Finance Privacy Notice

Your data and privacy

About this notice

This privacy notice provides information about how the University collects and uses your personal information in relation its financial processes and procedures. It explains why we hold this information, what we do with it, how long we keep it for and if we share it with third parties.

‘Personal data’ means any piece of information which can identify you, such that it would be clear to others that the information is about you. It can be a single piece of information, for example, your name. Or it can be separate pieces of information, which, when combined, would help others to identify you.  

About you

This privacy notice uses “you” to mean any individual about whom we collect and hold personal data, including staff, students, pensioners, customers, suppliers, alumni, funders, sponsors, parents or other stakeholders engaged with the University’s financial processes and procedures.

If you have made a payment to the University or received a payment from the University or been involved in a procurement process, you will have supplied personal information about yourself. This will be used by the University to administer its financial processes, protect against fraud and manage its finances.

What information may we collect about you?

We may collect, store and use the following categories of personal data:

  • your details including name, title, addresses, telephone numbers, personal  e-mail addresses, signature 
  • financial data, including bank account details, payment information, purpose of payment, debit/credit card information
  • other relevant personal information. For example, if you are booking a place at a conference or event, the conference organisers may ask you to provide other relevant information e.g. details of any dietary requirements or allergies
  • customer feedback. We may carry out customer research by providing customers with access to feedback questionnaires. Although this feedback is anonymous, the questionnaires provide the opportunity for free text comments, in which a customer may supply personally identifiable information about themselves, other customers or members of staff
  • IP address in relation to online payments made to the University
  • information needed to confirm employment status, including national insurance number, UTR  
  • personal information supplied as part of the procurement process

Sensitive personal data where consent is given in relation to :

  • an insurance claim or other legal matter

  • collection of income due to the University

     

How is your personal data collected?

Information you give to us.

You may give us your personal information through the information collected about you in order to make a payment to you, take a payment from you, respond to an email relating to an enquiry etc.  

Information transferred from third parties

Your personal data may be shared by third parties, for example, for the purposes of administering and managing finance.  

How we will use the information about you?

We need to hold personal data for the following reasons:

  • manage the payment processes between you and the University
  • maintain accurate and up-to-date records
  • event administration
  • report information to the University’s insurers in respect of accidents or incidents 
    • disclosures of sensitive personal data in this context would only be made where explicit consent has been obtained, disclosure is in the substantial public interest, or where necessary for the establishment, exercise or defence of a legal claim.
  • administer the repayment of debts, including use of third parties such as solicitors, debt recovery agents, tribunals and Courts
  • collect payments from externally hosted IT services
  • process any complaint you submit
  • to detect, investigate and prevent crime including fraud
  • for research and statistical purposes
  • maintain or develop systems and processes
  • meet legislative, statutory, contractual and audit requirements
  • improve service levels
  • as part of the procurement process

What is the legal basis for processing your personal information?

We must have a legal basis for processing your personal data (and special categories of your personal data). The legal basis is set out in data protection legislation. Some of the basis for processing will overlap with others, so there may be several grounds which justify us using your personal data.

We will process your personal data based on the consent that you have provided to us e.g. for the purposes of making an insurance claim.

We also have legal obligations to hold personal data, for example we must provide payment information to HMRC. We may therefore use your personal data to fulfil these obligations.

We may also process your data on the basis of our legitimate interests for example to accounting and auditing for administrative purposes, management information or statistical analysis purposes and for fraud prevention.

As we may process special category data (for example about your health for an insurance claim), we must also identify a special category condition for processing. We process special category data where we have your explicit consent.

Third Parties

Your personal data may be shared as permitted or required by law with a range of external organisations, including those set out in the table below. The University remains responsible for the information and will ensure it is kept securely.

Who we share your information withWhy we share your information
Financial Institutions including Brokers, Banks, Building Societies, BACS and other related payment service providersTo make or receive payments from you
Third party suppliers including document scanning service providers, software providers, bank detail validation servicesTo help deliver our service, we may share you personal data with external bodies subject to data sharing agreements which include data protection safeguards.
eMail service providersTo contact you
External agents of the University including (but not limited to) solicitors, debt recovery agents, tribunals and CourtsTo recover monies due to the University
Funders/Sponsors e.g.  United Kingdom Research and Innovation ("UKRI"), European Union, Charities, Commercial SponsorsTo verify funder terms and conditions have been met
Government agencies related to Higher Education including The Scottish Funding Council ("SFC"), The Office for Students ("OfS"), Student Loans Company ("SLC"), Student Awards Agency for Scotland ("SAAS"), Universities UK (UUK), and the Higher Education Statistics Agency ("HESA")For the purposes of carrying out statutory functions relating to the funding of education and for statistical analysis. These agencies should not identify individuals in any published results.
HMRCTo verify details or to provide information in relation to payments made
Insurers, brokers. solicitorsFor the provision of information relevant to insurance claims
The University’s professional advisers, including its external auditors and accountants

To enable the University to manage its affairs and to comply with legal and statutory reporting obligations

 

Individuals who exercise their legal right to access recorded information held by the University under information legislation, particularly the Freedom of Information (Scotland) Act 2002 and data protection law (General Data Protection Regulation (GDPR) and Data Protection Act 2018).To comply with legal obligations.
Third-party payroll service providers, benefits providers, pension administrationTo support financial administration and payments made to individuals

You should check the privacy policies of the relevant third party organisations mentioned above (available on their websites) in order to fully understand how they will process your data.

Cross border data transfers

Where permitted by applicable law, your personal date may be transferred outside the UK. Such transfers are carried out with appropriate safeguards to ensure that your personal data is adequately protected in accordance with applicable data protection law, and in particular Article 46 of the UK GDPR and the EU GDPR.

 

Storage of your personal data

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

Our website may, from time to time, contain links to and from websites of third parties. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to us over the internet, and any such transmission is at your own risk. Once we have received your information, we will use strict procedures and security measures to try to prevent unauthorised access.

Further information about the University’s Data Protection and Information Security policies can be found by clicking on the links below.

Data Retention

We will retain your personal data for as long as it is necessary to fulfil the purposes for which we collected it, including satisfying any legal, accounting, reporting or statutory requirements.

Data Retention Periods

Automated processing and profiling

We do not use profiling or automated decision-making processes. Some processes are semi-automated (such as anti-fraud data matching) but a human decision maker will always be involved before any decision is reached in relation to you.

Changes to this privacy notice

Please check back frequently to see any updates or changes to this Notice.

Contact

Questions, comments and requests regarding this Privacy Notice are welcomed and should be addressed to Finance Department, Charles Stewart House, 9-16 Chambers Street, Edinburgh, EH1 1HT. You can also email us at: Finance.helpline@ed.ac.uk.

This privacy statement is continued at: https://www.ed.ac.uk/records-management/notice. 

This article was published on