Work Experience Privacy Notice
NDORMS Work Experience
If you get in contact with the Work Experience team at NDORMS or complete a registration form you will have provided information about yourself (‘personal data’). We (the University of Oxford) are the ‘data controller’ for this information, which means we decide how to use it and are responsible for looking after it in accordance with the General Data Protection Regulation and associated data protection legislation.
How we use your data
We only process data for specified purposes and if it is justified in accordance with data-protection law. We will process your personal data for the following purposes:
- To correspond with you if you contact us with a query
- To register your interest in the NDORMS Work Experience Programme
- To ensure you meet the criteria of the work experience programme, to decide who joins the programme and to tell you if you have or have not been enrolled in the programme
- To liaise with your school work experience coordinator, Head of Sixth Form or other relevant staff member, where necessary and to report absence or any other issue during Work Experience week
- To contact your parent/carer in the case of an emergency, absence or any other issue during Work Experience week
- To make staff aware of any Special Educational Needs and medical needs that will affect participation in activities
- Where we have your explicit consent, to take videos or pictures during the work experience programme to use on the NDORMS website and/or social media streams
- To monitor equality and diversity of work experience programme.
We collect and use your personal information to carry out tasks with your consent. We rely on the following legal bases under UK GDPR:
- Article (6)(1)(f) - Legitimate interests: the processing is necessary for our, yours or a third parties legitimate interests.
- Article (6)(1)(a) - Consent: the individual has given clear consent to process their personal data for a specific purpose
When we collect or share special category personal data, we rely upon the following legal bases under UK GDPR:
- Article 9(2)(g) - Reasons of substantial public interest. We rely on the ‘equality of opportunity or treatment’ purpose condition from Schedule 1 of the Data Protection Act 2018 when relying on Article 9(2)(g) to process your special category data.
We will only use your data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another related reason and that reason is compatible with the original purpose. If we need to use your data for an unrelated purpose, we will seek your consent to use it for that new purpose.
Who has access to your data and where will we store your data?
Access to your data within the University will be provided to those who need to view it as part of their work in carrying out the purposes described above.
We collect and process your data using Microsoft 365. Your data will be stored on Microsoft 365 and on secure, access-controlled University systems. The systems we use have appropriate security measures to protect your data in line with our policies. We do not allow Microsoft to use your data for their own purposes. We permit them to process your data only for specified purposes and in accordance with our instructions.
Limited information you provide us may be shared with the Oxford University Hospital Trust if the work experience activity involves patient contact. Where we share your data with a third party, we will seek to share the minimum amount necessary.
Retaining your data
We will retain the data you submit to us within electronic form for different lengths of time, but for the minimum length of time that is necessary:
- If you apply for the work experience programme and are not enrolled, we will store your data up until the work experience is due to commence in case a spot becomes vacant and then for a period of up to two months post programme.
- If you apply for the work experience programme and are enrolled, we will store your data for one calendar year after the work experience has taken place.
- We may store anonymised data (data that cannot be linked back to you in any way) about number of applicants, equality and diversity data for reporting beyond this point.
- We will store your photo and video consent form for as long as we are using photos that include you. When we are no longer using the photo or video data, we will destroy both the data and the consent form.
Your data will be held securely in accordance with the University’s policies and procedures. Further information is available on the University’s Information Security website.
Information on your rights in relation to your personal data are explained here.
If you wish to raise any queries or concerns about our use of your data, please contact us at email@example.com. If you want to exercise any of the rights described above or are dissatisfied with the way we have used your information, you should contact the University’s Information Compliance Team (firstname.lastname@example.org) who will seek to deal with your request without undue delay, and in any event in accordance with the requirements of the UK GDPR.
You also have the right to complain to the Information Commissioner's Office (ICO) about the way in which we process your personal data. You can make a complaint on the ICO's website.