This Privacy Notice outlines how Canterbury Christ Church University (the Data Controller) collects, uses, and protects special category data and criminal offence data in relation to students and applicants. It applies to all students and prospective students.

We are committed to handling your personal data responsibly and transparently, in accordance with the Data Protection Act 2018 and UK General Data Protection Regulations (GDPR) and any other relevant legislation. This notice is intended to ensure you are fully informed about how your personal information is used and the rights you have in relation to it.

You can access our Data Protection Policy here.

1. What personal information do we collect about you?

When you engage with the University in relation to studying with us, including through UCAS, we collect and retain relevant special category data or criminal offence data about you. This information is used for the purposes set out in Section 3 of this Privacy Notice.

We may process the following categories of special category data about you:

• Racial or ethnic origin
• Political opinion
• Religious or philosophical beliefs
• Trade union membership
• Genetic data
• Biometric data for uniquely identifying a natural person
• Data concerning heath
• Data concerning a natural person’s sex life or sexual orientation
• Information about spent or unspent criminal convictions and offences

If you choose not to submit any sensitive personal information when requested, we may not be able to provide you with specific services.

For example, if you are applying for a regulated course and will be required to undertake background checks as part of the application process. If you refuse, we will not be able to proceed with the application.

2. How do we collect your information?

The University may collect special category data about you through a range of methods and sources, depending on your relationship with us and the nature of our interaction. We may collect your sensitive personal information:

• Directly from you – when you fill in forms, submit applications, contact us, use our services or attend University events.
• From third parties – such as UCAS and government agencies.

3. How do we use your personal data?

The University may process special category data about you for the following purposes:

• Monitor Equal Opportunities
• Make Statutory Returns
• Assess a student’s fitness to undertake placements
• Support students with a declared disability, engaging with the fit to study process or with a medical condition
• Assess the right to study in the UK
• Meet the requirement to have due regard to the need to prevent people from being drawn into terrorism

As part of your engagement with the University we may collect criminal offence data about yourself. This may include:

• Information about spent or unspent criminal convictions and offences

We process criminal offence data about our applicants and students where there is a statutory requirement or to prevent or detect unlawful acts.

Our processing relates to the data we receive or obtain to undertake the following:

• Where the person applies for study related to a regulated profession or undertakes study or volunteering requiring engagement in regulated activity
• Where the person applies for residential accommodation

Where the person is subject to disciplinary action, including fitness to practise

4. The lawful basis we use to process your data

Where we process Special Category Data, we will do so under the following legal basis:

• Article 9(2)(a) Explicit consent
• Article 9(2)(b) Employment, social security and social protection (if authorised by law)
• Article 9(2)(c) Vital interests
• Article 9(2)(g) Reasons of substantial public interest (with a basis in law)
• Article 9(2)(j) Archiving, research and statistics (with a basis in law)

Where we process Criminal Offence Data, we will rely on:

• Article 10 Authorised by domestic law providing for appropriate safeguards for the rights and freedoms of data subjects

We have an Appropriate Policy Document in place which records our processing in relation to Special Category Data and Criminal Offence Data. If you are a student, you may access the document here.

5. Who do we share your personal data with

We may share special category data about you with trusted third-party service providers who act as data processors on our behalf. These partners are Simplicity, PCMIS, Cardinus and our placement providers who support with the delivery and operation of Wellbeing services, Health and Safety reporting and the facilitation of work placements. All third parties are required to handle your data securely and in accordance with data protection legislation.

We may also disclose your personal data where necessary to meet our legal or statutory obligations under the Data Protection Act 2018 and UK GDPR. This may include sharing information with government departments, regulatory bodies, funding agencies, or law enforcement authorities where disclosure is legally required.

Whoever we share your information with, we will only share what is relevant and necessary to perform the specific task or to meet our legal obligations.

6. How long do we keep your personal data

We retain special category data only for as long as is necessary to fulfil the purposes set out in this Privacy Notice, including to satisfy legal, regulatory, and contractual obligations. This includes our obligations under the Data Protection Act 2018 and UK GDPR.

In relation to information relating to DBS disclosure and criminal convictions, we retain personal data for six months after checking, in line with our DBS requirements. Special category data is held in line with the Universities Student Retention Schedule. When identifiable records are no longer required for the purposes set out in this Privacy Notice, they are either anonymised or securely disposed of according to our Confidential Waste Policy.

7. How do we protect and store your personal information

We are committed to safeguarding the special category data we process and have robust internal policies and controls to prevent unauthorised access, accidental loss, destruction, misuse, or disclosure of personal data. Access to sensitive personal information is strictly limited to authorised University personnel who require it for the performance of their duties in connection with the administration and management of student and applicant records.

Where personal data is shared with third-party processors, such parties are contractually required to act solely on our instructions, implement appropriate technical and organisational safeguards, and comply fully with the requirements of the Data Protection Act 2018 and UK GDPR.

8. The data controller and further information

Canterbury Christ Church University is the Data Controller for this personal data.

Please click the link below to access further information regarding:

• The Data Controller
• The name and contact details of the University Data Protection Officer
• Where to make a complaint
• Your Rights as a Data Subject
• How to contact the Regulator

 

Version control

Title: Use of Special Category Data of Students Privacy Notice

Process Owner: Head of Data Protection

Department responsible: Governance & Legal Services

Date approved: 8^th April 2026

Date of review: 8^th April 2028

Date last amended: 8^th April 2026