University of Manchester: Privacy Notice relating to ClearPass

ClearPass is the halls of residence network management system that residents register with to connect to the internet from their halls of residence and forms part of the Hornet service.

1. Introduction
   1. This privacy notice relates to residents using the Wired and Wireless Internet access within halls of residence (AKA HORNET) detailed in appendix A. The notice specifically relates to data held by the management module for this system, ClearPass, provided by Aruba Networks Ltd.
2. What is personal data (also known as personal information)?
   1. Personal information means any information which relates to or identifies you as an individual and includes opinions about you or information which may not explicitly identify you (e.g. where your name has been removed) but which nevertheless does identify you if it is combined with other information that is readily available.
3. How does this notice relate to other information about data protection?
   1. The ClearPass system does not use personal data from any other University system.
4. Who will process my personal information?
   1. Personal information will be used by the HORNET team to provide user support to those on the HORNET system, and in order to remain compliant with the Regulation of Investigatory Powers Act 2000.
5. What personal information will you process?
   1. The University needs to collect, maintain and use the following personal data relating to or about you:
      1. University Username
      2. IP Address(es) of any device(s) registered to access HORNET
      3. MAC Address(es) of any device(s) registered to access HORNET
6. What is the purpose of the processing under data protection law?
   1. We will only use your personal information when the law allows us to do so by providing us with a legal basis or valid condition. Most commonly, we will use your personal information in the following circumstances:
      1. The data subject has given consent to the processing of their personal data for one or more specific purposes;
      2. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
7. Can you provide examples of processing?
   1. Processing this data allows us to manage all wired and wireless accounts registered within halls of residence detailed in appendix A.
8. What constitutes “Special Category Data”?
   1. The University will also process some information about you that is considered more sensitive and this is referred to as ‘special category’ personal data in the General Data Protection Regulation and Data Protection Act 2018. When we process this type of information, we are required to apply additional protections. Special category personal data is defined as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life and sexual orientation, genetic data and biometric data which is processed to uniquely identify a person. In the UK this also includes any personal information relating to criminal convictions.
9. How will you process my Special Category personal information?
   1. We will only process special category personal information in certain situations in accordance with the law. For example, we can do so if we have your explicit consent and, in some circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do, we will provide you with full details for the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent, which you can withdraw at any time.
10. Who will my personal information be shared with?
    1. Data will be held on servers managed by ROC Technologies Ltd. In order to facilitate the management of registered wired and wireless accounts.
11. What are my rights in connection with my personal information?
    1. Under certain circumstances, by law you have the right to:
       1. Request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it
       2. Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected
       3. Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing
       4. Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes
       5. Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it
       6. Request the transfer of your personal information to another party
    You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances. We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it. If you would like to exercise any of these rights, you should contact the University Data Protection Officer by email: dataprotection@manchester.ac.uk. Alternatively you can write to The Information Governance Office, University of Manchester, Christie Building, Oxford Road, Manchester M13 9PL. Further information about your rights is available from the University’s data protection web pages.
12. How long is my information kept?
    1. Device data will be deleted after one year.
    2. User account data will be deleted after one year.
13. Who can I contact if I have any queries?
    1. If you have any questions about how your personal information is used by the University as a whole, or wish to exercise any of your rights, please consult the University’s data protection webpages at [insert link]. If you need further assistance, please contact the University’s Data Protection Officer (dataprotection@manchester.ac.uk)
14. How do I complain?
    1. If you are not happy with the way your information is being handled, or with the response received from us, you have the right to lodge a complaint with the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, SK9 5AF (https://ico.org.uk).
15. Are changes made to this notice?
    1. We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information – 10th June 2019.

Apendix A – List of UoM halls:

1. Ashburne Hall
2. Burkhardt House
3. Canterbury Court
4. Dalton Ellis Hall
5. George Kenyon Hall
6. Horniman House
7. Hulme Hall
8. Oak House
9. Owens Park
10. Richmond Park
11. Sheavyn House
12. St Anselm Hall
13. Unsworth Park
14. Uttley House
15. Whitworth Park
16. Woolton Hall