This Privacy Notice is a statement of the practices of the University of Malta (‘UM’) in connection with the processing of personal data and the steps taken by UM to protect personal data and safeguard an individual’s right to privacy.
This Privacy Notice explains the following:
The data we collect from you will be used by the UM in accordance with the purposes outlined in this Privacy Notice. We collect personal data via website forms, written application forms and documents, email and phone enquiries, research studies and surveys. We also collect information via third parties such as: Junior College; the Authority responsible for regulating further and higher educational institutions and education providers; Jobsplus; the National Research Statistics Office; Identity Malta; the Ministry responsible for Education; the Ministry responsible for Justice; the Ministry responsible for Equality; research partners; and international affiliates.
UM process data relating to students as detailed in the table below. Personal data and special categories of personal data may be collected directly from students who avail of specific services offered by UM e.g. the ACCESS Disability Support Unit, Counselling Services, UM Alumni. If you provide the UM with your data for these purposes, then specific information on data protection will be provided at the point of collection.
Application
Category: Administrative
Legal basis for processing:
Enrolment
Category: Administrative
Legal basis for processing:
Administration of your education
Category: Administrative
Legal basis for processing:
Administration of UM policies
Category: Administrative
Legal basis for processing:
Administration and provision of UM email address and IT services
Category: Administrative
Legal basis for processing:
Personal Email
Category: Administrative
Legal basis for processing:
Administration and provision Library services
Category: Administrative
Legal basis for processing:
Provision of data to the Ministry for Education, the Authority responsible for regulating further and higher educational institutions and education providers, Jobsplus, the National Research Statistics Office, the National Audit Office, Junior College, research partners and international affiliates.
Category: Administrative
Legal basis for processing:
The provision of data to Identity Malta to support visa applications for international students
Category: Administrative
Legal basis for processing:
To provide student ID cards
Category: Administrative
Legal basis for processing:
Face-to-Face and Online synchronous teaching and learning (hybrid learning).
Category: Administrative
Legal basis for processing:
Audio and Video recording of UM classes, including lectures, tutorials, seminars, workshops and practicals
Category: Academic
Legal basis for processing:
Academic assessment and supervision and monitoring of attendance, including remote assessment and supervision
Category: Academic
Legal basis for processing:
Graduation and granting of awards, including online graduation
Category: Academic
Legal basis for processing:
Processing of appeals, complaints and disciplinary issues
Category: Administrative
Legal basis for processing:
Administration of research programmes and funding
Category: Academic
Legal basis for processing:
Administration of placements
Category: Academic
Legal basis for processing:
Surveys, submission forms and student feedback
Category: Academic
Legal basis for processing:
The provision of medical, counselling and disability and equality services
Category: Student Services
Legal basis for processing:
The provision of reasonable accommodations
Category: Student Services
Legal basis for processing:
The provision of careers services and mentorship
Category: Student Services
Legal basis for processing:
The use of sports and recreational facilities.
Category: Student Services
Legal basis for processing:
The provision of UM accommodation
Category: Student Services
Legal basis for processing:
If necessary due to a medical emergency
Category: Duty of Care
Legal basis for processing:
The protection of vital interests
Category: Duty of Care
Legal basis for processing:
The protection of public health
Category: Duty of Care
Legal basis for processing:
Processing and recovery of fees and payments
Category: Financial
Legal basis for processing:
The administration of campus CCTV for security
Category: Health & Safety; Protection of Assets
Legal basis for processing:
Provision of a safe environment for educational activities
Category: Health & Safety; Protection of Assets
Legal basis for processing:
Vetting for placements on specific courses
Category: Academic; Legal
Legal basis for processing:
For the purposes of criminal investigations
Category: Legal
Legal basis for processing:
Exercise or defence of legal claims
Category: Legal
Legal basis for processing:
Provide information about UM events and activities.
Category: Communication and Promotion
Legal basis for processing:
Provide information about the Kunsill Studenti Universitarji (University Students’ Council).
Category: Communication and Promotion
Legal basis for processing:
Provide information about senate-approved Student Organisations
Category: Communication and Promotion
Legal basis for processing:
Retention of academic data and data of archival value in the public interest
Category: Archives
Legal basis for processing:
Provision of education and contact data to UM Alumni Office for the purposes of alumni engagement and fundraising.
Category: Alumni
Legal basis for processing:
Sharing of health data of students on clinical placement with placement providers as required in order to comply with Public Health Advice.
Category: Health & Safety
Legal basis for processing:
Provision of contact data to the Kunsill Studenti Universitarji (University Students’ Council)
Category: Students’ Council
Legal basis for processing:
We collect personal data for the purposes of recruitment and for the formation and administration of the contract of employment and employee relationship.
The detailed privacy notice for staff is available on the Human Resources website and is provided to new members of staff with their contract of employment.
Additional data may be collected from staff when they register to use other services within UM.
One of the objectives of UM is to carry out and support research. Where personal data is processed by UM for the purposes of research, detailed information about how personal data will be used will be provided to research participants prior to the collection of the relevant personal data or shortly after if the data is obtained from a third party. Where possible personal data collected for research purposes will be pseudonymised so that the participant is no longer identifiable.
The use of personal data for research will often involve sensitive personal data including health or genetic data and will therefore be subject to higher standards of security and protection which are reviewed by the University Research Ethics Committee - Data Protection (UREC-DP). This Committee reviews those research ethics applications which concern special categories of personal data (previously 'sensitive personal data') which are approved by the Faculty Research Ethics Committees (FRECs).
We collect data from members of the public in order to respond to enquiries, process transactions, administer services and accept bookings for events. We may add your personal data to a relevant mailing list if you have made an enquiry in relation to a service and opted in to receive communications or if a transaction has taken place. In the event that we do record your data on a mailing list you will be provided with the opportunity to opt out from the outset of engagement. Moreover, in all our communications with you we will only send you information relevant to your initial enquiry or transaction.
Information on internet traffic is collected routinely by the University. This technical information is used to ensure the smooth running of the computer network in the University and for statistical or administrative purposes. It is not used to gather identifiable personal information on individual website visitors, except in so far as this is permitted by law and may be necessary in order to prevent or detect problems or offences in relation to the operation of the website.
This information is used for the sole purpose of statistical information gathering and demographics relating to the University websites, and enables us to determine general visitor patterns and pathways within our pages. This statistical data is then fed back into future design and usability modifications made to the University web pages.
Cookies are small pieces of information that a website can put on your hard drive in order for it to remember something about you at a later time. The information is in the form of a text file, which will only be understood by the website that initially set the cookie. The UM website uses cookies for certain applications, e.g. to remember your name when filling in online forms. A cookie is also used to anonymously track how visitors interact with the UM website, including where they came from and what they did. This is then used to ultimately provide a better online experience for all our audiences. You can stop your browser from exchanging cookies with web servers at any time by changing the settings in your web browser. For further information and control options in respect of the use of cookies please see the UM Cookie Policy.
We sometimes collect data from minors under the age of eighteen (18) years of age. Minors’ data is collected for the purposes of providing information on courses, examinations and admissions. We will also collect minors’ data when they access services offered by UM.
CCTV cameras are in operation on the UM campus in consultation in order to provide enhanced protection for students, staff and visitors as well as UM buildings and facilities in the context of an open campus. For further information please see the UM CCTV Code of Practice Privacy Statement.
Personal data is collected directly from individuals when accessing UM-controlled facilities via an Access Control System. This system is employed to provide a safe and secure environment at UM. Data processed by the system is also collected from other secure systems under the control of UM. Only the minimum and necessary data is processed for the purposes of the system. For further information please see the UM Access Control System Privacy Statement.
Photographs or videos of staff and students may be taken on Campus at official events such as graduation ceremonies, including online ceremonies. As a number of public events also take place on campus UM will frequently take photographs or video at these events which may be shared on the University website or social media accounts. Where the use of photographs or video may not be reasonably expected by individuals UM will seek consent to publish photographs or video where it is practical to do so. Individuals have the right to object to the use of their photograph and should contact the event organiser in the first instance or the UM Data Protection Officer.
In order for the use of personal data to be lawful, it should be processed on the basis of a legal basis as set out under Articles 6 and 9 GDPR.
UM will ensure that your data is processed fairly and lawfully in keeping with the principles of data protection and will process personal data under various legal bases depending on the purpose for which the data is collected.
Specific information on the legal basis for processing your personal data will also be provided at the point of collection of personal data. These may include:
Generally, when processing special categories of personal data UM will seek explicit consent for the processing of data except where another condition applies e.g. employment law, legal claims or medical diagnosis.
Any data we collect from you will be stored confidentially and securely as required by the University Data Protection Policy, Information Systems Security Policy and IT and Network Code of Conduct. The University is committed to ensuring that processing of University-controlled data is performed in a secure manner.
In keeping with the data protection principles, we will only store your data for as long as is necessary and in accordance with the University Records Management Policy and Records Retention Schedule.
When we store your personal data on our systems the data will primarily be stored either on the UM premises and secure IT platforms within the European Economic Area (‘EEA’) which are also subject to European data protection requirements.
We may store or share your data outside the EEA in the following circumstances:
UM will only share your data with third parties where necessary for purposes of the processing and where there is a legal basis to do so.
The University may share relevant personal data with the following categories of third parties:
When we share your data with the third parties outlined here the UM will endeavour only to share the data that is needed, that the data is only processed according to our specific instructions and that the same standards of confidentiality and security are maintained. Once the processing of the data is complete any third parties with whom data was shared will be required to return the data to the UM or to destroy it, save where they are required to retain it by law.
One of the functions of the UM is the curation of the University Archives, which comprise the University’s administrative, legal and historical records of archival value. The University will process personal data of archival value in accordance with article 6 of the Data Protection Act Cap. 586 [PDF] of the Laws of Malta, which permits that personal data of archival value in the public interest may be retained. Personal data retained by the UM for archival purposes in the public interest will be stored and secured in accordance with the principles of data protection.
Individuals are entitled to certain rights under GDPR. These rights apply to the processing of personal data, which is defined under the GDPR as ‘any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.’
You have the following rights over the way we process your personal data:
You have the right to request a copy of the personal data we are processing about you and to exercise that right easily and at reasonable intervals.
Under article 15 of the GDPR individuals have the right to access their personal data that is under the control of UM. Responses to access requests will be issued within one (1) month unless an extension is required.
To access your personal data:
You have the right to withdraw your consent where that is the legal basis of our processing.
You have the right to have inaccuracies in personal data that we hold about you rectified.
You have the right to have your personal data deleted where we no longer have any justification for retaining it subject to exemptions such as the use of anonymised data for scientific research.
You have the right to object to processing your personal data if:
You have the right to restrict the processing of your personal data if:
Where it is technically feasible you have the right to have a readily accessible electronic copy of your data transferred or moved to another data controller if we are processing your data based on your consent and if that processing is carried out by automated means.
For further information regarding your rights contact the University Data Protection Officer at dpo@um.edu.mt.
UM is required by law to appoint a Data Protection Officer.
The role of the Data Protection Officer is:
If you have any queries relating to the processing of your personal data or if you wish to make a complaint or escalate an issue relating to any of your rights you can contact the Data Protection Officer at: dpo@um.edu.mt
If you are not satisfied with the information we have provided to you in relation to the processing of your data you can raise a concern with the Information and Data Protection Commission or contact the Commission at: idpc.org.mt/contact