Privacy notice: CPD courses
Please see below for the University's CPD courses privacy notice.
For more details please contact the Information Governance Manager.
This privacy notice tells you what to expect us to do with your personal data when you register on a CPD course run by the University. Personal data (or personal information) is any information which relates to and identifies you. Data protection legislation (the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA)) set out how we should handle your personal data.
The University of Lancashire (formerly the University of Central Lancashire) (the University) is the controller for the personal data we process, unless otherwise stated. We are registered with the Information Commissioner’s Office and our registration number is Z5512420.
There are many ways you can contact us, including by phone, email, social media and post. View our main contact details on our website.
You can contact your specific CPD course team using the information provided on the relevant registration form.
The University’s Information Governance Manager & Data Protection Officer can be contacted on DPFOIA@uclan.ac.uk. Further information and contact details can be found on our data protection web pages.
The University uses the information you give us on the registration form, as well as any additional information you give us directly before and during the CPD course. If your employer is sponsoring you to undertake the course, we will also use information provided to us by your employer. If your course is delivered by one of our overseas partners, we will also use information provided to us by the partner that is delivering your course.
Administration and communication
We use your information to register you on the course and collect your course fees, either from you directly, via your sponsor e.g. your employer, or via one of our partner universities that delivers our courses. We also use your information to deliver and administer the course; to manage any medical (including disability) requirements you tell us about; to investigate and respond to any complaints; and to issue certificates of completion.
If you attend a distance-learning course rather than a campus-based course, we will use your information to deliver the course via online platforms such as Microsoft Teams. Some of your information, such as your name and email address, voice and image (if you turn your camera on), may be visible to other individuals attending an online course.
If you attend a course delivered by one of our partner universities, which may be overseas, University staff may deliver part of your course but it will primarily be delivered by our partner university’s staff. We will use your information to administer the course, issue completion certificates and collect course fees from our partner university.
We will use your information to communicate with you about the CPD course. If you agree, we will also use your information to send you details of other University courses or events we offer that we think may be of interest to you. You can tell us to stop sending these additional communications to you at any time by contacting your CPD course team using the details previously provided to you or by following the ‘opt out’ instructions on the communication itself.
Security and crime prevention
The University operates a CCTV system for security and crime prevention purposes, which includes the use of body worn video devices. The CCTV system covers University buildings (inside and outside) and public areas across our campuses. Your images are likely to be captured by the CCTV system while you are on, in, or near University premises. CCTV footage will be used to maintain the security of the University community, enhance public safety, prevent and detect crime and apprehend and prosecute offenders. Where there is a lawful basis to do so, CCTV footage may be used in the investigation of complaints and allegations made under the University’s rules, regulations, procedures and codes of practice. Further information is available in our CCTV Privacy Notice.
The University will also use your information to maintain a safe environment around the University campus and investigate complaints or concerns regarding safety or security. We will produce internal reports about safety and security incidents and share them within the University on a need-to-know basis to help manage and ensure the safety, security and wellbeing of the University community.
Monitoring, compliance and research
We will use your information to ensure and monitor our compliance with legislation including laws relating to equality and health and safety. We will also use your information to monitor our compliance with regulatory requirements set by external agencies, as well as our own internal quality assurance standards.
Your information will also be used for research purposes, including research by University staff for planning, development, feedback and course evaluation purposes, and University researchers for the purposes of academic research.
The University relies on the following lawful bases from the UK GDPR to process information about you for the purposes set out in this notice:
Article 6(1)(b), which allows us to process personal data when it is necessary for the performance of a contract, or for steps taken with a view to entering into a contract. When you register and pay for your place on the CPD course, you enter into a contract with us (your contract). Under your contract, we deliver and administer the CPD course, monitor compliance with the CPD course terms and conditions, communicate with you and deliver facilities and services, among other things. We require you to provide any information we reasonably request for these purposes otherwise we cannot deliver your contract. If your course is delivered by one of our partner universities, we also rely on this lawful basis to process your personal data for the purposes of your contract with our partner university because for the purposes of that contract, we need to know who you are and that you have attended and paid for the course so we can issue you with a certificate of completion.
Article 6(1)(c), which allows us to process personal data when it is necessary to comply with a legal obligation. We are legally required to monitor compliance with laws relating to health and safety and equality, among other things.
Article 6(1)(e), which allows us to process personal data where it is necessary to perform a task in the public interest. Research; teaching; some monitoring and internal reporting; and auditing are carried out as part of our public tasks.
Article 6(1)(f), which allows us to process personal data where it is in our, or someone else’s, legitimate interests to do so and it does not unduly prejudice your rights and freedoms. We rely on this condition to, among other things:
- communicate marketing messages to you (unless you opt out). It is in the University’s legitimate interests to promote its services, courses and events to those who may be interested.
- provide a security service and CCTV monitoring. It is in the interests of the University community and the general public to make the University a safe and secure place to live and study.
- produce some internal reports, evaluations, research and statistics. It is in our legitimate interests to use these to evaluate, plan and assess how the University is operating and make any changes we think are appropriate and will benefit current and future learners and students.
We also process some information only if you provide your consent. In this case, Article 6(1)(a) applies, and Article 9(2)(a) applies where the information is special category data (special category data is information about your race, ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data used for ID purposes, health, sex life or sexual orientation). It will be clear where we are relying on your consent to collect and use your information because consent will be requested at the time you provide the information. When you are asked for consent, we will explain why we are asking for the information and how we will use it if you choose to provide it. Consent can be withdrawn at any time and we will explain how you can do this in each individual case.
Where we process special category data and data about criminal convictions for the purposes set out in this notice, we rely on the following additional lawful bases from the UK GDPR and DPA:
Article 9(2)(g) UK GDPR, which allows us to process special category data if the processing is necessary in the substantial public interest and there is a basis to do so in law. The law which allows us to rely on Article 9(2)(g) is section 10 DPA by virtue of Schedule 1 DPA, which also provides the lawful basis for processing data about criminal convictions. The specific conditions from Schedule 1 DPA on which we rely for this type of processing are as follows:
- Schedule 1(6), which allows us to process special category data and/or data about criminal convictions to comply with a statutory or legal function. Such functions include the duties set out in the Equality Act 2010 and the requirement to comply with the registration conditions imposed on us by the Office for Students under the Higher Education and Research Act 2017.
- Schedule 1(8), which allows us to process special category data to monitor equality of opportunity or treatment.
- Schedule 1(10), which allows us to process special category data and/or data about criminal convictions to prevent or detect unlawful acts.
- Schedule 1(11), which allows us to process special category data and/or data about criminal convictions to carry out protective functions to protect members of the public against dishonesty, malpractice or other seriously improper conduct, or unfitness or incompetence.
- Schedule 1(12), which allows us to process special category data and/or data about criminal convictions to comply with regulatory requirements which require us or another party to establish if you have been involved in dishonesty, malpractice or other seriously improper conduct. We rely on this to undertake activities for regulated courses to enable us to meet the regulatory requirements and good practice principles associated with your course.
- Schedule 1(18), which allows us to process special category data and/or data about criminal convictions to safeguard individuals at risk and children.
When processing special category data or data about criminal convictions in reliance on the above conditions from Schedule 1 DPA the University must have an appropriate policy document, which can be read here: Data Protection: Processing special category data and criminal convictions data.
Article 9(2)(j) UK GDPR, which allows us to process special category data for archiving, scientific or historical research purposes or statistical purposes, where there is a basis to do so in law. The law which allows us to rely on this basis is section 10 DPA by virtue of Schedule 1(4) DPA. We may also rely on Schedule 1(4) DPA if we process personal data relating to criminal convictions for archiving, research or statistical purposes.
We share your information with some external organisations and bodies, some of which are processing personal data on our behalf. We only share your personal data with another person or organisation where the law allows us to and we consider it to be appropriate under the circumstances. The external parties we will share information with include the following:
- University insurers: information, including accident forms, is shared with our insurers to provide insurance cover and to enable us to make and defend insurance claims.
- Internal and external auditors to provide assurance that the University is following its risk management, governance and internal control processes and to independently inspect our financial statements and records.
- Companies or organisations acting on our behalf: We use processors who are third parties who provide elements of services for us, such as those who produce certificates on our behalf. We have contracts in place with our processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will hold it securely and retain it for the period we instruct.
- Government agencies and authorities, including the police and DWP for the prevention and detection of crime, apprehension and prosecution of offenders, the collection of tax or duty and safeguarding national security, among other things.
- Executive agencies or non-departmental public bodies such as UK Visas and Immigration, HM Revenue and Customs and the Health and Safety Executive.
- Sponsors such as your employer. We may share information if a sponsor or similar can show they have a legitimate need e.g. in relation to your attendance, progress or course completion.
- Professional and regulatory bodies if this is relevant to your course. Information is shared for ‘fitness to practise’ purposes, to confirm your qualifications and for the accreditation of courses, as well as to comply with regulatory requirements which require us or another party to establish if you have been involved in dishonesty, malpractice or other seriously improper conduct; or to carry out protective functions to protect members of the public against dishonesty, malpractice or other seriously improper conduct, or unfitness or incompetence, among other things.
- Partner universities where your University course is delivered by one of our partner universities so that we can provide completion certificates, issue invoices and administer your course and associated fees.
Occasionally we may need to send your personal information outside the UK and/or the European Economic Area (EEA) e.g. to obtain a service from a processor. Where your course is delivered by one of our partner universities which is based outside the EEA, we will need to send a limited amount of information about you to the partner university. These transfers are usually carried out because they are necessary for us to deliver your contract or so our partner university can deliver your contract. All transfers are carried out with appropriate safeguards in place to protect your information and ensure it remains secure. For example, we share information on the basis of the UK International Data Transfer Agreement or UK International Data Transfer Addendum when we share information with processors based outside the EEA. A copy of these Agreements can be obtained from the University on request.
We will keep a copy of your information for six years after you complete your course. Following this, the majority of your information will be deleted but we will keep indefinitely information which is necessary to confirm that you studied here and a copy of your certificate.
If you register on the CPD course but you cancel your registration and obtain a refund; or you register and do not attend, we will keep the information from your registration form for two years. Records of any financial transactions, such as payments for course fees or refunds for cancelled places, will be retained for six years following the end of the financial year in which the transaction occurred.
If you opt in to receiving communications from us about other University courses and events, we will keep your information indefinitely or until you opt out of further communications.
Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information. Further information about each of these rights can be found on the Information Commissioner’s Office website. To make a request to exercise any of these rights, please contact the Information Governance Manager & Data Protection Officer on DPFOIA@uclan.ac.uk.
Your right of access
You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process. For further information or to make a request, please see the data protection pages of our website.
Your right to rectification
You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.
Your right to erasure
You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing
You have the right to ask us to restrict the processing of your information in certain circumstances.
Your right to object to processing
You have the right to object to any processing we carry out, if we carry it out on the basis that it forms part of our public task or is in our legitimate interests. You also have the right to object to your personal information being used for direct marketing purposes.
Your right to data portability
This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information because we have your consent or because it is necessary for your contract and the processing is automated.
We work to high standards when it comes to processing your personal information. If you have queries or concerns, please contact your University course team, or the Information Governance Manager & Data Protection Officer, and we will respond.
If you remain dissatisfied, you can make a complaint about the way we process your personal information to the Information Commissioner’s Office, which is the UK supervisory authority for data protection. Further information can be found on the data protection pages of our website.