Student Privacy Notice

1. Introduction

Aberystwyth University (AU) is the data controller and is committed to protecting the rights of students in line with the UK Data Protection Act (DPA) and the General Data Protection Regulation (GDPR) introduced in 2018. 

The contact address of the data controller (AU) is:

Aberystwyth University
SY23 3FL

AU has a Data Protection Officer who can be contacted at

This statement explains how the University handles and uses your personal information during your time as an applicant, a student and after you graduate. The University is committed to protecting your information and being transparent about what information it holds. The University has a range of data protection policies and procedures in place which can be found here

Personal information may also be collected centrally, or by departments of the University, such as Student Support Services, and fair processing/privacy notices will be provided at the point of collection as required.

2. What information do we collect about you?

AU will collect information about you in the course of its dealings with you as a current or former student, for example, when you apply, when you enrol and as you progress through your course. We may also receive information about you from outside the University, such as information from UCAS relating to undergraduates' UCAS applications, as well as information supplied by referees.  The types of personal information processed include, though are not limited to, the following:

  • Contact details and other information submitted during the application and enrolment processes.
  • Details of courses, modules, timetables and room bookings, assessment marks and examinations.
  • Evidential information gathered in relation to academic support processes such as special circumstances, unacceptable academic practice investigations.
  • Financial and personal information collected for the purposes of administering fees and charges, loans, grants, scholarships and hardship funds.
  • Photographs, and video recordings for the purpose of recording lectures, student assessment and examinations.
  • Information about an individual’s engagement with the University such as attendance information and use of electronic services such as Blackboard, the University’s VLE (Virtual Learning Environment).
  • Contact details for next of kin, or others, to be used in an emergency (please note that you should inform those whose details you are supplying that this is being done)
  • Information related to the prevention and detection of crime and the safety and security of staff and students, including, but not limited to, CCTV recordings and data relating to breaches of University regulations.
  • Information gathered for the purposes of equal opportunities monitoring.
  • Information relating to the provision of advice, support and welfare, such as data relating to the use of the services offered by Student Support Services.
  • For international students: Copies of passports, visas and any other documents required to ensure compliance with Home Office requirements as well as biometric data for attendance purposes.
  • For UK and EU students: Copies of passports or any other documents required to ensure eligibility to receive financial support from the UK government and in compliance with right to study and identification requirements.

Some of this data may be categorized as sensitive data (or ‘special categories’ under GDPR).

3. How will your information be used?

Although it is not possible to state every purpose for which your information will be used, the following are examples of how it is likely to be used while you are a student and after you leave. Note that a core record will be retained after you graduate and will be used as outlined below. The number in brackets refers to the legal basis as defined by the General Data Protection Regulation and detailed in the section below, relied upon by the University, in order to lawfully process your data.

  • To administer your studies and record academic achievements (e.g. your course choices, examinations and assessments, and the publication of pass lists and graduation programmes) (i), (iv)
  • To assist in pastoral and welfare needs (e.g. the wellbeing service and services to disabled students) (ii)
  • To administer support for all your employability needs (e.g. accessing careers advice). Your information may be processed by a third party under contract in order to ensure you have access to a range of employability services that complement the University’s own resources. Your information will be held after you graduate in order to ensure you maintain access to the full career development support that the University offers all of its graduates (iii)
  • To administer financial aspects of your enrolment as a student (e.g. payment of fees, debt collection) (i)
  • To provide or offer facilities and services to students (e.g. accommodation, sporting facilities, computing facilities and the Library) (i), (ii,) (iii)
  • To carry out investigations in accordance with academic and misconduct regulations (i)
  • To operate security, disciplinary, complaint, quality assurance and estate management processes and for general identification purposes (e.g. identifying individuals, property, vehicles and for recording of associated incidents) (i), (iii)
  • To produce management statistics and to conduct research into the effectiveness of our programmes of study as well as produce statistics for statutory purposes (iv), (v)
  • To monitor engagement of students on Tier 4 Visas to ensure compliance with the terms of their sponsorship (iv)
  • To maximise individuals’ opportunities to succeed through the use of learning analytics which are used to monitor engagement with their studies. This will involve the processing of data such as attendance, assessment and VLE usage to develop an overall picture of engagement. Such processing will only take place where it is necessary for the pursuit of the legitimate interests of the University or the student and only where the processing is not unwarranted and will not cause a prejudicial effect on the rights and freedoms, or legitimate interests, of the student. Sensitive / special category personal data will only be processed where the University is looking at trends and pattern analysis to produce management statistical reports (iii), (v)

For further information, see:

  • To monitor compliance with our responsibilities under equal opportunities policies and other legal obligations such as the Prevent agenda (iv), (v)
  • For Higher Education Statistics Agency (HESA) purposes - AU is required to send some of the information which we collect about students to HESA for statistical analysis purposes (iv), (v)
  • For Higher Education Statistics Agency (HESA) and/or a third party under contract, to conduct the Graduate Outcomes Survey after you graduate (iv)

Please note that details relating to the processing of your personal data by the Higher Education Statistics Agency can be found here:

  • For the Higher Education Achievement Report (Diploma Supplement) – to provide more detailed information about a student’s learning and achievement than the traditional degree classification system (iv)
  • For Council Tax exemption purposes or to help with voter registration where personal information is shared with Local Authorities (iii)
  • For inclusion in the graduation brochure produced for the Graduation Ceremony (iii)
  • To make contact with you after you graduate about alumni membership and events, about fundraising new developments at the University and to update your communication preferences to ensure your experience of the Alumni Association is as rewarding as possible (iii), (ii)
  • To verify awards, provide transcripts of marks and to provide academic references for career support after you have graduated (iii), (iv)
  • To assist the Students’ Union in their administration of elections and facilitate its running in a fair and democratic manner. Where consent has been provided, the University will also share ethnicity data to enable the Students’ Union to monitor and promote BME engagement (iii), (ii).


Legal basis for processing your information

(i) By commencing or enrolling as a student, AU will be required to collect, store, use and otherwise process information about you for any purposes connected with teaching, support, research, administration, your health and safety and for other reasons deemed necessary for the performance of your contractual agreement with the University. We will also use your information for certain purposes after you cease to be student. See GDPR Article 6(1)(b)

(ii) The University will obtain consent from you in order to assist with your pastoral and welfare needs (e.g. the counselling service and services to disabled students). See GDPR Article 6(1)(a).

(iii) Processing of your personal data may also be necessary for the pursuit of our legitimate interests or of a third party’s legitimate interests -but only where the processing does not fall within our core public function, is not unwarranted and will not cause a prejudicial effect on the rights and freedoms, or legitimate interests, of the student See GDPR Article 6(1)(f).

(iv) Processing of your personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the University (see GDPR Article 6(1)(e)) and for statistical and research purposes (see GDPR Article 89).

(v) Processing of Special Categories data is necessary for the statistical and research purposes in accordance with article 89(1) based on the duties in the Equality Act 2010 (see GDPR Article 9(2)(j))

 4. Who receives your information?

Where necessary, personal information will be shared internally between academic and service departments across the University. Personal information is protected by the University and information will not be disclosed to third parties without consent, or, unless it is permitted by law. This section outlines the major organisations and the most common circumstances in which the University discloses information about students to third parties. Where this involves international transfer, information will only be transferred if it meets the conditions set down under current Data Protection legislation.

  • Higher Education Statistics Agency (HESA) - AU is required to send some of the information which we collect about students to HESA for statistical analysis purposes (see 4 above for details) and to conduct the Graduate Outcomes Survey.
  • The Higher Education Funding Council Wales (HEFCW) or relevant successor bodies in line with our statutory responsibilities.
  • The University is licensed to sponsor migrant students under Tier 4 of the points-based system. The University will provide data about students on the Tier 4 Student Visa to the Home Office and its departments in order to fulfil its duties under its license.
  • Sponsors and parents where consent has been provided.
  • Other Higher Education Institutions or Colleges if, for example, your programme of study involves spending a period of time at an institution outside AU, including at a higher education institution abroad or if you have come to AU as a visiting or exchange student, we may need to share information about you with the other institution involved in the exchange. This will be done for the administration of the visit, exchange or study abroad, and so that the other institution can carry out its duties in regard to your studies. Personal data may also need to be shared during the course of other collaborative projects, modules or circumstances whereby verification of qualifications or personal data is required.  In some cases students may be admitted through the University admission system, but study at another institution, and thus sharing of data will be necessary.
  • Professional bodies (e.g. in order to confirm qualifications and that a students has met the requirements for professional accreditation.
  • Work placement sites or educational partners involved in joint course provision.
  • The Student Loan Company to confirm enrolment, attendance and identity in order that students can access financial support.
  • Debt recovery and control companies in order to recover debt on behalf of the University, where internal debt recovery procedures have been unsuccessful.
  • Potential employers or providers of education that you have approached.
  • UK agencies with duties relating to prevention and detection of crime, collection of a tax or duty or safeguarding national security. Students should note that there is a statutory duty for higher education institutions to have due regard to the need to prevent individuals from being drawn into terrorism. This may mean that, in particular circumstances, the University will need to pass on personal data to co-ordinating bodies and partner organisations such as local government and the police. Also courts or Coroners’ Offices.
  • Plagiarism text matching service providers in accordance with the relevant contract. These service providers may be outside the EEA.
  • Local Authorities for purposes of council tax exemption where it is necessary for the pursuit of the legitimate interests of the Local Authorities or the student but only where the processing does not fall within our core public function, is not unwarranted and will not cause a prejudicial effect on the rights and freedoms, or legitimate interests, of the student.
  • Local Authority Electoral Offices in order to facilitate self-registration. Please note that the University, itself, does not register you to vote. Students should check with the Council’s Electoral Office to ensure that they are on the electoral register. See:
  • Students’ Union where it is necessary for the pursuit of the legitimate interests of the Students’ Union or the student in order to take part in democratic processes, benefit from representation services, join sports clubs and societies and receive communications. Where consent has been provided, the University will also share ethnicity data to enable the Student Union to monitor and promote BME engagement. A data sharing agreement governs this process which facilitates the University’s obligations under section 22 of the Education Act 1994.
  • Auditors, solicitors, insurers, debt collection agencies and other agents of the University may require access to personal data from time to time where this becomes necessary.

Any other disclosures that the University makes will be in accordance with data protection legislation and your interests and rights will be carefully considered.

 5. Further information relating to your data

Automated decision-making, including profiling

The University may undertake automated decision making in only a limited number of circumstances, those usually relating to assessment of fees status, suitability for financial assistance and in the area of learning analytics.  If you have any queries relating to these processes please contact the Data Protection Officer.

Transfers to Third Party Countries outside the European Union/European Economic Area (EU/EEA)

In order to achieve the purpose for which we are processing your data, we may need to share your data with organisations outside the EU/EEA.  In these circumstances the University will ensure that appropriate safeguards are in place.  In most cases, transfers will be necessary for the performance of the contract between the student and the University and/or will be undertaken with the consent of the student.

Third party services

The University may use, under contract and agreement, third party suppliers or processors to provide particular services to students, such as email or data storage, or services to staff to aid teaching or marking.  These will involve transfer of your personal data to these parties/services.  These third parties will be compliant with GDPR and data will normally be processed within the UK or within the EU/EEA.  Similarly, the University or external organisations, may use third parties to undertake survey or other work which may involve these third parties having access to your data.  Also, in a limited number of cases you will be asked to enrol yourself and sign up to third party processors or service suppliers which will include adhering to their Terms of Service.  This will be expected as part of your contract with the University.

Non-UK based students

Information relating to students based at non-UK sites may also be provided to appropriate official bodies (equivalent or similar to those listed in 4 above) in those countries in which they are based.

Your rights

You have a right to access your personal information, to object to the processing of your personal information, to rectify, to erase, to restrict and to portability of your personal information. If you have provided consent to AU to process any of your data then you also have a right to withdraw that consent. Please visit the University Data Protection webpages for further information in relation to your rights:

Any requests or objections should be made in writing to the University’s Data Protection Officer.


Data protection legislation requires us to keep your information secure. This means that your confidentiality will be respected, and all appropriate measures will be taken to prevent unauthorised access and disclosure. Only members of staff who need access to relevant parts or all of your information will have authorised access. Information about you in electronic form will be subject to password and other security restrictions, and paper files will be stored in secure areas with controlled access.


The University retains your information in line with established higher education retention schedules. A core record showing your dates of attendance, details of your degree or other qualification or other outcome will be held permanently.  Most other personal data will be destroyed within 6 years of you leaving the institution.


As a student, you will be supplied with and Abercard which is used for a range of access, recording and identification processes.  The printed card will contain your photograph and name and you may be required to show this to University staff for identification purposes. For further details see:


If you are unhappy with the way in which your personal information has been processed you may, in the first instance, contact the University’s Data Protection Officer using the contact details above.

If you remain dissatisfied then you have the right to apply directly to the Information Commissioner for a decision. The Information Commissioner can be contacted at: -

Information Commissioner’s Office,
Wycliffe House,
Water Lane,

Your responsibilities

You have a responsibility to keep your personal details up-to-date. During the course of your studies there are a number of circumstances in which you may have access to personal information about others, either at AU or elsewhere, such as at a work placement. You are expected to treat this in a responsible and professional manner and are legally required to do this under data protection legislation, as well as any professional ethics, codes of conduct or local rules and regulations.  If you are made aware of personal information in confidence then you are expected to not tell anyone without the individual’s consent, unless there are exceptional circumstances. You should also not seek to gain others’ personal data if you are not entitled to it. Disciplinary action will be considered for any University member who breaches data protection legislation or a duty of confidence.