Privacy policy

The University of Oxford¹  is the “data controller" for the information that you provide to us when using our services. This means that we decide how to use it and are responsible for looking after it in accordance with the GDPR.

Access to your personal data within the University will be provided to those staff who need to view it as part of their work in connection with the operation of these services. It will also be shared with third parties as described in this document.

Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. We may update this policy at any time.

By visiting our site and using our services you are accepting and consenting to the practices described in this policy.

¹ The University’s legal title is the Chancellor, Masters and Scholars of the University of Oxford.

We will collect, store, and use the following categories of data when you use our services including:

• Name
• Single Sign On identifier
• Address (room hirers and non-University delegates)
• Email address
• Mobile phone number
• Any dietary or accessibility requirements
• Status (e.g. member of University/external)
• Role at University (e.g. staff/student)
• Affiliation at University (department/college)
• Invoicing information (room hirers and externals)
• If you visit our site or systems, we may automatically collect certain technical information, for example, the type of device (and its unique device identifier) you use to access our site or systems, the Internet protocol (IP) address used to connect your device to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system, mobile network information and platform.
• We may automatically collect information about your visit to site or systems including the full Uniform Resource Locators (URL), clickstream to, through and from Websites (including date and time), pages you viewed, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page.
• We may take video and images of our services being used (e.g. workshops and courses) and use those to promote our services. We also collect CCTV images for safety and security purposes.

We will collect data about you when you:

• Login to the CoSy course booking system to search, book and pay for  course
• Access the IT Learning Portfolio and the University’s Virtual Learning Environment (VLE)
• Correspond with us by phone or e-mail
• Subscribe to our mailing list
• Contribute to a training needs analysis
• Provide course feedback
• Subscribe/Unsubscribe to our Digital Capabilities mailing lists
• Attend a course (face to face of online), workshop or event (e.g. course attendance registers)

We will only use your data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another related reason and that reason is compatible with the original purpose. If we need to use your data for an unrelated purpose, we will seek your consent to use it for that new purpose.

Please note that we may process your data without your knowledge or consent, in compliance with the conditions set out here, where this is required or permitted by law.

We will use your data to provide you with the services you have requested and to review and improve our services. We collect and store data for the purposes of:

• Course and event administration
• Thames Suite (internal IT Services use) administration
• Requirements gathering
• Analysis and Evaluation
• Communication
• Payment for courses
• Management information
• Statistics and reporting

We are processing your data for this purpose only because you have given us your consent to do so, by:

• Booking a course or placing yourself on a course waiting list
• Attending a course or other learning event
• Accessing the IT Learning Portfolio and the University’s VLE
• Requesting to use the Thames Suite
• Sending an enquiry
• Completing a training needs analysis
• Completing a course evaluation survey
• Attending a workshop, course or event (face to face or online)

This processing is necessary to provide you with our services.

Marketing

We would like to send you information by email about services which may be of interest to you. We do this only where you have specifically indicated that you consent to receive such communications, for example, by selecting  ‘Yes’  to receiving IT Learning Centre communications during the course booking process. We will ask whether you would like us to send you marketing messages each time you book a course. You will have the opportunity to select what messages you wish to receive.

You can withdraw your consent at any time by contacting us at skills@it.ox.ac.uk.  In this event, we will stop any processing as soon as we can. However, this will not affect the lawfulness of any processing carried out before your withdrawal of consent and you may no longer be able to use the site in the same way you did before. 

We will not provide your data to other businesses so they can use it for marketing purposes. 

Video and images that we collect of our activities may be used to promote our services. At the time of recording, you will be informed that recording is being carried out and given the opportunity not to be featured in any of the video or images. CCTV video is used solely for the purposes of enhancing the safety and security for users of the Thames Suite and is not used for any other purpose.

Access to your data within the University will be provided to those who need to view it as part of their work (e.g. managers, administrators and trainers) in carrying out the purposes described above.  The CoSy booking system is used by CoSy administrators in other departments across the University and your data can be viewed by these administrators.

Where a course has been organised on behalf of a department the names of participants, attendance reports and feedback will be passed to the department.

Course records will be routinely shared with other people within the University who we believe have a legitimate need to know, including heads of departments and departmental administrators and HR managers. The mechanism to share data is via the Self-Service Training Data Reports Service.

Project training records will be shared on request with project roles (as identified by project managers) where there is a legitimate project requirement.

We also share your data with companies who provide services to us, such as for the course booking system, payment gateways, and survey tools. These companies are required to take appropriate security measures to protect your data in line with our policies. We do not allow them to use your data for their own purposes. We permit them to process your data only for specified purposes and in accordance with our instructions.

Where your data is shared with third parties, we will seek to share the minimum amount necessary.  Information about how your data in Nexus365 is here.

We may also share your personal data with third parties if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our site terms of use or to protect the rights, property or safety of our site, our users, and others.

Some of our services such as the Resource Finder contain links to and from various third party websites.  If you follow a link to any of these websites these websites will have their own privacy policies and we do not accept any responsibility or liability for these policies.  Please check these policies before you submit any personal data to these websites.

Your data will be held securely in accordance with the University’s policies and procedures. Further information is available on the University’s Information Security website.

We store data collected by our services manually and/or electronically.  The data is stored securely in accordance with University data security policies.  This may be on premise or using approved off-site storage.

Electronic data may be transferred to, and stored at, a destination outside the European Economic Area ("EEA")

Such transfers will only take place if one of the following applies:

• the country receiving the data is considered by the EU to provide an adequate level of data protection;
• the organisation receiving the data is covered by an arrangement recognised by the EU as providing an adequate standard of data protection e.g. transfers to companies that are certified under the EU US Privacy Shield;
• the transfer is governed by approved contractual clauses;
• the transfer has your consent;
• the transfer is necessary for the performance of a contract with you or to take steps requested by you prior to entering into that contract; or
• the transfer is necessary for the performance of a contract with another person, which is in your interests.

We will only retain your data for as long as we need it to fulfil our purposes, including any relating to legal, accounting, or reporting requirements.

Information on your rights in relation to your personal data is explained here.

Inaccuracies in data will be resolved as they arise. If it becomes apparent that inaccurate information is held, this data can be corrected by emailing: skills@it.ox.ac.uk

You may ask to receive a copy of the data stored about you. Applications should be made to skills@it.ox.ac.uk

For Digital Skills courses, current university members can check their own records by logging into My Dashboard.