Governor Privacy Notice

This Privacy Notice explains the types of personal data held by the University as data controller.

It explains what information we collect about you, how we will use that information, who we will share it with, when we will share it and the steps we will take to ensure it stays private and secure.

Introduction

This Privacy Notice outlines how Canterbury Christ Church University (the Data Controller) collects, uses, and protects personal data in relation to the nomination or appointment of governors at the University. It applies to prospective governors, current governors and former governors.

We are committed to handling your personal data responsibly and transparently, in accordance with the Data Protection Act 2018 and UK General Data Protection Regulations (GDPR) and any other relevant legislation. This notice is intended to ensure you are fully informed about how your personal information is used and the rights you have in relation to it.

What personal information do we collect about you?

When you engage with the University in relation to the role of Governor, we collect and retain relevant personal data. This information is used for the purposes set out in Section 3 of this Privacy Notice.

We may process the following categories of personal data about you:

  • Names
  • Addresses
  • Landline and mobile telephone numbers
  • Date of birth
  • Gender
  • Nationality
  • National insurance number
  • Next of kin/trusted contact
  • Name of spouse/partner
  • Educational and career background
  • Your CV and biography
  • Public and voluntary appointments
  • Bank details (for payment of expenses)
  • Vehicle registration
  • Dietary requirements
  • Photographs
  • Correspondence
  • Health and safety records
  • Terms of office
  • Feedback
  • Meeting attendance
  • Declarations
  • Related party transaction returns
  • Manifesto ballot details and results (for staff governors)
  • Other information about you that is given to us by you
  • Your image may be taken for reports and other publications; and
  • Audio recordings of meetings of the governing body and its committees at which you contribute might also be taken.
  • Data relating to your participation in the use of the virtual learning environment Blackboard and the library.
  • Usage data relating to University email accounts and other Microsoft 365 services.

You may also give us information about Special Category Data, including:

  • Racial or ethnic origin
  • Religious or philosophical beliefs
  • Health or sex life
  • Sexual orientation

How do we collect your information? 

The University may collect your personal data through a range of methods and sources, depending on your relationship with us and the nature of our interaction. We may collect your personal information:

  • Directly from you – for example, when you fill in forms and applications or where your communicate with us or when you correspond with us, by telephone, email, online or otherwise.
  • Through automated technologies – for example, your participation in and your use of the virtual learning environment (Blackboard), your University email address or the usage of other Microsoft 365 applications.
  • From third parties – for instance, references.
  • From publicly available sources – for example, LinkedIn or other website

How do we use your personal data?

The University may process your personal data for the following purposes:

  • Recruitment, selection, re-appointment and termination of governors
  • Compliance with companies and charities legislation, including if you are also a director of a subsidiary or connected undertaking, by electronic or other means
  • Management and transcription of minutes of meetings of the governing body and its committees
  • Maintenance of registers, including statutory registers and registers of interests, whether on-line or in hard form
  • Ensuring governors have not been disqualified in accordance with the Charities Act 2006
  • Inclusion in governing body minutes and reports
  • Succession planning
  • Sharing your contact details with other governors
  • Circulation of a statement to the electorate and production of ballot papers (for staff seeking election as staff governor)
  • Inclusion in the University’s annual report and financial statements
  • Audit and planning functions
  • Publication of governance information on the University’s website and elsewhere
  • Provision of reports and returns required by funding agencies, government departments and public bodies, including the Office for Students
  • Monitoring and promotion of equality and diversity
  • Inclusion in the University’s publication scheme
  • Funding bids to UK and international funding bodies and contracts
  • Protection of your vital interests
  • In connection with the University’s banking arrangements
  • Administration of your expense claims
  • Issuing of parking permits
  • Accommodation, dietary and access requirements
  • Booking of training with external organisations
  • To prevent and detect fraud, bribery, corruption, or other unlawful activities in accordance with the University's internal policies and legal obligations;
  • To comply with statutory and regulatory requirements, including those under the Data Protection Act 2018 and UK GDPR.

The lawful basis we use to process your data

Data protection law sets out reasons for collecting and processing your personal data. In this section, we outline the legal bases the University uses.

We will be processing your data under:

  • Article 6(1)(a) Consent "the data subject has given consent to the processing of his or her personal data for one or more specific purposes"

In specific situations, we might collect and process your data with your consent, for example, if we need to undertake a University survey. You may withdraw your consent at any time. You need not give a reason. To withdraw your consent, contact: gls@canterbury.ac.uk

  • Article 6(1)(b) Contract "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract"
  • Article 6(1)(e) Public Task "processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”
  • Article 6(1) (f) Legitimate Interests "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child"

In certain situations, we require your data to pursue our legitimate interests. We do this in a way that does not materially impact on your rights, freedom or interests. For example, you may be subscribed to mailing lists following participation to a University event. You will always be provided with the option to opt-out of the communication.

Once you are no longer with us, we may communicate with you from time to time, for example to invite you to attend key events relating to your previous tenure.

We may need to process your data in order to ensure we are complying with our statutory obligations and legal requirements.

  • Article 6(1)(c) Legal obligation "processing is necessary for compliance with a legal obligation to which the controller is subject"

If the law requires us to, we may need to collect and process your data. For example, we need to ensure we meet our statutory obligations including those related to filing details of your appointment with Companies House, Financial Conduct Authority and the Charities Commission. Failure to provide this data would result in your appointment not taking effect.

We may also need to process your data under this legal basis to ensure we comply with anti-fraud, anti-money laundering, and anti-bribery legislation, including the detection and reporting of suspected fraud or corrupt activity; for responding to lawful requests from regulatory bodies or law enforcement agencies, such as the Office for Students (OfS) or the Police.

We may need to process your personal data to protect your vital interests or those of another individual.

  • Article 6(1)(d) Vital Interests "processing is necessary in order to protect the vital interests of the data subject or of another natural person"

It will take place only where we cannot process your data under another lawful basis.

Where we process Special Category Data, we will do so under the following legal basis:

  • Article 9(2)(a) Explicit consent
  • Article 9(2)(b) Employment, social security and social protection (if authorised by law)
  • Article 9(2)(c) Vital interests
  • Article 9(2)(e) Made public by the data subject
  • Article 9(2)(g) Reasons of substantial public interest (with a basis in law)

Where we process Criminal Offence Data, we will rely on:

  • Article 10 Authorised by domestic law providing for appropriate safeguards for the rights and freedoms of data subjects

We have an Appropriate Policy Document in place which records our processing in relation to Special Category Data and Criminal Offence Data

 

Who do we share your personal data with

We may share your personal data with trusted third-party service providers who act as data processors on our behalf. These partners support with the provision and delivery of services to us or directly to you on our behalf. All third parties are required to handle your data securely and in accordance with data protection legislation.

We may also disclose your personal data where necessary to meet our legal or statutory obligations under the Data Protection Act 2018, UK GDPR, Information Act 2000, Limitation Act 1980, Charities Act 2011 and Companies Act 2006. This may include sharing information with government departments, regulatory bodies, funding agencies, or law enforcement authorities where disclosure is legally required. When you are appointed as a governor, we will share your information with the Office for Students, Charities Commission and Companies House as these are legal requirements.

Whoever we share your information with, we will only share what is relevant and necessary to perform the specific task or to meet our legal obligations.

How long do we keep your personal data

We retain personal data only for as long as is necessary to fulfil the purposes set out in this Privacy Notice, including to satisfy legal, regulatory, and contractual obligations. This includes our obligations under the Data Protection Act 2018, UK GDPR, Information Act 2000, Limitation Act 1980, Charities Act 2011 and Companies Act 2006.

In relation to the Charities Act 2011, we retain personal data relating to claims and expenses for 7 years, in line with our legal and statutory requirements for tax and audit purposes. Identifiable records are securely disposed of or anonymised when they are no longer required for these purposes. Minutes of governing body meetings, annual reports, financial statements, biographies and photographs are kept permanently. Information relating to event bookings and parking permits will be retained for the period of office of each governor. Manifestos made by successful candidates are kept for their period of office. In the case of unsuccessful candidates, the retention period is six months after the election. Election results (votes cast, turn out) are retained for six years after the completion of the election.

When identifiable records are no longer required for the purposes set out in this Privacy Notice, they are either anonymised or securely disposed of according to our Confidential Waste Policy.

 

Data Type

Retention Length

Relevent Legislation

Claims and expenses

7 years

Charities Act 2011

Limitation Act 1980

Companies Act 2006

Minutes of governing body meetings

Annual reports

Financial statements

Biographies

Photographs

Permanently

None

Event booking

Parking Permits

The period of office of each governor

None

Manifestos (successful candidates)

The period of office of each governor

None

Manifestos (unsuccessful candidates)

Six months after the election

None

Election results

Six years after completion of the election

Companies Act 2006

How do we protect and store your personal data

We are committed to safeguarding the personal data we process and have robust internal policies and controls to prevent unauthorised access, accidental loss, destruction, misuse, or disclosure of personal data. Access to personal information is strictly limited to authorised University personnel who require it for the performance of their duties in connection with management and administration of Governor records.

We are Cyber Essentials accredited, demonstrating our commitment to implementing industry-recognised cybersecurity practices to protect against common online threats and ensure a secure IT environment.

Where personal data is shared with third-party processors, such parties are contractually required to act solely on our instructions, implement appropriate technical and organisational safeguards, and comply fully with the requirements of the Data Protection Act 2018 and UK GDPR.

The data controller and further information

Canterbury Christ Church University is the Data Controller for this personal data.

Please click the link below to access further information regarding:

 

Version control

  • Title: Governor Privacy Notice
  • Process Owner: Senior Corporate Governance & Regulatory Compliance Manager
  • Department responsible: Governance & Legal Services
  • Date approved: 24 September 2025
  • Date of review: 24 September 2027
  • Date last amended: 12 September 2025

In this section

Downloads

Governor-Privacy-Notice-2025

184.3 KB