This guide is for prospective students, applicants and their families. In order to respond to your enquiries about the University and process your application to study with us, we need to collect, hold and use your personal information. This guide explains what we do with your data and why. If you go on to enrol as a student with us, you can find further information.
This page provides you with information on:
Who is the Data Controller
Heriot-Watt University is the Data Controller for personal data we hold about you. If you contact Edinburgh Business School (EBS) or apply to study with EBS for a Heriot-Watt University (HWU) award, HWU and EBS are joint data controllers. If you contact EBS or apply to study with EBS for a course, EBS is the data controller.
Where we use the term ‘University’, this includes all members of the Heriot-Watt University Group, including EBS. We hold your personal data securely and restrict access to personal information to people who need to use it in the course of their duties. When collecting and processing information about you, we must comply with the UK Data Protection Act, 2018, the European Union General Data Protection Regulation and other privacy laws, such as the Malaysia Personal Data Protection Act, 2010, that apply in the countries in which the University operates.
What personal information do we collect and use
- Personal and family details including date of birth and contact information;
- Your enquiries about the University
- Attendance at open days on campus or participation in online chat rooms and social media events
- Any goods or services provided e.g. catering at open days
- Visual images, personal appearance and behaviour if captured on CCTV or film at open days and events on our campuses
- Any information you choose to give us about your personal circumstances that may be relevant to your enquiry or application; this may include your interests, educational background, any dietary, health, welfare or access needs; this may include sensitive personal data
If you apply to study with us
In addition to the above information we also need to collect and hold the following personal information for the purposes set out in this guide:
- Education and student records including transcripts, examination certificates and references
- Any relevant employment details
- Financial information; eligibility for fees and financial support
We may also need to process sensitive information, also known as special categories of data, where this is necessary:
- To accommodate a special need you have disclosed to us such as dietary requirements or a disability
- To meet a legal obligation such as immigration, health and safety law
- For monitoring our compliance with equality law, only for applicants to UK courses, and where we have your consent
This data may include:
- Racial or ethnic origin
- Religious or other similar beliefs
- Physical or mental health details
- Offences and alleged offences
- Criminal proceedings, outcomes and sentences
- Sexual life
Why we collect and use personal data
- Where we have your consent. You can withdraw your consent at any time
- Where we need to take steps at your request prior to entering into a contract, if you apply to any of our programmes or are considering purchasing one of our EBS online distance learning courses
- For academic purposes, the University Charter and Statutes gives us legal authority to process your data where this is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the University and EBS as Data Controllers;
- To fulfil our contract with you, if you have purchased one of our EBS online distance learning courses
If you apply to us through the Universities and Colleges Admissions Service (UCAS), a partner institution, like one of our international learning partners or one of our agents, we will receive the information that you have provided to these bodies.
We collect and use your information to:
- Consider and respond to your application and enrol you as a student if you are successful
- Contact you about an incomplete application
- Give you access to services on-campus and/or online
- Seek your feedback on our programmes and facilities Give access to distance learning courses
- Process scholarship applications
3. For administrative and financial management purposes: to administer fees and paid-for services
What's our legal basis?
- If you pay fees for any of our services or the use of our facilities we need to process your data to fulfil a contract you have entered into with us
4. To meet our duty of care to you and our legal obligations when you visit one of our campuses
What's our legal basis? Where this is necessary to:
- Comply with a legal obligation
- Protect vital interests in an emergency
- Exercise or defend legal claims or comply with court judgements
- Provide medical and health services
- Protect public health
We collect and use your information to:
- To meet our legal duty of care to you under health and safety and safeguarding laws
- To protect your vital interests or someone else’s e.g. in a medical emergency
- To comply with a statutory obligation e.g. under tax or immigration law To meet our obligations under equality law. Under the UK Equality Act 2010, we need to collect sensitive personal data about our applicants and students on UK campuses to assist with monitoring equality of opportunity and eliminating unlawful discrimination. We hold this information in strictest confidence and only disclose it, again in confidence, to bodies with a statutory duty to collect it, like HESA. You can choose whether you want to provide information for this purpose. If a student or applicant declares that they have a disability, we have a duty to disclose this information on a need-to-know basis to staff to ensure that reasonable adjustments are made, enabling disabled students to meet their full academic potential.
5. For public safety and the prevention and detection of crime
What's our legal basis?
- Where this is necessary for the prevention, investigation, detection or prosecution of criminal offences, including the safeguarding against and the prevention of threats to public security
Processing for these purposes includes:
- Use of CCTV systems to monitor and collect visual images
- Monitoring use of IT facilities
- Applying security, welfare and other procedural measures where necessary for the safety and security of visitors, students and the wider University community under health and safety and other relevant laws.
6. To promote the University Group
What's our legal basis? Where we have your consent
- Where necessary for archiving purposes in the public interest.
We may take photographs, and other images and recordings of open days, recruitment fairs and other University activities for possible use in our publicity and promotional material in print and online on our websites and social media. We always inform people when filming and will only feature you in such promotional material with your consent. We keep copies of some promotional material in the University Archive as a record of University life down the years.
7. For archiving and research
What's our legal basis?
- Where this is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
While always protecting your rights to privacy we may:
- Retain copies of promotional material and other records of University community life that may include images and other data about prospective students and other visitors
- Produce management and statistical information to monitor and improve our performance and our services to you and inform strategic planning, e.g. for recruitment; or for academic research. Wherever possible we will anonymise this information and will maintain strict confidentiality of any statistical data that could potentially identify individuals. We will not use this data to take measures or decisions that could affect you
Who your information may be shared with and why
- Recruit students to a programme or course via a recruitment agent or regional manager
- Recruit students to a programme or course managed collaboratively or jointly between the University and a partner institution, such as an approved learning partner or collaborative partner (information about our partners is available)
- Confirm your attendance, progress and attainment at your current or previous place of study
- Verify your academic qualifications, and to obtain references
- Confirm your sponsorship status of funding arrangements where relevant
If you have taken part in one of our widening access programmes such as the Lothians Equal Access Programme for Schools (LEAPS) or the Scottish Wider Access Programme (SWAP) which provide advice and support to help eligible students to enter Higher Education, we may share limited information with such organisations about your progress and outcome of your studies, in order to improve services for future participants.
2. To meet our legal obligation to you and other organisaitions, we will:
- Help the emergency services (fire, police, ambulance) or a health professional to protect your vital interests or someone else’s e.g. in a medical emergency
- Submit statistical returns to governments or their agencies, such as the Scottish Funding Council, and other official bodies, such as the Higher Education Statistics Agency (HESA). This may include sensitive data for equality monitoring purposes. You can find a copy of the HESA Data collection notice
- Meet a statutory or regulatory obligation, e.g. a court order
- Confirm your eligibility for tuition fee funding with agencies including the Student Awards Agency for Scotland, the Student Loans Company or your sponsor
- Comply with immigration laws. This involves disclosure and data sharing with UK Visas and Immigration; about applicants and students to UK campuses who are subject to immigration law and about students and applicants to our Dubai and Malaysia campuses to the relevant government authorities
- Provide limited information necessary to an organisation with a statutory function, such as the police, where this is necessary for law enforcement
International data transfers
- Make sure that appropriate safeguards are in place to protect your information and your rights under privacy law
- Apply the same high standards of privacy and security wherever we process your data
Automated decision making
How long we keep your personal data
- You would like us to keep in touch with you if you are thinking about studying with us
- We need to consider and respond to your application and comply with our legal and audit obligations
Our arrangements for keeping your personal data are as follows:
- If you do not apply or enrol with us we will normally destroy your personal data securely a maximum of two years after you last contacted us
- If you apply to us but do not enrol with us we will destroy your data within one year of the end of the academic year for which you applied
- If you enrol with us we will use the information you have provided as the basis of your student record
More information about how long and why we keep your personal data.
You have the right to:
- Ask us to stop sending you information about the University if you don’t want to apply to us. You can do this any time by clicking the unsubscribe button at the end of our emails or contacting us using the details below
- Find out what personal data we process about you and obtain a copy of the data, free of charge within one month of your request. We may make a charge for additional copies of the same information;
- Ask us to correct inaccurate or incomplete data.
If you think we are acting unfairly or unlawfully you can:
- Object to the way we are using your data;
- Complain to the UK Information Commissioner’s Office.
Under certain conditions you also have the right to ask us to:
- Restrict the use of your data e.g. if you have raised issues about the accuracy or use of your personal data, until we have investigated and responded to your concerns;
- Erase your information or tell us to stop using it to make decisions about you;
- Comply with your wishes where you have previously agreed to us processing your data for a particular purpose and have withdrawn your consent to further processing;
- Provide you with a portable electronic copy of data you’ve given us.