The following relates to how we handle data within the course booking system, Accessplanit, which is referred to as ‘CoSy’ at Oxford as well as personal data submitted to us by email in support of the administration of training courses.
We handle your data with care
This policy relates to personal data, as defined by the General Data Protection Regulation (GDPR), held for administration of University of Oxford training courses.
When we collect your data
We collect information about you, (your ‘personal data’) when you:
- login to the course booking system to search, book and pay for course
- provide course feedback
- subscribe/unsubscribe to a mailing list
- book or join a course waiting
- attend a course, workshop or event (e.g. course attendance registers)
Types of data we collect about you
When you use our training booking services, we collect, store, and use the following types of data:
- address (non-University delegates)
- email address
- mobile phone number
- dietary or accessibility requirements
- status (eg member of University/external)
- role at University (eg staff/student)
- affiliation at University (department/college)
- invoicing information
- course information
We may automatically collect:
technical information. For example, the type of device (and its unique device identifier) you use to access our site or systems; the Internet protocol (IP) address used to connect your device to the Internet; your login information; browser type and version, time zone setting; browser plug-in types and versions; operating system, mobile network information and platform.
information about your visit to site or systems. This includes the full Uniform Resource Locators (URL); clickstream to, through and from websites (including date and time); pages you viewed; page response times; download errors; length of visits to certain pages; page interaction information (such as scrolling, clicks, and mouse-overs); and methods used to browse away from the page.
How we use data
The information is used for:
- course and event administration
- requirements gathering
- analysis and evaluation
- payment for courses
- management information
- statistics and reporting
We process your data for this purpose only because you have given us your consent to do so, by:
- booking a course or placing yourself on a course waiting list*
- completing a course evaluation survey
- attending a workshop, course or event
This processing is necessary to provide you with our services.
We will only use your data for the purposes for which we collected it, unless we reasonably consider that we need to use it for a related reason, compatible with the original purpose. If we need to use your data for an unrelated purpose, we will ask your permission first.
Please note: We may process your data without your knowledge or consent, in compliance with the conditions set out here, where this is required or permitted by law. By visiting our site and using our services you are accepting and consenting to the practices described in this policy.
*Registration data is supplemented with attendance data after a course has taken place.
Who has access to your data?
Access to your data within the University will be provided to those who need to view it as part of their work (e.g. managers, administrators and trainers) in carrying out the purposes described above. The CoSy booking system is used by CoSy administrators in other departments across the University and your data can be viewed by these administrators.
Where a course has been organised on behalf of a department the names of participants, attendance reports and feedback will be passed to the department.
Course records will be routinely shared with other people within the University who we believe have a legitimate need to know, including heads of departments and departmental administrators and HR managers. The mechanism to share data is via the Self-Service Training Data Reports Service.
Project training records will be shared on request with project roles (as identified by project managers) where there is a legitimate project requirement.
We also share your data with companies who provide services to us, such as for the course booking system, payment gateways, LinkedIn Learning and survey tools. These companies are required to take appropriate security measures to protect your data in line with our policies. We do not allow them to use your data for their own purposes. We permit them to process your data only for specified purposes and in accordance with our instructions.
Where your data is shared with third parties, we will seek to share the minimum amount necessary. For example, we only share your SSO ID with LinkedIn Learning.
We would like to send you information about services which may be of interest to you.
We do this only where you have specifically indicated that you agree to receive such information, for example, by selecting ‘Yes’ to receiving IT Learning Centre communications while booking a course. We will ask whether you would like us to send you marketing messages each time you book a course. You can choose which messages you wish to receive.
You can withdraw your consent at any time by contacting us at email@example.com. In this event, we will stop any processing as soon as we can. However, this will not affect the lawfulness of any processing carried out before your withdrawal of consent and you may no longer be able to use the site in the same way you did before.
We will not provide your data to organisations outside the University for their marketing purposes.
Your data will be held securely in accordance with the University’s policies and procedures. Further information is available on the University’s Information Security website.
Where we store and use your data
We store data manually and/or electronically. The data is stored securely in accordance with University data security policies. This may be on premise or using approved off-site storage.
Electronic data may be transferred to, and stored at, a destination outside the European Economic Area ("EEA")
Such transfers will only take place if one of the following applies. The:
- country receiving the data is considered by the EU to provide an adequate level of data protection;
- organisation receiving the data is covered by an arrangement recognised by the EU as providing an adequate standard of data protection e.g. transfers to companies that are certified under the EU US Privacy Shield;
- transfer is governed by approved contractual clauses;
- transfer has your consent;
- transfer is necessary for the performance of a contract with you or to take steps requested by you prior to entering into that contract; or
- transfer is necessary for the performance of a contract with another person, which is in your interests.
Retaining your data
We will only retain your data for as long as we need it to fulfil our purposes, including any relating to legal, accounting, or reporting requirements.
If you have any questions or concerns about our use of your data, please contact us at firstname.lastname@example.org
Data Controller: The University of Oxford is the “data controller" for the information you provide to us when using our services. This means that we decide how to use it and are responsible for looking after it in accordance with the GDPR.
Personal data: any information relating to an identifiable living individual who can be identified from that data or from that data and other data. This does not include data where your identity has been removed (anonymous data).
Processing of your personal data; refers to anything we do with that information, including collection, use, storage, disclosure or retention.