Privacy Statement & Data Processing

What we do

The Information Security Team seeks to enable the University to deliver against its strategic aims by reducing the risk of significant security incidents and data breaches. The team achieves this through:

• Enabling secure research, collaboration, teaching and administration by promoting informed and security-driven decisions.
• Protecting University systems and data by monitoring and managing technical threats and incidents.
• Driving the design and implementation of secure ICT systems across the University.
• Sharing good practice and fostering a strong information security culture across the University.

Information we collect

We, the Information Security Team, collect information from you in two ways: directly from you during your ongoing relationship with us and/or with colleges; and/or from third parties providing us with services.

We may hold and process the following types of personal data about you:

Personal data, which may include:

• Name, title, primary contact details, and secondary (personal) contact details.
• For staff and students: student or staff ID, University affiliations, University card status, and ICT account details.
• Records of your personal interactions with us (e.g. correspondence and conversations).
• Investigation records for computer security incidents.
• For staff and students: operational data and metadata about your IT usage including device information. This could, for example, include network usage, authentication and authorisation events, email activity, endpoint security alerts, service transaction logs from University information systems.

Special category personal data, which may include:

• Criminal convictions, offences and allegations of criminal activity – we do not seek to obtain these categories of sensitive data. However, they may sometimes be identified during incident investigation and response.
• Race or ethnicity, religious beliefs, sexual orientation, political opinions – we do not seek to obtain these categories of sensitive data. However, they may sometimes be inferred from other data we hold, for example, your relationships, job titles, or affiliations.

How we use your data

Your personal data are used by us for the following purposes in support of information security activities:

For the detection and management of technical threats and incidents

• To prevent, detect, and respond to information security incidents across the collegiate University.
• To aggregate and correlate data from disparate data sources to identify anomalies and malicious activity.
• To respond to legitimate requests for personal data in line with University statutes and regulations.

For the provision of preventative services to the University

• To provide access to services.
• To respond to queries and support requests from individuals, colleges and departments.
• To identify individuals and groups for direct engagement and support.

For operational reporting, management reporting, and governance

• We may use your personal data for the purposes of reporting on information security services to the collegiate University. We will use only the data required and, wherever possible, we will use de-identified or pseudonymised data.

Where and how we share your data?

We may need to share your personal data within the collegiate University of Oxford or with third-parties working on our behalf. We will only do this in appropriate circumstances, by secure means, and with the relevant data sharing agreements in place.

Third parties will only process your personal data on our instructions and where they have agreed to treat your data confidentially and to keep it secure. We only permit them to process your personal data for specified purposes. We do not allow our third-party service providers to use your personal data for their own purposes nor to keep your data after the processing is complete. All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies.

Whenever your information is shared, we will always seek to share the minimum amount of information necessary to fulfil the purpose, this includes the use of anonymised or pseudonymised data where that is sufficient.

Your data may be shared in the following ways:

Within the collegiate University of Oxford

We may share your data with colleges and departments that make up the collegiate University. We will do this only where it is necessary in order to carry out any of the purposes listed in this statement on data processing. For example, where the University is responding to an information security incident relating to an undergraduate student based within a college.

With third-party organisations engaged by the collegiate University of Oxford to provide services:

These include:

• Auditors and consultants supporting information security activities.
• Organisations providing ICT tools and services.
• With other third-party organisations to which we have legal obligations, like law enforcement agencies and regulators.

How we protect your data

The Information Security Team takes precautions to safeguard your personal information against loss, theft and misuse, unauthorized access, disclosure and destruction through the use of appropriate administrative, physical and technical security measures.

The Information Security Team’s ICT systems are hosted on University of Oxford infrastructure and are protected by logical access controls. Access is limited to individuals who need to see and use the data to carry out their duties, and access rights are restricted according to individual job roles in order to ensure that users only see information that is relevant to them. All Information Security Team staff receive appropriate training, including training on data privacy, before being granted access.

Transfers of your data outside of the European Economic Area (EEA) – although most of the information we collect, store and process stays within the UK, some information may be transferred to countries outside of the European Economic Area (EEA). This may occur if, for example, one of our third-party partners' servers are located in a country outside of the EEA.

Transfers outside of the EEA will only take place if one of the following applies:

• The country receiving the data is considered by the EU to provide an adequate level of data protection.
• The organisation receiving the data is covered by an arrangement recognised by the EU as providing an adequate standard of data protection e.g. transfers to companies that are certified under the EU US Privacy Shield.
• The transfer is governed by approved contractual clauses.
• The transfer has your consent.
• The transfer is necessary for the performance of a contract with you or to take steps requested by you prior to entering into that contract.
• The transfer is necessary for the performance of a contract with another person, which is in your interests.
• The transfer is necessary in order to protect your vital interests or of those of other persons, where you or other persons are incapable of giving consent.
• The transfer is necessary for the exercise of legal claims.
• The transfer is necessary for important reasons of public interest.

If you require any information about these safeguards, you may contact us (see data protection officer email address below).

How long we keep your data

The Information Security Team operates in-line with the University of Oxford’s data retention policies. These permit the retention of personal data relating to staff and students for up to 6 years after the end of the relationship with the University.

We typically retain IT operational data and metadata about individuals for up to 3 years and when we no longer need to retain personal information, we ensure it is securely disposed of.

We may keep anonymised statistical data indefinitely, but you cannot be identified from such data.

The legal basis for processing your data

We will only use your personal data where the law allows us to do so and rely on the following legal bases for processing your personal data:

• Where we need to perform the contract we have entered into with you. Information processed for this purpose includes, but is not limited to, the information you provide when you join the University as a student or member of staff.
• Where we are required to comply with our legal obligations, such as for: statutory returns to the Information Commissioner’s Offices; when responding to requests under the Investigatory Powers Act 2016; and/or responses to FOI Requests, under the Freedom of Information Act 2000.

Change of purpose

We will only process your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another related reason and that reason is compatible with the original purpose. Please note that we may process your data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Your legal rights and choices in connection with your data

Under certain circumstances, by law you have the right to:

• Request access to your personal data (commonly known as a "subject access request"). This enables you to receive a copy of your data and to check that we are lawfully processing it.
• Request correction of your data. This enables you to ask us to correct any incomplete or inaccurate information we hold about you.
• Request erasure of your data. This enables you to ask us to delete or remove your data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your data where you have exercised your right to object to processing (see below).
• Request the restriction of processing of your data. This enables you to ask us to suspend the processing of your data, for example if you want us to establish its accuracy or the reason for processing it.
• Request the transfer of your data to another party.

Depending on the circumstances and the nature of your request it may not be possible for us to do what you have asked, for example, where there is a statutory or contractual requirement for us to process your data and it would not be possible to fulfil our legal obligations if we were to stop.

If you want to exercise any of the rights described above or are dissatisfied with the way we have used your information, please contact the University's Information Compliance Team at data.protection@admin.ox.ac.uk. The same email address may be used to contact the University's Data Protection Officer. We will seek to deal with your request without undue delay, and in any event in accordance with the requirements of the GDPR. Please note that we may keep a record of your communications to help us resolve any issues which you raise.

If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner's Office at the ICO website[2].

Contact us

If you have any questions about this statement on data processing or about your personal data, want to provide updates to your data or make any changes to your communication preferences, please contact us at one of the following addresses:

University of Oxford Information Security Team
16 Wellington Square
Oxford, OX1 2HY, United Kingdom
Email: oxcert@infosec.ox.ac.uk

John Ireland, Interim Chief Information Security Officer

23rd November 2018, amended[3] 12th December 2018

Approved by IT Infrastructure Board 29th November 2018