Data Protection Principles

There are seven principles of Data Protection outlined by the Information Commissioner's Office. It's important to familiarise yourself with these concepts as they should apply to any activities you undertake that involves collecting or processing personal data.

These are:

Lawfulness, fairness & transparency​

This principle is about making sure you are collecting and processing data within the law, that you are using data in a way that is fair to individuals and that you are transparent in your communication about how you are using data. This might involve you using a privacy notice if you are collecting personal data to let people know how you intend to use their data. The Union's Privacy notice will cover using member data for the purpose of managing memberships and groups.

Lawful Basis for processing data

These are the reasons that you can use to actually process data. In the case of student groups, most processing will occur for legitimate interests, but you may want to familiarise yourself with what each these means in practice. More information can be found on the Information Commissioner's Office website.

  1. Consent
  2. Contract
  3. Legal Obligation
  4. Vital Interests
  5. Public Task
  6. Legitimate Interests


Purpose Limitation​

Purpose limitation involves simply making sure that you are limiting what you are doing with personal data. For example, the data you may be able to access on the members of your student group can be used to administer your group and to contact your members with information regarding their membership - this is something they can reasonably expect given they have provided their details for the purpose of joining your group. However if you were to process their data in another way that they wouldn't be happy with (for example sell their data on to a third party or use the membership data to promote a cause or event unrelated to your group) then you would be breaking the principle of purpose limitation.

There are cases where you can use personal data for a new purpose if it is 'compatible' with a current purpose - you can read more about this on the ICO website. Essentially, if it is related to something you are already using the data for and it could be reasonably expected by the data subjects then it is ok. The exception to this would be sending marketing materials - if you intend to send marketing materials to a list of people you already have access to  then you would still need to obtain opt-in consent for the new marketing purpose.


Data minimisation​

As the name suggests, you should try and minimise the amount of personal data you hold. If you don't need it, delete it or better yet - don't collect it. For example, you shouldn't collect your members' personal email addresses or contact phone number unless you need this for a specific purpose eg. managing an event and then you should only collect this from the relevant members. As this isn't required for the majority of your members, you shouldn't collect or hold the data until it is needed - no  'just in case'.



Your data should be accurate and up-to-date. If you are unable to ensure that personal data that you hold is accurate then you should remove the data. Good practice around this would be to avoid keeping lists of members outside of eActivities - the list in eActivities will accurate as it is updated automatically whereas any member lists you keep yourself will need regularly updating. Any data on members from previous years should be deleted as you will be unable to ensure the accuracy of the data (and the principle of data minimisation would dictate that you shouldn't keep this if you are not using it anyway).


Storage Limitation​

You should only keep personal data for as long as you are processing the data. For example, you should remove any personal data about former members that are not from the current year if there is no reason for you to hold this data or if you were to collect personal information from members for a trip or a tour, this information should be deleted once the tour or trip has finished, assuming it is no longer required.. The Union database keeps records of student memberships so there is no need for your group to keep lists of members for the purposes of record keeping. It is good practice to have retention policies in place for any personal data that you manage - there are no strict rules about setting these but you should use common sense and make sure you adhere to any policies that you set.


Integrity and Confidentiality ​

You must ensure the security and confidentiality of your data.This means having approriate systems in place to make sure you are limiting the risk of losing data or compromising its integrity. The best way to do this is to not handle data at all - don't collect it if you don't need it and if you do need to, then make sure it is collected and stored on College (Office 365, network drives) or Union systems (eActivities, Union webservers). Storing personal data on College systems reduces the risk of data breaches occuring - College systems are secure and keeping your information in one place such as an Office 365 Sharepoint reduces the need to move data around.



This principle relates to the responsbility of organisations to ensure they are handling data responsibly and making every possible effort to ensure that data is managed well. This involves putting processes into place to make sure it is easy to mange data effectively, ensuring training is carried out, producing documentation, having policies in place etc. Union volunteers are also responsible for meeting this principle as representatives of the organisation. It is important to make sure your members and committee understand about Data Protection and that sufficient procedures are in place to handle data effectively.

Loading, please wait  

Report a problem