Learnwise AI Assistant for the Student Centre privacy notice

This privacy statement explains how the University of Westminster processes personal data when you use the Learnwise AI Assistant integrated within our public-facing website pages. We are committed to protecting your privacy and complying with data protection legislation.

What is Learnwise AI Assistant?

The Learnwise AI Assistant is an AI Assistant designed to provide 24/7 support to students. It appears on selected public web pages on www.westminster.ac.uk, specifically pages related to student services and support, to answer questions about university services in specific student support areas including Wellbeing, Finance, Careers, and Academic Regulations using publicly available university content.

Legal basis for processing

We process personal data under the legal basis of public task – the processing is necessary for the University to perform its educational functions and provide student support services in the public interest.

What personal data do we collect?

No personal data is automatically collected

The AI Assistant does not require registration, login, or automatically collect any personal information. Access is completely anonymous.

Unique session identifiers

Each chat session is assigned a unique session ID for internal diagnostic tracking purposes only. This ID is not linked to your personal identity unless you voluntarily provide identifiable information in your messages.

Data you may provide

If you choose to include personal information in your questions or messages to the AI Assistant, this data may be processed. This could include:

• Names, email addresses, or student numbers you mention in your queries.
• Any other personal details you voluntarily share in your messages.

Important warning: Please do not share sensitive personal information, financial details, health information, student numbers, or other confidential data in your conversations with the AI Assistant. 

How we use your data

Any personal data inadvertently included in your messages is used solely to:

• Provide responses to your queries about university services and support in designated areas (Wellbeing, Finance, Careers, Academic Regulations).
• Monitor system performance and optimise the AI Assistant service.
• Analyse trends, knowledge gaps, and system performance to improve the service.
• Ensure appropriate security and prevent misuse.

The AI Assistant is trained exclusively on publicly available University of Westminster student support web pages and does not learn from individual conversations.

Automated transfer to human support

The AI Assistant is programmed to automatically transfer you to human support when certain words or phrases are detected, or when you request to speak with a human. Some sensitive queries (such as those about visas or wellbeing) will receive pre-programmed responses directing you to appropriate human contacts.

Who has access to your data

Access to AI Assistant conversations is strictly limited to:

• Three authorised university administrators – limited access for system management and support purposes only.
• Technical support staff – for troubleshooting and system maintenance.

All access is logged and monitored in accordance with our security policies.

Session-based access only

Since the system is anonymous and requires no login, your conversation history is only available to you during your current live session. Previous chat history from past sessions is not available to users, though administrators can access stored conversations for system management purposes.

Data storage and security

Security measures:

• All data is encrypted both in transit (TLS 1.3) and at rest (AES-256).
• Role-based access control (RBAC) with principle of least privilege.
• Multi-factor authentication for admin access.
• Regular penetration testing and vulnerability assessments.
• Activity monitoring and audit logging.
• Web Application Firewall protecting APIs from abuse.

Data location:

• All data processing occurs within European Union data centres.
• All backups are also stored within the EU.
• No data is transferred outside the EU/EEA region.
• Sub-processors are bound by Standard Contractual Clauses and Data Processing Agreements.

Data protection:

• Processing confined to EU/EEA region.
• Regular compliance audits (SOC 2, ISO 27001, GDPR).
• Privacy by design principles implemented.
• Incident response procedures aligned with GDPR requirements.

Backup and recovery:

• Automated daily encrypted backups within the EU.
• Geographic redundancy within EU.
• 99.9% system availability target.
• Regular disaster recovery testing.

Data retention

Initial retention period:

• Conversation data is initially retained for 90 days to enable analysis of usage trends, knowledge gaps, and system performance.
• This retention period will be reviewed by the LIDE and Information Compliance Teams after three months of operation.
• System logs are retained according to technical requirements.

Data deletion:

• All data is securely deleted within a maximum of 90 days after contract completion.
• The University can request mass data deletion at any time during the retention period.
• Individual conversation deletion is only possible if you provide your session ID or timestamp.

Your rights

Under data protection legislation, you have the following rights:

• Access – request a copy of personal data we hold about you.
• Rectification – ask us to correct inaccurate data.
• Erasure – request deletion of your data in certain circumstances.
• Restriction – ask us to limit how we use your data.
• Portability – receive your data in a portable format.
• Objection – object to processing in certain circumstances.

Important note: Due to the anonymous nature of the system, exercising these rights requires you to provide your session ID or timestamp, as conversations are not linked to user identity.

How to exercise your rights:

To exercise any of these rights or if you have questions about data processing, contact:

• Information Compliance Team - E: [email protected]
• Data Protection Officer: Available through the above email

Opting out and alternative support

Since the AI Assistant is completely optional and anonymous:

• You can choose not to use the AI Assistant feature on university web pages.
• No personal data is collected unless you voluntarily provide it in your messages.
• Alternative support channels remain available including: 
  o   Live chat during core hours
  o   Compass ticketing system for human contact
  o   Traditional university support services
• Your decision will not affect access to any university services.

Third-party processing

The Learnwise service is provided by LearnWise.ai, who act as a data processor on behalf of the University. They use cloud infrastructure provided by AWS and Azure, all located within the EU.

A contract is in place with Learnwise which includes necessary data protection clauses and has been checked by the Information Compliance Team. 

System protection:

• Logical database separation ensures the web assistant cannot access data from other systems.
• Web Application Firewall protects against denial-of-service attacks.
• LearnWise does not charge based on usage, eliminating cost risks from system abuse.

Approved sub-processors are listed on the Learnwise website.

Important disclaimers

• AI-generated responses: All responses are generated by AI and marked as 'answered by AI.' While trained on official university content, please verify important information through official university channels.
• Limited scope: The AI Assistant is restricted to specific student support areas and factual, non-sensitive queries.
• Source verification: The AI Assistant provides links to original university web pages alongside responses for verification.
• No personal advice: The AI Assistant provides general information only and cannot provide personalised advice on individual circumstances.
• Automatic transfers: For sensitive topics or upon request, you will be transferred to human support services at the earliest opportunity.

System abuse prevention

The system includes multiple protections against abuse:

• Web Application Firewall protecting APIs.
• Rate limiting and abuse detection systems.
• No cost implications from usage-based attacks.
• Monitoring and logging of suspicious activity.

Complaints

If you have concerns about how personal data is being processed, you can:

• Contact our Information Compliance Team at [email protected]
• Raise a complaint with the UK Information Commissioner's Office (ICO)

Updates to this statement

This privacy statement may be updated periodically to reflect changes in our practices or legal requirements. The current version is always available within the AI Assistant interface and on our website.

Contact information

University of Westminster
Information Compliance Team

El: [email protected]

Service provider: LearnWise.ai
Contact details are available via [email protected].