision-making

We do not make decisions about you based solely on automated means. If this changes, we will notify you in writing.

How long we keep your data

Retention periods are listed in the ROPA: https://www.bnc.ox.ac.uk/privacypolicies

We may keep anonymised statistical data indefinitely, but it cannot identify you.

If legal, regulatory, or disciplinary investigations are ongoing, deletion may be delayed until those are resolved.

Your legal rights over your data

  • Right to request access to a copy of your data and information about its use;
  • Right to correct inaccuracies or complete incomplete data;
  • Right to erase personal data in certain cases;
  • Right to restrict processing (e.g. to verify accuracy);
  • Right to receive and transfer your data to another controller;
  • Right to object to direct marketing;
  • Right to object to processing based on legitimate interest or public-interest tasks;
  • Right to object to automated decision-making with legal or significant effects; and
  • Right to withdraw consent at any time (where applicable).

Contact:

The Data Protection Officer
Brasenose College
Radcliffe Square
Oxford OX1 4AJ
data.protection@bnc.ox.ac.uk

Further guidance: https://ico.org.uk/

Complaints: You have the right to contact the Information Commissioner’s Office if you believe your data has been processed unlawfully.

Future changes to this privacy notice and previous versions

We may update this notice periodically due to legal, technological, or procedural changes. If changes are material, we will provide at least two months’ notice by email or notice in the College Lodge.

Past versions are available at: https://www.bnc.ox.ac.uk/privacypolicies

Version control: v1.4 (February 2024)

Last Review Date: February 2024
Next Review Date: February 2025