Privacy Policy
Understand how we protect your data, what we use it for and your rights.
About this Privacy Policy
The Advancement team supports the University’s vision through contact with alumni and supporters of the University. We provide news and information about our academic and alumni activities and offer opportunities for our community to be involved with the University through attending events, volunteering, and fundraising. Where possible, we communicate these opportunities through email and phone to save resources.
These guidelines explain how we manage and retain the personal information of our alumni and supporters. They define how we manage our data:
- Principles
- Responsibilities
- Mechanisms
- Time periods
As we develop our programme of activity, we may want to use your information for new purposes not currently described in this Privacy Notice. If our information practices change at some time in the future, we will contact you to let you know.
1. Data Controller, Data Processor and Data Protection Officer
University of Newcastle upon Tyne (“we”, “our”, “us”, “Newcastle University”, “The University”) processes personal data in accordance with our obligations under the General Data Protection Regulations (‘GDPR’) and is a registered Data Controller (Registration Number Z5470161) with the Information Commissioner’s Office (‘ICO’), which is the supervisory authority responsible for the oversight and enforcement of Data Protection Legislation within the United Kingdom.
The contact details of the University’s Data Protection Officer and the relevant supervisory authority are available at: Data Protection
2. How is your personal data collected?
We use different methods to collect data from and about you including through:
- University’s student record system
- ‘Update Your Details’ forms
- Donation forms and gift agreements
- Gift Aid declarations
- Scholarship applications and profiles
- Event, volunteering and competition registration forms
- Event feedback forms
- Surveys and feedback forms (Graduate Outcomes, HESA and similar)
- Volunteering agreements
- Direct emails, phone calls and in-person meetings with alumni, supporters and other stakeholders
- LinkedIn messaging
- Desktop research, including LinkedIn, Companies House and similar sources
- Xapien due diligence platform
- Obituaries
- Individual and video profiles
- Telethons
- Convocation election
3. What personal data is collected?
Upon the completion of your course, we create a Core Alumni Record from data held in the University’s student record system, in accordance with the Student Privacy Notice. This record contains the following information:
- Name
- Student ID
- Contact details (email address, postal address, and phone numbers)
- Date of birth
- Gender
- Nationality
- Tuition Fee category
- Degree information (including subject with start and end dates, campus, final degree classification)
Additional Information we collect and process includes the following:
- Student or alumni society membership
- Student hall information
- Communications you have received from the Advancement team
- Alumni engagement or philanthropic activities you have been a part of (e.g., nominating/being nominated for an alumni achievement award, when registering for an event, volunteering or making donations to the University)
- Employment details, such as the company name and position
- Social media handles
- Ways of engaging that you have selected as being of interest to you (whether you wish to volunteer, donate, or support the University in another way)
- Scholarship, prize and bursary applications and awards
- Any links with fellow alumni (such as spouses or friends)
- Information regarding donations (including gift dates, amounts, fund support area, bank details and gift remittance information)
- Site ad ROI (Return on Investment) tracking (to track the journey of contacts who go on to access our website via links in our campaigns and to split test campaigns using ROI metrics)
Information we collect and process from publicly available sources includes the following:
- Employment information (company name, position, work email address, organisational memberships)
- Philanthropic capacity (propensity, affinity, and capacity to donate to our philanthropic causes)
- History of philanthropic activity and interests
- Online presence and web links
4. Where do we get your personal data and for what purpose?
We will only collect and use your personal data in line with current legislation. Most commonly we will use your personal data in the following circumstances:
- Where you consented to the processing
- Where it is within our legitimate interests (or those of a third party) and does not impact your fundamental rights to override those interests
We use public task as the basis to call meetings of the Convocation. This involves the creation of the Core Alumni Record from data held in the University’s student record system.
We use consent as the legal basis to collect and process personal data and additional information about alumni (“you” or “your”) to communicate with you via post, phone and email to inform you about alumni news and updates, as well as events, volunteering, fundraising and surveys.
We use legitimate interest as the basis to collect and process Additional Information, including that available from publicly available sources, to provide benefits and services to students, staff, alumni, and supporters and to further the University’s educational charitable mission. We may also use this information to create short biographies for hosts and support staff if you register to attend a university event.
Those legitimate interests are to:
- Enable and cultivate a culture of continuity and engagement
- Focus on fostering meaningful relationships with existing and prospective supporters
We use contract agreement as the basis to process your donations, such as cheque, cash, and voucher donations, online single donations, Direct Debit and Standing Order payments, as well as to process Gift Aid.
5. Where do we securely process and store your personal data?
5.1 Within the UK and EEA
All personal data is processed by Newcastle University Advancement staff based in the UK; however, for the purposes of IT hosting and maintenance, this information is located on servers within the EEA.
Raiser’s Edge – The University uses Raiser’s Edge, a Blackbaud solution, as its Alumni and Supporter CRM to hold all personal information on its stakeholders, including Core Alumni and Additional Information. Raiser’s Edge data servers are hosted in a Microsoft Azure Environment in Amsterdam, Western Europe.
5.2 Outside the UK and EEA
The following systems and purposes are exceptions where data is located on servers not based within the EEA to facilitate specific operational purposes e.g., donation processing services, email communication services, employment information data appending services, and due diligence scanning services.
Blackbaud Merchant Services – The University uses Blackbaud Merchant Services as one of its credit/debit card donation gateways and processors, integrating with the Raiser’s Edge Alumni and Supporter CRM. Blackbaud Merchant Services data is held in the United States.
DotDigital – The University uses the DotDigital platform as an online email marketing tool to create and send out mass email communications to the alumni, donor, and supporter community. Any updated communication preferences on this platform are recorded on the Advancement alumni and supporter database, the Raiser’s Edge, to maintain the accuracy of data. DotDigital's data servers are in a Microsoft Azure Environment and the Google Cloud Platform, in Northern and Western Europe.
LiveAlumni – The University uses the research tool LiveAlumni to obtain graduate employment data from LinkedIn. This information is in the public domain and includes details related to company names, positions, and organisational memberships. We use this data to meet our legitimate interest to better understand the employment outcomes of our graduates, to improve our communication channels and for reporting purposes. LiveAlumni servers are in the United States.
Xapien – The University uses the background research tool Xapien to carry out due diligence and Acceptance of Donation checks on prospective supporters in line with the Ethical Gifts Policy, as well as volunteers, speakers, event registrants, partner companies and others. Xapien data is stored on AWS servers in Oregon, United States.
These solutions provide high levels of physical and network security as well as hosting provider vendor diversity. Where processing takes place with an external third party, processing takes place under an appropriate agreement outlining their responsibilities to ensure that processing is compliant with the Data Protection legislation and verified to be secure.
5.3 Payment processing
We adhere to a set of industry standards to ensure the highest level of data security to keep your cardholder data safe by ensuring our and our service providers’ compliance with PCI-DSS requirements.
The University is compliant with Pay UK’s rules governing the use of paperless Direct Debits and the BACS Direct Debit Scheme. All direct debits are processed under the direct debit guarantee.
Newcastle University is registered with Chapel and York and the British Schools and Universities Foundation for tax-efficient giving overseas.
6. Prospect research and data analysis
We may gather information about you from publicly available sources to help us understand more about you as an individual: your affinity to Newcastle University, interests, history of philanthropic activity, and capacity to volunteer, donate, or otherwise contribute to the University. This is known as “prospect research” and can involve the collection and analysis of biographical, financial, corporate, and philanthropic information from a wide variety of sources, both publicly available and those unique to us (such as our supporter database).
We carry out prospect research:
- To identify, and facilitate the development of relationships with, prospective supporters of Newcastle University.
- To maximise the value of our communication by ensuring only relevant updates, invitations and engagement opportunities are sent to prospective supporters.
- Where interest in supporting the University is expressed, to provide volunteering or philanthropic opportunities that are appropriate.
- For due diligence, ensuring engagement with an individual or organisation is aligned with the University values and minimises the reputational risk to the University.
As part of this process, we may carry out giving capacity analysis. Giving capacity analysis is a fundamental part of efficient fundraising planning; using publicly available information to assess potential supporters’ philanthropic capacity and best tailor existing opportunities to their interests. We may use trusted third-party partners to automate elements of this work.
The University uses audience segmentation techniques to assist with reporting functionality for national benchmarking exercises (such as HESA graduate outcomes, CASE–Ross survey) and for internal KPI monitoring and data analysis.
7. Sharing your personal data with third parties
Your personal information will only be disclosed to third parties where we have an appropriate lawful basis to do so, which may include the following:
- With third parties who securely process data on our behalf in order to facilitate our relationship with you, such as software service providers providing externally hosted software solutions e.g., Raiser’s Edge, DotDigital.
- With telethons and direct mail agencies. Any updated information gathered during these activities (including information regarding any donations made) will be passed back to the University in the interest of data accuracy and donor stewardship.
- With software providers to carry out our regulatory obligations to ensure appropriate background checks are conducted as required e.g., Xapien research tool.
- With Social Media Providers so that we can communicate with you, promote tailored advertising to you, and assess your social media interactions to promote our services to you and with others you interact with on social media to inform our advertising campaigns to create look-a-like audiences with the data you provide.
8. How long do we hold personal data?
Personal data is retained for as long as it is required to fulfil the purpose for which it is held and then to fulfil any legal requirements.
- The Core Alumni Record and any subsequent updates to the information fields held in that record are retained indefinitely unless requested to be removed. To ensure that a record is not re-added to the system following a request for erasure, a skeleton record containing student ID, name, date of birth and alumni type is retained.
- Contact information, such as email addresses, phone numbers, postal addresses, and online presence links, are retained whilst you wish the University to remain in contact with you. If you have made a Gift Aid declaration while making a donation to the University, the house name/number and postcode will be retained for 7 years (6 years plus current) from the date of the last donation in line with HMRC requirements.
- Completed volunteering opportunities, event attendance, donation details (gift date, amount and fund area), prospect engagement (such as a specific fundraising campaign request) and communications you have received from the University: retained indefinitely for internal reporting purposes unless requested to be removed.
- Employment data, prospect research (including fundraising capability and interests) and volunteer interests: retained whilst you wish the University to remain in contact with you.
- Gift remittance information and Direct Debit mandates: retained for the duration of the gift plus seven years (six years plus current).
- Scholarship applications are retained for 3 months after application review. Scholarship recipient profiles are retained for 5 years after the completion date.
- Dietary and/or mobility data for event attendance: retained for one month after event conclusion. Event panellist/speaker images and social media handles for promotional materials will be retained for 5 years after the receipt/event registration.
- Event biographies: whilst you wish to attend University events, reviewed every 2 years for accuracy.
We periodically review the data we hold and erase and anonymise it when it is no longer needed or when the data retention period has expired.
9. How do we store your information?
We have appropriate security measures in place to protect personal data, taking account of the nature of the data and the harm that might be caused if it were lost. These security measures will be tested regularly, assessed, and evaluated to ensure they maintain an appropriate level of security for personal data.
Personal data will be accessible only to those people who need to use it as part of their work. Unauthorised or unlawful access to, use or disclosure of personal data may lead to disciplinary action, and in some cases could be considered as gross misconduct. In serious cases, it could also be a criminal offence.
We will provide prompt and effective notification to the relevant supervisory authority and to data subjects, where necessary, in the event of a personal data breach. We will cooperate fully with any regulatory investigations that result from a breach.
10. Your rights under GDPR
Under the GDPR, you have a number of rights in relation to the processing of your personal information, each of which may apply to differing degrees depending upon the nature of the processing and the legal basis for it. You have the right to:
- Be informed as to how we use your data (via this privacy notice)
- Request access to (a copy of) the personal information that we hold about you.
- Correct inaccurate or incomplete data
- Request that we stop sending you communications.
In certain circumstances, you may have the right to:
- Ask to have your data erased.
- Request us to restrict the processing of your personal data.
- Request that data you provided electronically to us be returned in a data file
- Object to certain processing of your personal data by us
In some cases, there may be specific exemptions as to why we aren’t able to comply with some of the above. Where this is the case, we will explain the reasons why. To ensure that a record is not re-added to the system following a request for erasure, we will retain a skeleton record containing supporter ID, name, and supporter type to form a suppression record.
Please note that whilst the Advancement Team will do everything possible to respect your communications preferences, Newcastle University is a large, complex organisation. As a result, if you make another faculty, department, or school aware of your communications preferences, this information may not always get passed on to us to also update your record. Please ensure you contact Advancement directly to update your communications preferences in the way explained in this privacy notice.
In some instances, we may be required to contact you outside your preferences because we are legally obliged to do so (for example, to provide a Direct Debit Guarantee and/or Gift Aid confirmation) or in response to an action you have taken (for example, to post you a gift thank you letter and receipt, or tickets to an event you have registered for). Beyond any legal obligation or in response to a positive action by you, your contact preferences will always stand until you inform us otherwise.
In order to exercise any of the above rights, please visit: Access Your Personal Data.
11. Further information
To update your details, please complete the form on our website: Update Your Details
For any enquiries about this privacy notice, how we use your data, or to update your communication preferences, please contact advancement.data@ncl.ac.uk
If you would like to discuss this further, please contact us at rec-man@ncl.ac.uk. If you would like more information about how we manage personal data more generally, including your rights under law, and the contact details of the University’s Data Protection Officer, visit our Data Protection website.