Data protection privacy notice for affiliates

This is a summary of how we protect your personal data and respect your privacy. This notice is for Affiliates, including guests, visitors, contractors, consultants, agency workers, collaborative partner staff, honorary staff, other collaborators from another institution.


How we collect your information

We collect your personal data directly from you during your engagement. We may also collect data from other sources including:

  • third party recruitment agencies;
  • referees, former employers, schools, colleges and universities;
  • university procedures, for example, when you connect to systems.

What types of information we collect

We may collect the following types of personal data about you:

Personal details

  • including name, date of birth, contact details.

Contractual information

  • contracts for services;
  • expenses and travel arrangements;
  • bank or building society account details;
  • correspondence between the University and third parties on your behalf;
  • correspondence between you and the University;
  • investigations into breaches of university policies and procedures.

Special category data

  • health-related information relevant to your engagement, for example, details of any disclosed disability and reasonable adjustments.

Academic and professional data

  • audio and/or video recording data of lectures, presentations and workshops;
  • workload, work allocation and financial information;
  • module evaluation data (for teaching staff only).

Other data

  • health and safety records (for example, accident reports);
  • information generated through your use of the University's digital systems (for example, MAC address, location and device information).

How we use your information

We process affiliate personal data for the following purposes:

To manage your contract with us

  • to enable affiliates to undertake their roles in teaching, research and administration (for example, to process and make available teaching timetables);
  • to enable use of and access to university systems and facilities;
  • to pay for your services into your bank account;
  • to handle claims in relation to insurance (for example, travel insurance for student trips);
  • ensuring your safety and security including the use of CCTV;
  • mobile trail cameras may be present on site for wildlife and conservation monitoring. Footage that shows illegal or inappropriate human activity may be passed to relevant authorities.

To comply with data protection laws

  • to respond to freedom of information and subject access requests.

To manage and lead the University

  • to inform strategic decision making;
  • to publish staff directories of basic contact details;
  • to review staff and University performance.

What legal basis we have for processing your information

We have identified appropriate legal bases for processing information as follows:

For a contract

We process some of your information because it is necessary for the performance of a contract with you, for example, to manage your contract for services with us and deal with any queries you may have.

Legal obligation

We process some of your information in order to comply with data protection laws.

Legitimate interests

We process some of your information because it is necessary for our legitimate interests, for example, to manage and lead the university.

Who we share your information with

We may share some of your personal data with:

Other Kingston University employees

  • employees of Kingston University only where they have legitimate need to access the data.

Other third parties

  • third party suppliers (for example, our travel booking partner, providers of software-as-a-service for university processes).

In all cases access will be restricted to individuals with the appropriate permissions and duty of confidentiality.

How long we keep your information

We keep your personal data only for as long as is necessary. Affiliate data will generally be retained after the end of the contract for the current tax year plus 6 years.

For full details you can access the University retention schedule on our website at policies and regulations.

Data will be anonymised or securely destroyed at the end of its retention period.

Your rights

Under the GDPR and the Data Protection Act 2018, you have the following rights:

  • to access the personal data we hold about you;
  • to require us to correct the personal data we hold about you;
  • to require us to erase your personal data;
  • to require us to restrict our data processing activities (and, where our processing is based on your consent, you may withdraw that consent, without affecting the lawfulness of our processing based on consent before its withdrawal);
  • to receive your personal data, which you provided to us, in a structured, commonly used and machine-readable format and the right to transmit that data to another controller;
  • to object to any of our particular processing activities where you feel this has a disproportionate impact on your rights;
  • to not be subject to a decision based solely on automated processing, including profiling, which has a legal effect on you.

Please note that the above rights are not absolute and we may be entitled to refuse requests where exceptions apply.

Your responsibilities

When considering your personal data, affiliates should ensure that the information that you have provided to the University remains accurate and up to date. You should inform the University as soon as possible if details, such as your address, change. Some affiliates can make changes to personal details online via Unified.

When handling other people's personal data, affiliates are required to maintain confidentiality and abide by the GDPR principles. These responsibilities are set out in our Data Protection Policy.

Who to contact

If you have any queries about this privacy notice or how we process your personal data, or you wish to request access to the personal data we hold about you, please speak to your line manager or a member of HR first.

If you then wish to exercise your rights as a data subject, please use the Data Subject Request form on our website under policies and regulations.

If you have further questions, please email

If you are not satisfied, you can make a complaint to the Information Commissioner. You can find out more about your rights under data protection legislation from the Information Commissioner's Office website.

Changes to this privacy notice

This privacy notice will be updated on an annual basis. If we make any significant changes in the way we treat your personal information we will make this clear on the Kingston University website or by contacting you directly.

Kingston University is the data controller of your personal data and is subject to data protection legislation, the General Data Protection Regulation (GDPR), Data Protection Act (DPA) 2018 and Privacy and Electronic Communications Regulations (PECR). We are listed on the Information Commissioner's Office (ICO) register of fee payers.

You can find privacy notices and other relevant policies on our website under policies and regulations.