¹û½´ÊÓƵ¹ÙÍø

How we process and look after your personal data

¹û½´ÊÓƵ¹ÙÍø is committed to protecting your privacy and keeping you informed on how your personal data is processed. This policy explains how we collect, store, use and protect your personal data and the rights you have. This policy is reviewed annually. From time to time, we may update the policy. We encourage you to review it regularly to stay informed.

Detailed Privacy Policy

Specific privacy notices

This privacy policy includes general information about how we process your data, more specific information is available depending upon your connection with us – please see links below.

Staff Privacy Notice

This notice is available to colleagues via The Hub, and explains how People and Culture will collect and use the personal data of our employees to manage the employment relationship. The notice also covers those who have a temporary or ongoing relationship with us.

Student Privacy Notice

In order to carry out our duties as a university, we must collect and process personal and sensitive data relating to students. Download the Student Privacy Notice.

Alumni Privacy Notice

The privacy notice is supplementary to the University's Privacy Policy and applies specifically to information held about alumni, supporters, and friends of ¹û½´ÊÓƵ¹ÙÍø. Download the full Alumni Relations & Development Privacy Notice.

Job Application Privacy Notice

Our Job Application Privacy Notice explains how we will collect and use the personal data relating to our job applicants. Download the Job Applicant Privacy Notice.

What personal data may we process?

We collect and process a wide variety of data categoriesÌý– depending upon the purpose for the processing. When collecting your personal data, our intention is to be clear to you which data is necessary in connection with a particular service. Some examples of data we collect are given below. If you have any questions, please email GDPR@cranfield.ac.uk.

• Information you voluntarily provide to us, such as your name, email address and other contact information.
• When you visit our websites, we may also collect information including, but not limited to, metadata including geolocation, browser type, pages visited, device type and time and date of visit. We may use cookies or similar technology to collect such information. Information gathered by cookies or similar technologies may be used for our business purposes such as analytics, research, digital advertising, and operation purposes. You may set your browser to notify you when a cookie is sent or refuse cookies altogether but certain features of this site may not work without cookies.Ìý.

  a) An individual has given explicit consent to the processing of this data for one or more specific purposes.

  b) Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law.

  c) Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.

  d) Where we are acting as a not-for-profit body and processing special category data for purposes as defined in our statutes.

  e) Where we are processing data which has already been made public by the individual.

  f) To the extent that a student or member of staff pursues legal action in relation to a disciplinary process, further processing of any special category data would be for the purpose of establishing or exercising University rights in relation to or defending those claims.

  g) Where we are processing data for substantial public interest as part of a function conferred on us by equality law and may also be necessary for the protective function of protecting members of the public against dishonesty, malpractice, or other seriously improper conduct.

  h) Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

  i) Processing is necessary for reasons of public interest in the area of public health.

  j) Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

  Who may we share personal data with?

  Where required, we may share your information across the University and with our commercial subsidiaries.

  We will share your personal data when required to do so by law or another regulatory requirement. For example:

  • Government bodies including HM Revenue & Customs, Department for Health & Social Care etc,
  • Law enforcement agencies, including the police and other regulatory and investigatory authorities,
  • Higher education funding and regulatory bodies and their designated agencies including Higher Education Statistics Agency (HESA), Office for Students, Jisc and Graduate Outcomes,
  • UKRI and other research councils and funding agents, including the Wellcome Trust, Royal Academy and other learned societies.

  In the case of a medical or other emergency we will share your data as necessary and proportionate with the emergency services or others.

  We may share your data with other trusted third parties when it is necessary to do so. If this sharing takes place, we will work closely with them to ensure that your privacy is respected and protected at all times. We will have an agreement in place which requires them to keep your data safe and protect your privacy, only use your data for specified purpose(s) and if we stop using their services, any of your data held by them will be deleted or made anonymous. Examples of the kind of third parties we work with are:

  • Our partners in research and teaching activities, e.g. joint events, or dual degrees programmes,
  • Suppliers, service, and support providers, e.g. IT companies who support our website and other business systems,
  • End point assessment organisations for apprenticeship purposes,
  • Ranking and accreditation agencies,
  • Debt collection agencies,
  • Professional and legal advisors,
  • Data insight companies to ensure your details are up-to-date and accurate,
  • Google/Facebook to show you products that might interest you while you’re browsing the internet. This is based on your acceptance of cookies on our websites. See our .

    How long do we keep personal data?

    In most cases we keep personal data for a standard seven year retention period consistent with typical government guidelines on record keeping. There are exceptions to this, and some data will be kept for a shorter or longer period. For example, employment applicant data will be kept for less time, while the categories of student name and qualification will be kept for the lifetime of the University. Some further data will be kept for more than seven years where there is a legal obligation to do so (e.g. pension information).

    Personal data will be kept as long as there is necessary purpose for doing so, these purposes include:

    • To carry out business or support functions.
    • Under contractual terms, e.g. agreements with partners or funding organisations may require us to keep data for specific periods of time.
    • To demonstrate compliance with audit purposes or legislative requirements.

    We carry out a regular review of all categories of data held and have in place processes for the removal of data. At the end of the retention period, personal data will either be deleted or anonymised.

    Where do we process personal data?

    Your personal data will normally be processed in our own databases located in the United Kingdom. If data needs to be processed elsewhere, we make sure it is protected properly, through contractual agreement. This is to make sure than the safeguards which would be in place under UK data protection law are applied when processing is outside of the UK. For more information email GDPR@cranfield.ac.uk.

    Security

    Cranfield are committed to keeping your personal data secure and have made substantial investments in security technology and security management processes. We hold Cyber Essentials and Cyber Essentials Plus for IT systems that process student personal data, and are committed to protect the information you provide us with. For further details see the University’s Information Security Policy.

    Your rights

    Under UK data protection law you have a number of rights regarding the personal data we process about you. Information is given below, please note that the rights described above do not apply in every circumstance. If you require further clarification, contact GDPR@cranfield.ac.uk.

    The right to be informed.

    You have the right to be informed about how we collect and use your personal data. This privacy policy provides detailed information. We are happy to provide more specific information on request.

    The right of access (also known as Subject Access Request [SAR]).

    You have the right to request the personal data we hold about you.

    The right to rectification.

    You have the right to request the correction of your personal data when incorrect, out-of-date or incomplete.

    The right to erasure.

    You have the right to request that we delete your data. However, there may be circumstances where the law or our contractual obligations mean we need to keep some of your data.

    The right to restrict processing.

    In certain circumstances you have the right to request that we restrict the processing of your personal data, for example while we consider your request under the right to rectification.

    The right to data portability.

    You have the right to request that we supply a copy of your data, which you supplied to us, in a commonly used and machine-readable format for you to transfer your data to another service provider.

    The right to object.

    You have the right to stop the processing of your data for direct marketing purposes. We offer visitors to our website the opportunity to subscribe (opt in) to a number of electronic communications. You have the possibility at all times to tell us you no longer wish to subscribe to our electronic communication service (opt out). All marketing e-communications you receive from us will provide clear instructions on how to unsubscribe from each service.

    In certain circumstances you also have the right to request that your data is not used for processing. Your record can remain in place, but not be used.

    Rights related to automated decision-making including profiling.

    You also have the right to object to the processing of your data where you believe a decision has been made about you by fully automated means, which has adversely affected you.

    The right to be notified.

    You have the right to be notified, without undue delay, if there has been a data breach which is likely to result in a high risk to your rights and freedoms.

    The right to withdraw consent.

    Occasionally, we rely on your consent to process your personal data. This means you have the right to withdraw your consent, or to object to the processing of your personal data for this purpose at any time. If at any point you want to withdraw your consent, please email GDPR@cranfield.ac.uk.

    The right to complain.

    We are committed to ensuring that any concerns are dealt with quickly and fairly, and with due concern for the individuals involved. However, the University recognises that individuals may continue to be dissatisfied. If you wish to complain about the University’s processing of your personal data you are entitled to complain to the Data Protection Officer.

    Data Protection Officer,

    ¹û½´ÊÓƵ¹ÙÍø, College Road, Cranfield, Bedford, MK43 0AL

    E: GDPR@cranfield.ac.uk

    T: +44 (0)1234 754536

    The right to lodge a complaint with a supervisory authority.

    You have the right to lodge a complaint about our management of your personal data with the supervisory authority. In the UK this is the Information Commissioner’s Office (ICO). The ICO will expect you to complain to us first and give us an opportunity to resolve the matter before contacting them. The ICO contact details are given below.

    Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

    Web page: https://ico.org.uk/make-a-complaint/data-protection-complaints/">https://ico.org.uk/make-a-complaint/data-protection-complaints/>https://ico.org.uk/make-a-complaint/data-protection-complaints/

    ICO helpline: +44 (0)303 123 1113

    FOI requests

    For information on handling FOI requests see the Freedom of InformationÌý±è²¹²µ±ð²õ.

    Data protection registration

    We are registered with the Information Commissioners’ Office and our registration number is Z4690919. For details of our subsidiary organisations’ registration with the ICO please contact GDPR@cranfield.ac.uk.

    Children

    ¹û½´ÊÓƵ¹ÙÍø is a postgraduate institution and therefore normally will only process children’s personal data under very specific circumstances. For example, events supporting science-based projects in schools and ‘Bring Your Child to Work Day’. We do not offer online services directly to children.

    Where there is a need to collect information from a person under 18, then we may need consent from a parent or guardian in order to process any data. In these circumstances, an email or postal address of this person will be needed so that we can write to them to collect this.

    Website information

    Please note that any information supplied via this website may be stored on our computer system for the provision of information, marketing, and analysis.

    External website links

    The links are provided as a courtesy, to be used or not at the discretion of the individual user. If users decide to follow these links, we cannot be responsible for the privacy policies and content of those sites. Users should contact the co-ordinator of the particular site with any questions.

    Live Chat

    We use Live Chat and other online web chat tools to and call back request features to facilitate and assist website visitors with any enquiries that have.

    Our subsidiaries

    ¹û½´ÊÓƵ¹ÙÍø Group includes a number of subsidiaries:
    Cranfield Conference Centre Limited
    Cranfield Defence and Security Services Limited
    Cranfield Innovative Manufacturing
    Cranfield Management Development Ltd
    Cranfield Quality Services Ltd
    Cranfield Group Holdings Limited
    Cranfield Airport Operations Limited

    Contacting us about our Privacy Policy

    We welcome comments and suggestions regarding our Privacy Policy. Please send these toÌýGDPR@cranfield.ac.uk.

    If you believe your personal information has been misused or handled in such a manner contrary to this policy, please send details toÌýGDPR@cranfield.ac.uk.

    By using and visiting the website, you agree to this policy and the uses made of personal information as described. When you are using our websites, ¹û½´ÊÓƵ¹ÙÍø is the data controller. Our Data Protection Officer can be contacted onÌý³Ò¶Ù±Ê¸é°ª³¦°ù²¹²Ô´Ú¾±±ð±ô»å.²¹³¦.³Ü°ìÌýor at the address below:

    Data Protection Officer, ¹û½´ÊÓƵ¹ÙÍø, College Road, Bedford, MK43 0AL

    Publish and review date

    This version is dated May 2025, next review date July 2026.