CRM - Privacy Policy
Gardens, Libraries and Museum Contacts
We are processing your data for the purpose detailed within this policy only because you have given us your consent to do so by signing up to receive communications from us. You can withdraw your consent at any time by contacting us at:
- Ashmolean Museum membership - membership@ashmus.ox.ac.uk | 01865 278016
- Bodleian Libraries membership - fob@bodleian.ox.ac.uk | 01865 277 234
- History of Science Museum membership - data.protection@GLAM.ox.ac.uk
- Oxford Botanic Garden and Arboretum membership - data.protection@GLAM.ox.ac.uk
- Oxford University Museum of Natural History membership - data.protection@GLAM.ox.ac.uk
- Pitt Rivers Museum membership - membership@prm.ox.ac.uk | 01865 613000
Alternatively, please get in touch with data.protection@GLAM.ox.ac.uk
A) Who is using your personal data?
The University of Oxford is the “data controller" for the information that we collect . This means that we decide how to use it and are responsible for looking after it in accordance with the GDPR.
Access to your personal data within the University will be provided to those staff who need to view it as part of their work in connection with the operation of the CRM. It will also be shared with the third parties described in Section E.
Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. We may update this policy at any time.
B) Glossary
Where we refer in this policy to your ‘personal data’, we mean any recorded information that is about you and from which you can be identified. It does not include data where your identity has been removed (anonymous data).
Where we refer to the ‘processing’ of your personal data, we mean anything that we do with that information, including collection, use, storage, disclosure, deletion or retention.
C) Types of data we collect about you
Biographical information, which may include:
- Name, title, contact details, date of birth, gender, marital status, spouse, partner and family details.
- For current or past students: student ID, programme of study, department, college, matriculation or start date, graduation date, degree conferred.
Details of our ongoing relationship and your engagement with us, which may include:
- Records of your personal interactions with us (e.g. correspondence, notes of meetings or conversations).
- Your communication preferences; records of communications you have received from us, incl. copies of letters, emails or appeal literature sent, and of activities in which you have been included .
- Data obtained through cookies and similar technologies such as pixels, tags, web beacons, and other identifiers. These help us understand how you interact with our email communications, websites and other online services we provide. You will find a link to the relevant cookie policy on each of our websites.
- Your attendance (and that of your guests) on visits to, or at events across the collegiate University, including details of any payments made, and photographs, audio and video recordings in which you may be included.
- Details of benefits and services provided to you.
- Your connections to other alumni, students, staff, friends, groups or networks, donors and supporters within the collegiate University community.
- Membership of college or University social media groups e.g. Facebook, LinkedIn.
- A record of offers of voluntary support you have made
Information about your giving, which may include:
- Current and past donations and pledges, documentation relating to these gifts and records of the projects you have supported.
- Financial information required to process your gifts.
- If you have given it, an indication of your intent to leave a legacy, including copies of wills or sections of wills.
- Any requests you have made for anonymity in relation to your giving.
- Thank you letters, donor reports provided relating to gifts you have made, correspondence and notes of meetings.
- Plans for activities and future interactions.
- Records of membership of any societies or groups related to your giving.
- Your relationship to friends and patrons groups associated with, or providing support to, the collegiate University.
- Your relationship to relevant trusts, foundations and corporates, e.g. membership on board of trustees.
Information relating to your willingness or financial capacity to support our charitable objectives, which may include:
- Our understanding of your likely philanthropic interests, and a note of particular projects we think may be of interest to you. This understanding may be provided by you or from information in the public domain.
- Information about your giving to other organisations, and other support that you provide (e.g. volunteering roles, trusteeships), where this information is given to us by you or publicly reported, and where it helps us to understand your interests and capacity to provide support.
- Other information which may give an indication of the scale of any potential philanthropic gift you may be able to give, such as information about earnings and assets, including property, or publicly reported estimates of wealth.
- Any estimate we may make regarding the potential scale of your support on the basis of the above information and your previous giving.
- Personal recommendations, where made by other supporters, that you may be willing and able to provide support.
D) How we use your data
For alumni and supporter engagement
- To manage our ongoing relationship with you and to provide a record of your interactions and contributions to college and University life.
- To offer and manage a varied programme of events tailored to your interests, including networking events, subject reunions, Gaudy dinners, sports events, concerts, seminars and lectures.
- To ensure you are aware of the wider programme of events, lectures and seminars taking place across the collegiate University which we believe may be relevant to you and that you may have an interest in attending.
- To keep you up to date with news from your college, department, or other areas in which you have shown an interest, e.g. by making a donation, attending an event, or becoming a member/friend.
- To provide you with information about benefits and services.
- To let you know of volunteering opportunities across the collegiate University, including linking current students with alumni for careers advice and internships, or speaking opportunities.
- To provide the most relevant content and best possible user experience when you are interacting with our digital communications and platforms.
- To identify and profile potential volunteers, alumni ambassadors and event attendees.
- To accept and process commercial revenue, e.g. for merchandise or event tickets.
- To undertake surveys and market research.
- To create classifications and groupings (through manual or automated analyses) in order to best direct engagement activities.
- To analyse the success of our engagement activities, collect feedback, and manage complaints.
For all fundraising and donor stewardship
- To help ensure that our fundraising efforts are conducted as efficiently as possible, and that our approaches to potential donors are respectful, professional, and made, as far as possible, based on evidence and an understanding of what may interest you.
- To ask you for your support for our fundraising programmes, always mindful of fundraising best practice, and according to the fundraising promise.
- To accept and process philanthropic revenue.
- To provide acknowledgement, recognition and stewardship of your gift.
- To inform you of the impact of your gift.
- To create classifications and groupings (through manual or automated analyses) in order to best direct fundraising activities.
- To support peer-to-peer fundraising campaigns.
- To inform fundraising, marketing and donor stewardship strategies.
For fundraising for major gifts
- In addition to analysing data shared with us, we may use publicly available information and recommendations from staff and supporters to identify individuals who we believe may have the interest and financial capacity to make a major gift.
- Where we have reason to think a potential donor may possess an interest and financial capacity to donate, we may research and collate additional information from sources in the public domain, typically concerning a potential donor's interests in so far as they may coincide with our work, their philanthropic activity, financial capacity and networks in order to substantiate this. We may undertake this research ourselves or use the services of a third-party partner. This new information may be added to the record of a donor or potential donor.
- Where this activity is being undertaken for a new contact with whom we have no previous relationship, we will provide the individual with a link to this privacy notice as part of our initial engagement.
- Information may be collated into a briefing or profile in order to assist the planning of an approach to a potential donor to discuss that individual's interest in our work and in supporting it.
- We may also carry out due diligence on potential donors using publicly available information in order to comply with our policy on the acceptance of gifts, and to fulfil our legal responsibilities.
For operational reporting, management reporting, and governance
- We may use your personal data for the purposes of operational reporting, to produce management information, and for other relevant purposes relating to the governance of the collegiate University. We will use only the data required and, unless necessary, we will use anonymised or pseudonymised data.
In our external communications
- With your permission, we may publish your name in an online directory, in donor listings, as part of a guest list, or we may work with you to create press releases or case studies to be included in our publications or on our websites.
In the event of you withdrawing consent, we will stop the processing as soon as we can. However, this will not affect the lawfulness of any processing carried out before your withdrawal of consent
We will only use your data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another related reason and that reason is compatible with the original purpose. If we need to use your data for an unrelated purpose, we will seek your consent to use it for that new purpose.
E) Sharing your data with third parties
We may, from time to time, need to share your personal data within the collegiate University of Oxford or with third parties working on our behalf. We will only do this in appropriate circumstances, by secure means, and with the relevant data sharing agreements in place. We do not, and will not, sell your data.
Third parties will only process your personal data on our instructions and where they have agreed to treat your data confidentially and to keep it secure. We only permit them to process your personal data for specified purposes. We do not allow our third-party service providers to use your personal data for their own purposes nor to keep your data after the processing is complete. All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies.
Whenever your information is shared, we will always seek to share the minimum amount of information necessary to fulfil the purpose, this includes the use of anonymised or pseudonymised data where that is sufficient.
Your data may be shared in the following ways:
Within the collegiate University of Oxford
We may share your data with colleges and departments that make up the collegiate University. We will do this only where it is necessary in order to carry out any of the purposes listed in this privacy notice. For example, where the University is coordinating with one or more colleges to organise shared events to which you are invited; to manage and coordinate relationship management activities with you; to ensure your contact information is up-to-date, to distribute to your college any gifts received via the University's payment methods.
We may also share relevant data, in appropriate circumstances, with University Sports Clubs and Societies where you are (or were) a member or supporter of that club or society.
Within the collegiate University of Oxford via the Development and Alumni Relations System (DARS)
The collegiate University of Oxford utilises a shared relationship management system, known as DARS (Development and Alumni Relations System), to store and share data across participating teams, departments, and colleges. Our objective in doing so is to improve our mutual understanding of the multiple relationships you have across the collegiate University; we believe this understanding is crucial for us to be able to provide you with the best possible experience we can. Developing a better appreciation of our relationship with you should improve our communications with you and mean we are better able to respond to your preferences about how we stay connected with you. This includes improving the quality of the data we hold about you and ensuring that we are processing the latest and most accurate data you have provided.
In the case of colleges that use DARS, the University and colleges are joint "data controllers" of your personal data. This means that if you have questions about your data you can either contact the University or your college and we will liaise as appropriate to respond to your query. A list of participating colleges, including the University, can be found at the Joint Data Controllers page.
With organisations or individuals affiliated to the collegiate University of Oxford
We benefit from a network of organisations and individuals who volunteer their support to the collegiate University. We may share relevant data with them, in appropriate circumstances, by secure means, and with the relevant data sharing agreements in place. These may include:
- Volunteers offering their expertise by serving on boards or otherwise advising on or assisting with alumni or development matters.
- Recognised University or college alumni societies and networks, for example when they are helping to organise a dinner or host an event to which you are invited.
With third-party organisations engaged by the collegiate University of Oxford to provide services:
These include but are not limited to:
- Mailing houses, printers, event organisers or venues.
- Organisations providing tools such as relationship- or event-management systems; databases and reporting/analysis tools; alumni networking or crowdfunding platforms; email or survey tools; payment services (e.g. direct debit, online donation processing).
- Organisations assisting with activities such as market research, marketing and communications, organisational effectiveness, strategy and planning, auditing, business intelligence and analysis, customer experience.
F) Where we store or use your data
We may store data collected by the website manually or electronically. The data is stored on our secure servers and/or in our premises within the UK.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of data transmitted to the website and any transmission is at your own risk.
Where you have provided us with your credit or debit card information, over the phone, or on a printed giving form, that data is stored securely and destroyed after your payment has been processed. Bank details used for processing Direct Debits are stored under the Direct Debit Guarantee Scheme. Online donations are processed via our third-party payment service providers and your credit or debit card information is not collected or stored by us.
Transfers of your data outside of the UK - although most of the information we collect, store and process stays within the UK, some information may be transferred to countries outside of the UK. This may occur if, for example, one of our third-party partners' servers are located in a country outside of the UK. This may also occur where staff in our international offices access our relationship-management system.
Transfers outside of the UK will only take place if one of the following applies:
- The country receiving the data is considered by the UK to provide an adequate level of data protection.
- The organisation receiving the data is covered by an arrangement recognised by the UK as providing an adequate standard of data protection.
- The transfer is governed by approved contractual clauses.
- The transfer has your consent.
- The transfer is necessary for the performance of a contract with you or to take steps requested by you prior to entering into that contract.
- The transfer is necessary for the performance of a contract with another person, which is in your interests.
- The transfer is necessary in order to protect your vital interests or of those of other persons, where you or other persons are incapable of giving consent.
- The transfer is necessary for the exercise of legal claims.
- The transfer is necessary for important reasons of public interest.
Security
Your data will be held securely in accordance with the University’s policies and procedures. Further information is available on the University’s Information Security website. Home | Information Security (ox.ac.uk)
G) Third party websites
Our sites contains links to and from various third party websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
H) Retaining your data
We will only retain your data for as long as we need it to fulfil our purposes, including any relating to legal, accounting, or reporting requirements.
We will retain your data for 7 years after you cease to be a member or after your last transaction.
I) Your rights
Under certain circumstances, by law you have the right to:
- Request access to your data (commonly known as a "subject access request"). This enables you to receive a copy of your data and to check that we are lawfully processing it.
- Request correction of your data. This enables you to ask us to correct any incomplete or inaccurate information we hold about you.
- Request erasure of your data. This enables you to ask us to delete or remove your data under certain circumstances, for example, if you consider that there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your data where you have exercised your right to object to processing (see below).
- Object to processing of your data where we are relying on our legitimate interests (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
- Request the restriction of processing of your data. This enables you to ask us to suspend the processing of your data, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your data to another party.
Depending on the circumstances and the nature of your request it may not be possible for us to do what you have asked, for example, where there is a statutory or contractual requirement for us to process your data and it would not be possible to fulfil our legal obligations if we were to stop. Further information on your rights is available from the Information Commissioner’s Office (ICO).
If you want to exercise any of the rights described above or are dissatisfied with the way we have used your information, you should contact the University’s Information Compliance Team at data.protection@admin.ox.ac.uk. The same email address may be used to contact the University’s Data Protection Officer. We will seek to deal with your request without undue delay, and in any event in accordance with the requirements of the GDPR. Please note that we may keep a record of your communications to help us resolve any issues which you raise.
If you remain dissatisfied, you have the right to lodge a complaint with the ICO at https://ico.org.uk/concerns/.
J) The legal basis for processing your data
We will only use your personal data where the law allows us to do so. Most commonly we rely on the following legal bases for processing your personal data:
- Where we have a legitimate interest to do so for purposes listed within this privacy notice. Where we use legitimate interest as the basis for our processing we have carefully considered each of the ways we process your data to ensure that we carry out our activities with a focus on the interests of our alumni, donors and supporters, and in the most efficient and effective way.
- Where we need to perform the contract we have entered into with you. Information processed for this purpose includes, but is not limited to, the information you provide when you register for an event, or to enable us to process a donation.
- Where we are required to comply with our legal obligations, such as for: reclamation of Gift Aid on your donations; statutory returns to the Office for Students (OfS), the Charity Commission or ICO; participation in the HESA Graduate Outcomes Survey; responses to the Charity Commission or ICO in relation to audits or official investigations; responses to FOI Requests, under the Freedom of Information Act 2000.
- Where your consent is required, for example where sensitive personal data is recorded. You can withdraw your consent at any time and we will stop any processing of your personal data requiring your consent. See: Your legal rights and choices in connection with your personal data.
Change of purpose
We will only process your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another related reason and that reason is compatible with the original purpose. If we need to use your data for an unrelated purpose, we will seek your consent to use it for that new purpose. Please note that we may process your data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
K) Changes to this policy
Any changes we may make to our privacy policy in the future will be posted on this page. Please check back frequently to see any updates or changes to our privacy policy.
L) Contact
If you wish to raise any queries or concerns about this privacy policy please contact the Information Compliance Team by email at data.protection@admin.ox.ac.uk or by post at University of Oxford, University Offices, Wellington Square, Oxford, OX1 2JD.
The University’s legal title is the Chancellor, Masters and Scholars of the University of Oxford