Privacy Policy

The University of Bristol (“The University”) is committed to protecting your personal data and for keeping you informed about how information about you is used.
 

This Privacy Notice applies to individuals engaging with the University of Bristol’s online postgraduate programmes and outlines how we process your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.  

​

This notice should be read in conjunction with the University’s top level privacy notices.
    

Types of personal data processed and how we use it
  

Enquiries and Prospective Students 
 
When you request information or make an enquiry about an online programme, the personal data you provide will be used to respond to your request. 

Purpose of processing:
 

• Identify you 

• Respond to your enquiry 

• Provide programme information 

• Communicate with you regarding events or next steps 
   

Personal data processed may include:
 

• Name 

• Email address 

• Telephone number 

• Programme of interest 

• Country of residence 

• Professional background 

• Any information voluntarily provided 

 

Applications 
 
If you apply for an online programme, your application data will be processed to assess your suitability for admission. 
Purpose of processing:
 

• Process and assess your application 

• Verify qualifications and references 

• Communicate admissions decisions 

• Prepare enrolment documentation 

 

Personal data processed may include:
 

• Name 

• Date of birth 

• Contact details 

• Nationality and residency information 

• Educational history 

• Employment history 

• Personal statement 

 

Students 
 
If you enrol as a student, your personal data will be processed for the delivery and administration of your programme. 
Purpose of processing:
 

• Register you as a student 

• Deliver your programme of study 

• Record academic performance 

• Manage assessments and examinations 

• Provide academic and pastoral support 

• Process tuition payments 

• Comply with regulatory reporting obligations 

 

Personal data processed may include:
 

• Contact details 

• Student ID and academic records 

• Assessment results 

• Attendance data 

• Payment information 

• Welfare or support-related information 

 

If you have opted in, your personal data may be used to provide information about:
 

• Online programmes 

• Events and webinars 

• Updates and news 

• Alumni engagement 
     

You may withdraw your consent at any time by using the unsubscribe link in communications or by using the contact details below.  

 

How we collect your data
   

The information we process about you is primary collected directly from you when you apply to a programme or during your studies.

 

We will not use your personal data for automated decision making about you or for profiling purposes.

 

We will process your personal data either in ways you have consented to, or because it is otherwise necessary for a lawful purpose.  

The lawful basis for us to process your personal data for the above purposes is ….

 

• Consent – because you have agreed to the data being processed for specific purposes, including marketing  

• Contract - because we need to fulfil our obligations to you before, during and after our relationship with you 

• legal obligation – because it is necessary to use your personal data to comply with the law]  

• Public task – because we are undertaking activities in the exercise of our official authority or to perform tasks in the public interest
   

The special category data as listed above, specifically health data, is being processed for the above purposes under the following additional lawful basis:
 

• Explicit consent  

• Reasons of substantial public interest, including Equality of opportunity or treatment 

 

Sharing your personal data  

 
We may share your personal data with relevant internal departments at the University where this is necessary to support your enquiry, application, or studies. This includes:

 

• Admissions teams – to process and assess applications, verify qualifications, and communicate admissions decisions  

• Recruitment and marketing teams – to respond to enquiries, provide programme information, and (where consent has been given) share relevant updates, events, and opportunities  

• Faculty and academic departments – to deliver teaching, assess academic performance, and provide academic support  

• Student services and support teams – to provide pastoral care, wellbeing support, disability services, and academic guidance -  

• Finance teams – to manage tuition fee payments, invoicing, and financial records  

• Registry and academic administration – to maintain student records, manage enrolment, and ensure compliance with academic regulations  

 

What data is shared: 

Only the personal data necessary for each purpose is shared. This may include:

 

• Identification details (e.g. name, student ID)  

• Contact information  

• Application and admissions data  

• Academic records and assessment results  

• Engagement and attendance data  

• Payment and financial information  

• Welfare or support-related information (where relevant and appropriate)  

 

All internal sharing is carried out in accordance with data protection legislation and on a need-to-know basis.

 

Storage and retention of personal data

  

The University has put in place appropriate technical and organisational security measures to prevent your personal data from being accidentally lost or used, accessed, altered or disclosed in any unauthorised way.

   

Access to your personal data is limited to those that have a lawful and legitimate ned to access it.

   

During your engagement (enquiry, application, and study):

 

Your data may be stored in:

 

• HubSpot: Our primary Enterprise CRM used to manage enquiries, communications, and marketing preferences.  

• DreamApply: A dedicated admissions management system used to collect and process application data and supporting documentation. This portal can be accessed at online-applications.bristol.ac.uk. 

• Microsoft 365: These platforms are used for secure document hosting, internal collaboration, and administrative records.  

• ScoreApp: Used for prospect data collection, surveys, and qualification to inform best practices for offering tailored support. 

• Wix: Used for hosting our landing pages and managing content through a Content Management System (CMS). 

• RingCentral: A unified communications platform used for telephony and student outreach.   

• GoToWebinar: A platform used for delivering webinars and digital events to prospective students. 

• Blackboard: Used for programme delivery, assessment, and academic records where applicable. 

  

After your engagement (post-study or withdrawal):

 

• Your data will continue to be stored within University systems in line with the Records Retention Schedule  

• Some data may be retained for alumni engagement, statutory reporting, or legal obligations  

• Data is securely archived or deleted once it is no longer required  
   

Data location and international transfers

 

Your personal data is primarily stored and processed within the United Kingdom and the European Economic Area (EEA). To provide a resilient and scalable service, we utilise global SaaS providers, which involves the transfer of data to the following locations:

  

• United Kingdom: Primary location for our corporate operations, Microsoft 365 tenant, and ScoreApp hosting.  

• Germany & Ireland: Primary data-at-rest locations for HubSpot, DreamApply, RingCentral, and Wix.  

• United States: Used for processing analytics, metadata, and support services by providers including Microsoft, HubSpot and GoTo. 

• Israel: Utilised for redundancy and platform maintenance by Wix.
    

Where service providers operate outside the UK or EEA, appropriate safeguards are in place—including Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and Adequacy Rulings (such as the UK-US Data Bridge) to ensure your data is protected in line with UK GDPR.  

 

Security and access 

 

All systems used to store your data are cloud-native and benefit from industry-leading security certifications, including ISO 27001 and SOC 2 Type II. Security measures include:

  

• Access Controls: Mandatory Multi-Factor Authentication (MFA) for all administrative accounts.  

• Encryption: Data is encrypted both "at rest" within databases and "in transit" via SSL/TLS protocols.  

• Monitoring: Regular security monitoring and internal audits of our data estate. 

 
Your rights  

​

Under certain circumstances, you may have the following rights in relation to the data we process:  

​

• Right to request access to your personal data; 

• Right to request correction of your personal data; 

• Right to request erasure of your personal data; 

• Right to object to processing of your personal data; 

• Right to request restriction of the processing your personal data; 

• Right to request the transfer of your personal data; and 

• Right to withdraw consent. 
   

For more information on these rights please visit the University’s guidance here. To exercise any of the above rights please contact the Data Protection Officer via data-protection@bristol.ac.uk 

 

Questions, comments and complaints  

 

If you have any questions or comments regarding this Privacy Notice, please contact: online-enquiries@bristol.ac.uk   

 

You can also contact the University’s Data Protection Officer at: data-protection@bristol.ac.uk.  

 

If you are unhappy or have any complaints about how we process your personal data, we encourage you to follow our internal complaints procedure, as outlined here on our website. Should you remain dissatisfied after exhausting our internal complaints process, you have the right to raise your complaint with the Information Commissioner’s Office (ICO). 

​