Christ Church Data Privacy Notice for Students

For students at Christ Church; applicants and potential applicants to Christ Church or other institutions of Higher Education; applicants who have accepted an offer from Christ Church; and applicants who are not offered a place at Christ Church

This privacy notice applies to current students, applicants and potential applicants for courses of study at Christ Church.

Christ Church’s general data privacy notice, which covers all aspects of data processing in the College and Cathedral, can be found on the Christ Church website:

1. Introduction

2. What is Christ Church?

3. Explaining the legal bases we rely on

4. When do we collect your personal data?

5. What sort of personal data do we collect?

6. How and why do we use your personal data?

7. How we protect your personal data

8. How long will we keep your personal data?

9. With whom do we share your personal data?

10. Where your personal data may be processed

11. What are your rights over your personal data?

12. Contacts

13. If you live outside the UK

14. Any questions?

1. Introduction

Christ Church is committed to protecting the privacy and security of personal data.

This Privacy Notice explains in detail the types of personal data we may collect about you when you interact with us. It also explains how we store and handle that data, and keep it safe.

“Personal data” is information relating to you as a living, identifiable individual.

“Processing” your data includes various operations that may be carried out on your data, including collecting, recording, organising, using, disclosing, storing and deleting it.

The law requires us:

  • To process your data in a lawful, fair and transparent way;
  • To only collect your data for explicit and legitimate purposes;
  • To only collect data that is relevant, and limited to the purpose(s) we have told you about;
  • To ensure that your data is accurate and up to date;
  • To ensure that your data is only kept as long as necessary for the purpose(s) we have told you about;
  • To ensure that appropriate security measures are used to protect your data.

Christ Church has two data controllers: the Governing Body of Christ Church, and the Dean and Canons of Christ Church.

2. What is Christ Church?

Christ Church is, formally, the Cathedral Church of Christ of the Foundation of King Henry VIII in Oxford.  It was founded by Henry VIII in 1546 as a joint establishment of college of the University of Oxford and as the cathedral of the Diocese of Oxford.  It is governed by statutes ratified by the Christ Church Oxford Act of 1867.

3. Explaining the legal bases we rely on

The law on data protection sets out a number of difference reasons for which a company may collect and process your personal data.  When collecting your personal data, we will always make clear to you which data is necessary for each purpose or type of data.  Most commonly, we will process your data on the following lawful grounds:


In specific situations, we can collect and process your data with your consent.

This is usually in relation to direct marketing, but is also used extensively in the collection of personal data by higher education institutions.

Contractual obligations

In certain circumstances, we need your personal data to comply with our contractual obligations.

Legal compliance

If the law requires us to, we may need to collect and process your data.

Legitimate interest

In specific situations, we require your data to pursue our legitimate interests in a way which might reasonably be expected as part of the running of the college, cathedral, and cathedral school, and which does not materially impact your rights, freedom or interest.

We may also use your data, typically in an emergency, where this is necessary to protect your vital interests, or someone else’s vital interests.  In a small number of cases where other lawful bases do not apply, we will process your data on the basis of your consent.  If you are aged under 18, we may ask your parent or guardian, teacher and/or school for their consent also.

Special category data

"Special categories" of particularly sensitive personal data require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal data.  We aim to collect and process special category data as little as possible and, when we do, it is usually to do with your health and well-being.  Christ Church has documented all incidents of our processing of special category data in our Information Asset Registers, and will be preparing a separate document itemising all of these, with reasons, having conducted assessment on each occasion.

The Special Categories of personal data consist of data revealing:

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership.

They also consist of the processing of:

  • genetic data;
  • biometric data (e.g. fingerprints) for the purpose of uniquely identifying someone;
  • data concerning health;
  • data concerning someone's sex life or sexual orientation.

We may process special categories of personal data in the following circumstances:

  • With your explicit written consent; or
  • When it is needed in relation to legal claims or where it is needed to protect your interests (or someone else's interests) or you are not capable of giving your consent, or where you have already made the data public; or
  • When it is necessary in the substantial public interest, and further conditions are met; or
  • When the processing is necessary for archiving purposes in the public interest, or for scientific or historical research purposes, or statistical purposes, subject to further safeguards for your fundamental rights and interests specified in law.

Further legal controls apply to data relating to criminal convictions and allegations of criminal activity.  We may process such data on the same grounds as those identified for “special categories” referred to above.

4. When do we collect your personal data?

When you are an applicant or potential applicant for an academic course of study at the University of Oxford or another institution of Higher Education;

When you attend access events, open days, etc.

When you are a student at Christ Church;

When you are an alumnus/alumna of Christ Church;

When you access or engage with our website;

When you communicate or engage with Christ Church by letter, or email, or other means, including social media;

When your image is collected on our CCTV system;

When you contribute to any Christ Church publications.

The lawful bases that we use in the processing of data related to students, applicants and potential applicants for courses of study will be legitimate interest, contract, and legal obligation.  In some cases, we may keep special category data (particularly health and welfare data).  A full information asset register (IAR) will be available on request soon.  Some of the data will be held in the archives, for historical purposes, in perpetuity.

5. What sort of personal data do we collect?

Depending on your relationship with Christ Church, we may collect the following personal data:

Your name and contact details (including, but possibly not exclusively, address, email address, telephone number(s), URLs;

Your date of birth;

Your payment card and bank details;

Your employment record;

Your educational record, including any data in your assessed work, concerning your assessed work, and awards;

Any correspondence or other papers concerning or relating to your application, acceptance or non- acceptance, and time at Christ Church;

Any disciplinary records, including complaints or decisions about you;

Health and welfare data;

Your image on CCTV and details of access to buildings and grounds;

Your car type and registration number;

Technical information about your access to the website.

NB.  This list is not exclusive.  Christ Church will collect more data on some subjects than on others.

For example: a tourist paying cash at the gate may be recorded on CCTV but otherwise no additional personal data is collected, whereas the personal data collected and processed on members of staff and on students is much more extensive.  Christ Church aims, as part of its Data Protection compliance, to collect only what is necessary and to retain that information only for as long as it is needed.

6. How and why do we use your personal data?

Christ Church collects personal data in order to manage its functions as college, cathedral, and tourist destination:

To teach, supervise, house, and protect our students;

To ensure the health and welfare of our students;

To process applications from prospective students;

To engage with potential applicants and encourage aspiration to Higher Education;

To manage and protect visitors to the college and cathedral;

To manage and protect residents of Christ Church;

To manage the site and its buildings;

To keep in touch with alumni and alumnae, and friends of both college and cathedral;

To manage our website;

To comply with our contractual and legal obligations.

7. How we protect your personal data

Christ Church makes every effort to keep your personal data safe.  All departments within College and Cathedral have drawn up Information Asset Registers which include information on the measures in place to protect both physical and digital data during its collection, processing, and destruction (if relevant).  These Information Asset Registers (or Records of Processing Activities) will be made available on request soon.  Paper copies can be acquired by contacting the Data Protection Officer at the address below.

Access to your personal data is limited to those who need to process it.  As far as possible, paper records are kept in locked cabinets or cupboards which are themselves behind access-controlled doors.  The whole site is monitored during the day by custodial staff and CCTV is used in public areas. Digital files are always password-protected and encryption is encouraged when personal data is moved.  Servers are protected by firewalls and security software.  When data is deleted, every effort is made to ensure the deletion of all copies.

8. How long will we keep your personal data?

Data Protection legislation requires that personal data is only retained for as long as it is necessary, and all Information Asset Registers include retention periods.  In some cases, personal data will be kept in perpetuity, and these Registers will indicate the types of data which are archived for historical or statistical purposes.  Annual reviews will ensure that retention schedules are followed.

Data relating to applicants who are not offered a place at Christ Church is not retained beyond the completion of the application process.

9. With whom do we share your personal data?

Your data may be shared within Christ Church.  Christ Church will not sell your data to third parties. We may sometimes share your personal data with trusted third parties if we are allowed or required to do so by law.  We do not allow third parties to use your data for their own purposes.  Third parties may include:

Your relatives, guardians, and next of kin;


The University of Oxford;

Conference of Colleges;

Loan and financial support providers (including the Student Loans Company);

Letting agencies and mortgage providers;

GPs and hospitals, and other health service providers;

Mental health professionals, including Counselling Services, as necessary;

Other educational institutions;

Electoral agencies

Law enforcement agencies, if required;

Government departments, such as HMRC, and the Disclosure and Barring Service (DBS)

Data Protection legislation requires that companies and other institutions guarantee that they comply with the data protection legislation.

10. Where your personal data may be processed

Data Protection legislation does not allow the transfer of data outside the EEA without consent or without guarantees from those countries that there is adequate data protection legislation in place.

Christ Church has students, staff, and visitors from all over the world, and every effort will be made to ensure that no personal data is transmitted to any country without relevant and adequate legislation without your consent.  Data which may be transferred outside the EEA is noted on the Information Asset Registers.

11. What are your rights over your personal data?

You have the right to request, in most circumstances:

  • Access to the personal data we hold about you, free of charge unless your request is unreasonable;
  • The correction of your personal data if it is incorrect, out-of-date, or incomplete;
  • In certain circumstances, the erasure of your data;
  • The suspension of the processing of your data;
  • Copies of any data shared with another Data Controller

You can contact us to exercise these rights at any time by contacting the Data Protection Officer at the address below.

If you wish to make an access request for data collected by CCTV, contact the Steward of Christ Church at or on 01865 286580.

If you have given consent for Christ Church to collect and process your personal data, you have the right to change your mind at any time and to withdraw that consent.

When Christ Church relies on legitimate interest to collect and process your data, you may ask for processing to be stopped.  If, however, Christ Church believes it has a legitimate and over-riding reason to collect and process your personal data, we may continue to do so.

12. Contacts

The Data Protection Officer (DPO) at Christ Church is Mr James Lawrie.  He can be reached at Christ Church, Oxford, OX1 1DP or at or on 01865 276177.

If you feel that your data has not been handled correctly, then you may lodge a complaint with the Information Commissioner’s Office on 0303 123 1113 or on their website.

13. If you live outside the UK

If you live outside the UK, then complaints can be lodged with the relevant office in your own country.

14. Any questions?
If there is anything you would like to ask about the handling of your personal data, please contact the DPO at the address above in section 13.