Privacy Policy

Card Issue

For University members, cardholder details and entitlements are obtained from the University's staff and student databases.

The University will also issue UCards to non-members upon request from the Sports Centre, Library Services or suitably authorised University staff. Only the data required to identify the cardholder and print the UCard will be collected during the registration process. Additional entitlements: building access, library membership, etc. must be individually authorised and are held in their respective databases.

Photo upload

When you upload a photograph you may be asked to provide certain information about yourself such as your University logon id; student or UCAS number, date of birth and name before you are able to proceed with using the Photo Upload facility.

Your image data is classified by the University as "confidential" and as such will only be visible to some authorised members of the University. You can choose not to provide information, although this will require you to attend Royal Fort Lodge to have your photo taken and card produced

Information we collect

Each time a UCard is used to enter or exit a building or controlled location we record the following information;

  • Badge no.
  • Date and time
  • Reader identification code

Biometric data

For those members of staff to whom it applies, fingerprint images are not be retained as part of the enrolment process. A number is created after taking a fingerprint image and stored on the UCard alone (not on central University systems). When a finger is presented to the reader the number is recalculated and checked against the number on the card. No biometric information is held by the University.

How we use the information we collect

The information is used for administrative purposes, e.g. to report on the total number of visits through any given door or controlled location. Your image data is stored on the University's central systems and may also be accessed for the purpose of identification and for security.

UCard data and access control data may not be used by the University's Faculties and Departments except to satisfy statutory obligations (including the University's duty of care to staff and students under health and safety legislation) or for investigation into criminal procedures. Exceptionally, personalised data may be accessed where there is an investigation into a criminal act or or suspected abuse of access privileges.

How we handle the information we collect

Data protection

The University is your data controller. As your data controller the University has notified its activities to the Office of the Information Commissioner as required under the Data Protection Act 2018 (the "Act") and is listed in the Public Register of Data Controllers.

  • Personal data will be collected and/or processed in accordance with the Data Protection Act 2018.
  • Personal information held on the UCard database will be treated confidentially and will only be used for the purposes of UCard facilities and administration.
  • UCard system managers and administrative staff will ensure that UCard data is only used for its intended purpose.
  • Information relating to an individual's health will usually constitute Sensitive Personal Data under the Data Protection Act, and will therefore be subject to additional safeguards when processed. 

Disclosure of your information

Personal information may be used by University departments to enable members of staff and students to access University facilities and services.

Personal information will not be extracted or shared with other university staff or systems without an explicit request to the Card Services manager or his/her representative and the Secretary/Director of Legal Services or his/her representative.

Any access preferences specified by the cardholder, held in the card, may only be made available to an authorised member of the University staff.

Data retention

Unless specifically requested, for legislative or academic reasons, personal UCard data and visit data will be removed from the system 90 days after card expiry.

Freedom of information

All freedom of information requests should be submitted to the University’s Information Rights Officer, or his/her representative.

Access to your personal data

If you wish to obtain any personal data in relation to your UCard, please make a subject access request via the Secretary's Office.

How to contact us

For any queries you may have in connection with this privacy policy, please contact:

Information Governance Manager, Beacon House, Queens Road, Bristol, BS8 1QU

Email: data-protection@bristol.ac.uk.