Privacy Notice for Capita Disabled Students’ Allowance Service

At Capita, we’re committed to ensuring that your personal information is protected. Your privacy is important to us and right at the heart of our business.

Please note, Capita is contracted by the Student Loans Company (SLC) to deliver services for the Disabled Students’ Allowance (DSA). Information processed relating to DSA is owned and controlled by the SLC and for parts of the services detailed below, also by Capita Business Services Ltd, part of Capita plc. SLC manages your data in accordance with its privacy notice found at https://www.gov.uk/help/privacy-notice. Any data controlled by Capita plc is covered by the privacy notice below. Any requests to exercise your GDPR rights or request a subject access request for data processed under DSA, should be directed in accordance with each Controller’s privacy notice instructions.

Capita’s privacy notice describes how we process i.e. collect, organise, host, structure, modify, use, combine, handle, share, access and look after your personal information when using our systems, websites, or engage with us via email or telephone.

1.    Data Controller of your personal information
The Privacy Notice set out below is issued by Capita plc so when we mention “Company”, "we", "us", "our" or “Capita” in this privacy notice, we are referring to Capita plc who is the data controller of your personal data and responsible for how we hold and use personal information about you. We are committed to ensuring the privacy and security of your personal information while providing Disabled Students’ Allowance (DSA) services.

2. Purpose of Processing 
Your personal data is used to:

  • Manage and administer the DSA service, ensuring you receive the appropriate support
  • Assess eligibility and process applications for DSA;
  • Maintain communication with you about your DSA application and related support or technology services
  • Facilitate necessary assessments for disabled students to determine support needs
  • Enhance and monitor service delivery and customer satisfaction

3. Data Protection Principles 
To help you understand how we handle your personal information, below is a summary of the data protection principles which guide how we use your personal information. These principles provide that personal data should be:

  • Used lawfully, fairly and in a transparent way
  • Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes
  • Relevant to the purposes we have told you about and limited only to those purposes
  • Accurate and kept up to date
  • Kept only as long as necessary for the purposes we have told you about
  • Kept securely

We have put policies, procedures and standards in place to seek to adopt these principles in our everyday processing activities set out in this Privacy Notice.

4. Information we hold about you 
To provide you with effective Disabled Students’ Allowance (DSA) services and manage our relationship with you, we collect various types of personal information, which include but are not limited to:

  • Personal Identifiers and contact details: your full name, date of birth, contact details (home, term-time, and email addresses; telephone and mobile numbers)
  • Health Information: details regarding your disability type, medical reports (provided either by the SLC or directly from yourself) and disability assessment outcomes
  • Educational Information: Course title, code, institution, and start/end dates of study and any previous support received
  • Communication Records: Details of your interactions with us, including call recordings, emails, and written communications, which help in improving service quality and assessing service impact
  • Communication preferences: details on how you wish to be contacted, language preferences
  • Third party details: details of other individuals contact information (i.e. parents, guardians)
  • Consent Records: Records of any consents you have given, along with the date, time, and related details including third party consent details
  • Financial Records: details of purchases for equipment and purchase logs/payments made

We collect this data through various means, including direct submissions from you via application forms, communications during service provision, and through data sharing and processing agreements with the Student Loans Company (SLC).

5. How We Collect Your Data
We use various methods to collect personal data from and about you to ensure the effective administration of the DSA service and to provide related services. These include:

  • From the Student Loans Company (SLC) - via your DSA1 and DSA2 forms, assessments and instructions;
  • Direct from you – either by you contacting Capita for a DSA assessment or technical equipment and training via telephone, email or via our website portal and support services.
  • Third parties – we may receive information through one of our suppliers regarding training or equipment services provided to you and when processing payments for additional equipment or upgrades, and, therefore, we will collect and store your personal data as part of our legal obligation for business accounting and tax purposes.
  • Automated technologies or interactions. As you interact with our website we may automatically collect technical personal data about your equipment, browsing actions and patterns which might be used with other identifying data to establish other personal information about you. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive technical personal data about you if you visit other websites employing our cookies. Please see our Cookie Policy for further details. 

6. Lawful Basis for Processing 
We will only process your personal information where we are satisfied that we have an appropriate lawful basis to do so. We will rely upon different lawful bases for processing according to our relationship with you and for the purposes for which we collect it, and may process your personal data for more than one lawful ground, these include:

  • Legitimate interest – to fulfil the DSA services as contracted by the SLC including the operating of assessments, sending of equipment, management and arrangement of training and support services, administration of our services to you and our online services, including quality improvements, system maintenance.
  • Your explicit consent to process special category data (health and disability information and for contact purposes), which can be withdrawn at any time – however, this will impact ours and SLC’s ability to provide you with the DSA services and support.
  • The performance of our contract with you when you purchase equipment from us.
  • Fulfil our legal obligations for when processing any financial purchases you make with us for equipment or equipment upgrades.

7. Sharing Your Information 
We share your data with:

  • We do not share or disclose any of your personal information without your consent, other than for the purposes specified in this notice, where there is a legal requirement or as part of a data sharing agreement. Capita do not transfer your data outside of the European Economic Area (EEA) and will always ask for consent if this becomes a requirement.
  • We utilise the below processors/controllers who act on our behalf to provide the below business functions and services. They act in accordance with instructions from us and comply fully with this and their own privacy notice, the data protection laws and any other appropriate confidentiality and security measures.
  • Capita also process your data which is managed and hosted securely, with backups taken daily. Capita ensures your data will be secure protected and monitored and will not share or disclose your data without your explicit consent.
  • Third-party service providers, including Salesforce, Inc., which provides customer relationship management solutions. Salesforce processes data under strict confidentiality and data protection standards. For more information about Salesforce’s data handling practices, please visit their privacy policy.

8. Data Retention 
Capita only ever retains personal information for as long as is necessary and we have strict review and retention policies in place to meet these obligations. We are required under the Quality Assurance Framework to keep your personal data for a minimum of six years, after which time it will be destroyed. 

9. Your Rights 
Under data protection laws, you have several rights regarding the use and control of your personal data. These rights are designed to give you confidence and power over the information we collect and process. Here are the rights you can exercise at any time:

  • Right of Access: You have the right to request a copy of the personal information we hold about you, often referred to as a 'subject access request'. This allows you to know exactly what information we have about you and check that we are processing it lawfully.
  • Right to Rectification: If the personal data we hold about you is inaccurate or incomplete, you have the right to request that we correct or complete it.
  • Right to Erasure (‘Right to be Forgotten’): You have the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing. This right is also applicable if you withdraw consent or object to processing and there is no overriding legitimate interest to continue processing.
  • Right to Restrict Processing: You have the right to request the suspension of the processing of your personal data, for example, if you want us to establish its accuracy or the reason for processing it.
  • Right to Data Portability: This right allows you to obtain and reuse your personal data for your own purposes across different services. It allows you to move, copy, or transfer personal data easily from one IT system to another in a safe, secure way, without hindrance to usability.
  • Right to Object: You have the right to object to the processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
  • Right to Withdraw Consent at Any Time: Where the legal basis for processing your data is consent, you have the right to withdraw that consent at any time.
  • Right to Complain to a Supervisory Authority: You have the right to complain to a data protection authority about our collection and use of your personal data. For more information, please contact your local data protection authority.
  • Rights Related to Automated Decision-Making Including Profiling: You have the right to request human intervention or challenge a decision where processing is done solely by automated processes, affecting your legal rights.

To exercise any of these rights, please contact us using the contact details provided in this notice. It is important for us to confirm your identity before responding to any requests to ensure the security of your data.

10. Data Security 
Capita takes your privacy seriously and take every reasonable measure and precaution to protect and secure your personal data.

We work hard to protect you and your information from unauthorised access, alteration, disclosure or destruction and have several layers of security measures in place, including secure hosting of our website, anti-virus, firewall and malware protections on all device and networks, use of HTTPS, and strong passwords for members of staff. 

11. Cookie Policy
Our website utilises cookies to ensure the best user experience and to facilitate certain functions of the website. We do not use cookies for tracking purposes.

For a detailed list of the cookies used by our site, which is powered by Salesforce, please refer to the Salesforce Platform Cookies page. This page documents all cookies used on the Salesforce platform, ensuring transparency and control over your data privacy.

12. Profiling and Automated Decision Making
We sometimes may use automated decision-making processes in the administration of Disabled Students’ Allowance (DSA) services. These processes help us make decisions more quickly, fairly, and efficiently. Here is how and why we may use these technologies:

  • Automated Decision-Making: We use automation to assess eligibility and to process applications for DSA. This involves evaluating financial status, academic eligibility, and other criteria set forth by the relevant educational and government bodies. For example, our systems automatically determine your eligibility for certain types of financial aid based on the information provided in your application forms and from third-party sources.
  • Profiling: We may analyse your personal information to create a profile of your interests, preferences, and needs. This profiling helps us understand the demographic and educational backgrounds of our applicants to better tailor our services. However, decisions that have legal or significant effects on you will not be solely based on automated profiling.
  • Safeguards and Your Rights:
    • Transparency: We ensure transparency in our automated processes. You will always be informed when automated decision making is taking place.
    • Human Intervention: You can request human intervention if you disagree with an outcome or decision produced by automated means. This allows you to express your point of view and contest decisions.
    • Accuracy: We take precautions to ensure that the data used and generated by automated decision systems is accurate and up to date. You have the right to challenge the accuracy of your data.
    • Right to Opt-out: You can opt out of automated decision-making processes and profiling that are not necessary for the performance of the contract between you and us, especially where such profiling would have legal or similarly significant effects on you.

To exercise your rights related to automated decision-making or to obtain further information about how these processes affect you, please contact us using the contact details provided in this notice.

13. Data Protection Officer and ICO details
Capita’s Data Protection Officer (DPO) is Elvira English who can be contacted at privacy@capita.com
Capita’s registered address is First Floor, 2 Kingdom Street, Paddington, London, England, W2 6BD.

The Supervisory Authority is the UK Information Commissioner’s Office (ICO), www.ico.org.uk, and you have the right to make a complaint to them for data protection issues at any time. However, we respectfully request that you raise any concerns or complaints with our DPO in the first instance.

14. Changes to this Notice
We reserve the right to update this Privacy Notice as necessary. All updates will be posted on our website and, if significant, will be communicated directly to you.