DANCOP Privacy Policy

Privacy Policy

This page explains how and why we collect and use your data.
We are committed to keeping your data secure and will only use it for the purposes described below.

Section 1 – Who we are

The Derbyshire and Nottinghamshire Collaborative Outreach Partnership (DANCOP), based at the University of Derby, is committed to protecting the privacy and security of the personal information we collect. This privacy policy explains how we collect and use your personal information when you take part in our activities and events in accordance with the UK General Data Protection Regulation (UK GDPR).

The University of Derby, on behalf of the DANCOP project and hereafter referred to as “DANCOP,” is the ‘Data Controller’ of the personal data we hold about you. This means that we are responsible for deciding how we hold and use the personal information we hold. We are required under data protection legislation to notify you of the information contained in this privacy policy.

Section 2 – Changes to this policy statement

This privacy policy is reviewed on a regular basis and may be updated at any time. This page will always contain the latest version of our privacy policy.

This version was last updated on 1st July 2025.

It is important that you read this privacy policy, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.

Section 3 – The data we collect

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

Special category data is more sensitive personal data, which requires a higher level of protection.

We may collect, store, process and share the following categories of personal information about you:

Learners

  • Full name
  • Postal address
  • Name of school or college you attend
  • Date of Birth
  • Gender
  • Next of kin and emergency contact details
  • Email address
  • Your current or past eligibility for Free School Meals
  • Whether your parents/carers have served in the Armed Forces
  • Care status
  • Young carer status
  • Quotes; which may be taken by hand or with use of an audio recordings; but only where prior consent has been given by you
  • Your residential status

    • We may also collect, store and process the following ‘special categories’ of more sensitive personal information:

  • Your ethnicity
  • Details of disability or relevant medical condition

    • Teachers and advisors

  • Full name
  • Name of school or college you work at
  • Relationship to attending learners, and job title
  • Email address used for work purposes
  • Quotes; which may be taken by hand or with use of an audio recordings; but only where prior consent has been given by you

    • Parents and carers

  • Full name
  • Address
  • Telephone number
  • Name of school or college your child/dependent attends
  • Email address

    • Section 4 – How we collect personal data

    Most of the personal data we collect and process is provided to us directly by you through one of the following methods:

    Learners

  • Completion of evaluation forms at the activities you take part in;
  • Completion of HEAT data collection forms (see Section 4a) before or during activities you take part in. This will be completed by your parent/guardian if you are aged 13 or under;
  • Completion of additional information forms for taking part in certain events, such as residential events
  • Completion of media consent forms where there may be photographs or film footage taken of you. These will be completed by your parent/guardian if you are aged 13 or under;
  • From your communication with DANCOP, for example if you contact us by email, telephone, or via social media;
  • Directly from the school or college you attend where an appropriate Data Sharing Agreement is in place;
  • When taking part in a focus group or case study interview, which may include audio recordings of your voice, when you (or your parent/carer) have given prior consent to be involved.

    • Teachers and advisors

  • Completion of evaluation forms at the activities you attend;
  • From your communication with DANCOP, for example if you contact us by email, telephone, or via social media.
  • Completion of ad hoc digital surveys produced by DANCOP, which may seek your opinion or knowledge on appropriate subjects, to help inform our support offering and practice. This may include cases where we ask for your consent to contact you in the future.
  • When taking part in a focus group or interview, which may include audio recordings of your voice, when you have given prior consent to be involved.

    • Parents and carers

  • Completion of evaluation forms at the activities you attend;
  • From your communication with DANCOP, for example if you contact us by email, telephone, or via social media;
  • Completion of additional information and consent forms allowing your child/dependant to attend certain events, such as residential events, or where there may be photographs or film footage taken of your child/dependent.
  • Completion of consent forms allowing your child/dependent to take part in focus groups or case study interviews.

    • Section 4a – HEAT

    As a condition of our funding, we use the HEAT monitoring and evaluation database to track the educational journey of the learners we work with, and as a tool to evaluate our work.

    You may be asked to complete a HEAT data collection form before or at an activity you take part in, or your parents/guardians may be asked to do so on your behalf if you are under 13. We may also ask for this data to be provided directly by your school or college, where an appropriate Data Sharing Agreement is in place.

    Please see here for more information about
    HEAT’s Privacy Notice     and HESA’s privacy notice with whom we share data.

    Tracking data previously collected via an EMWPREP data collection form or through a school data sharing agreement will be transferred to the HEAT database to support continued tracking and reporting. This is due to the closure of EMWPREP. Your data will continue to be processed in accordance with UK GDPR and the Data Protection Act 2018.

    Section 5 – How we use the personal data we collect

    We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • To prove to our funders, the Office for Students and Department for Education, that we are working with the people that our funding is provided for;
  • To prove the impact of the work we are doing;
  • To track the educational journey of the learners we work with, and to measure the impact of the activities they take part in;
  • To ensure the safety of learners when attending certain activities, such as residential events (staying over at one of our universities), or events where we take learners away from their school or college;
  • Where you have explicitly agreed to a particular use of your data (consent);
  • To communicate effectively with you by email or phone, where you have agreed to be contacted, including but not limited to the distribution of relevant newsletters and evaluation forms.

    • Legal basis for processing
    For tracking engagement on activities and longitudinal evaluation through linking HESA datasets to HEAT tracking data, DANCOP collects and processes personal information under the legal basis of Article 6 (1) (e) Public Interest; and special category data under Article 9 (2) (j) Research purposes or Article 9 (2) (g) reasons of substantial public interest. This means that the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority (Office for Students and Department for Education).

    For short and medium term evaluation, for example surveys, and permission to contact stakeholders, DANCOP collects and processes personal information under the legal basis of Article 6 (1) (f) Legitimate Interest. This means that the processing is necessary to pursue our legitimate interests in delivering and evaluating programmes, balanced against individuals’ rights, in line with UK GDPR.

    For media permissions, activity application forms, marketing consent, and consent to participate in focus groups and interviews, DANCOP collects and processes personal information under the legal basis of Article 6 (1) (a) Consent; and special category data under Article 9 (2) (a) Explicit Consent. This means the processing is based on the individual’s explicit consent, given freely and specifically, including for special category data, in accordance UK GDPR.

    If you fail to provide personal information
    If you fail to provide certain information when requested, we may not be able to allow you or your child/dependent to take part in certain activities.

    Change of purpose
    We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

    Automated decision making
    Automated decision making takes place when an electronic system uses personal information to make a decision without human intervention. DANCOP do not use automated decision making.

    Incentives
    From time to time, DANCOP may offer learners incentives to complete surveys relating to activities they have taken part in, or resources they have accessed. This will not affect any of their rights as outlined in Section 9 of this notice.

    Section 6 – Data sharing

    We may have to share your data with third parties, including third-party service providers. We require third parties to respect the security of your data and to treat it in accordance with the law.

    Your data will not be transferred, stored or processed outside of the EU, in accordance with the UK GDPR.

    We may share the personal information we collect and process with one or more of the following receiving organisations:

  • The Office for Students, and Department for Education (who fund our activities);
  • The Higher Education Access Tracker (HEAT);
  • Our partner universities; University of Derby, Nottingham Trent University and University of Nottingham.
  • The schools and colleges that the learners we work with attend;
  • The Local Authorities of the schools and colleges that the learners we work with attend;
  • Selected third party activity and service providers working in association with DANCOP;
  • The national evaluators of our programme, CFE Research, and Transforming Access and Student Outcomes in Higher Education (TASO);

    • Section 7 – Data storage and retention

    How do you store my data?
    Your data is securely stored as follows:

    Physical data (paper-based):

  • Locked filing cabinets in secure access-controlled buildings at the University of Derby. Access to physical data is restricted only to those who need access.

    • Electronic data:

  • Stored on secure, restricted-access institutional drives; or on institutionally owned and controlled cloud services such as Microsoft OneDrive and Microsoft SharePoint.

    • How long will you use my data for?
    We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

    Details of retention periods for different aspects of your personal information will be stated on each data collection form and in the Data Retention Schedule. Tracking data that is shared with HEAT will be held for 15 years from the year participants are ready to enter higher education.

    To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

    In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

    Once we no longer need the personal data we have collected or have reached the date of deletion as outlined in our privacy notices, it will be securely destroyed or deleted.

    Section 8 – Data breaches

    DANCOP is committed to protecting the privacy and security of the personal information we collect and process and take this responsibility very seriously. We have a robust data breach reporting process in place, of which all University staff members are aware.

    Details of our security measures can be found in the University’s Data Protection Policy.

    Any data breaches or suspected data breaches are reported to GDPR@derby.ac.uk If appropriate, this will be escalated to the University DPO and, where necessary, the ICO).

    Section 9 – Your rights

    Under the UK GDPR, individuals have the following rights:

    Request access to your personal data – You have the right to request a copy of the personal data we hold about you, often referred to as a “subject access request.” This allows you to check that we are processing your information lawfully.

    Request a correction – If you believe the personal data we hold about you is inaccurate or incomplete, you can ask us to update or correct it. We may need to verify the accuracy of any new information you provide.

    Request deletion – You can ask us to delete or remove your personal data where there is no valid reason for us to continue processing it. This right also applies if you’ve successfully objected to processing, if we have used your data unlawfully, or if deletion is required to comply with legal obligations. Please note that in certain cases, we may not be able to fulfil your request due to specific legal reasons, which we will inform you of at the time.

    Object to processing – You have the right to object to our processing of your personal data when it is based on our legitimate interests (or those of a third party), particularly where you feel it affects your fundamental rights and freedoms. You can also object to your data being used for direct marketing. In some situations, we may demonstrate compelling legitimate grounds to continue processing your data.

    Request restriction of processing – You may ask us to limit the use of your personal data in the following circumstances: (a) while we verify its accuracy; (b) if the data is being used unlawfully but you do not want it deleted; (c) if you need us to retain it to establish, exercise, or defend legal claims; or (d) if you have objected to its use but we are considering whether we have overriding legitimate grounds.

    Request data portability – You can request that your personal data be provided to you or a third party in a structured, commonly used, and machine-readable format. This right applies only to automated data that you initially gave us consent to use or where the data was necessary for performing a contract with you.

    Withdraw your consent – Where we rely on your consent to process personal data, you can withdraw that consent at any time. This does not affect the lawfulness of any processing done before your consent was withdrawn. We’ll let you know if withdrawing consent will affect the services we can provide.

    Section 10 – Contact and Data Protection Officer details

    You can contact DANCOP directly with any queries relating to this notice, using the details below:

    Data, Evaluation and Impact Managerdancopdata@derby.ac.uk
    You can contact DANCOP directly with any queries relating to this policy

    GDPR TeamGDPR@derby.ac.uk
    You can contact the University’s GDPR team with any queries relating to your data

    Data Protection OfficerDPO@derby.ac.uk
    You can contact the University’s Data Protection Officer with any data protection queries.

    Full details of the University of Derby Information Governance and Security Policy and the Data Protection Policy to which we are required to adhere can be found here.

    If you are unsatisfied with the way in which we process your personal data, we ask that you let us know so that we can try to put things right. If we are not able to resolve issues to your satisfaction, you have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. ICO contact details: www.ico.org.uk