The Union expects that student groups will take every precaution to meet the requirements of GDPR and other Data Protection laws. It's impossible to provide a definitive list of everything you might collect or use personal data for, so make sure you are applying the data protection principles covered in this guide.
If you are at all unsure, then please contact the Union Activities team to ask before you use personal data for something - if you haven't planned for data protection when undertaking an activity, the Union may need to take action if something could result in increased reputational risk through unlawful use of data, for example.
Below are some more general rules to follow when dealing with personal data. First, things you should do:
- Send emails to your members (using mailing lists) regarding the running or activities of your group
- Keep lists of personal data in College systems (Office 365/SharePoint) so they can be accessed as necessary rather than being emailed around
- Use Microsoft Forms to collect data and store it in an Excel file in Office 365/SharePoint
- Regularly check and delete personal data if you no longer need it
- Plan ahead and think about what you need personal data for, and how you will collect, store and process it in a lawful way
- Destroy paper-based information once it has been recorded electronically, by shredding the paper it is written on or using confidential waste bins (one is available in the Union office)
- Make sure Data Protection is part of your handover for the next committee
- Abide by the Union Web Policy
Things you should not do:
- Download lists of members if possible
- Send documents containing personal data by email if this can be avoided
- Send messages to members advertising external companies or encouraging them to renew their membership (from the ICO: ‘significant promotional material aimed at getting customers to buy extra products or services or to renew contracts that are coming to an end’)
- Send mailshots or newsletters to anyone who is not a member of the society and for whom you don’t already have specific, opt-in consent to email. This is the case even if you would like to send them an email asking for permission to keep emailing them – if you don’t already have consent to contact them, you cannot email them to ask for their consent.
- Try to work around data protection issues - the law is the law
Any time you collect or use any personal data you should consider the Data Protection principles and what your legal basis is for processing. It seems obvious, but if you don't need the information then don't collect it! You will need to provide a privacy notice whenever you collect data, so people are aware of why you are collecting it and who to contact if they have any issues.
Make sure you have a secure method for collecting data - using Microsoft Forms and storing the data in Office 365 is a good way to do this if it is something simple. If you collect any personal information on paper, digitise it and store it somewhere secure as soon as possible, then destroy the paper records.
Purpose Limitation means that if you have permission to use personal data for one activity, you can't then use it for something else. So, for example, if you were to collect contact information from customers who had signed up to attend an event, you couldn't then also use their personal information for profiling or share it with a third party without the customers having already been informed of this further use. As members have given you access to their personal information to manage their membership of the society, you can reasonably use their data for different activities related to managing memberships - but be careful about what you use the data for, and make sure you have planned ahead if you are going to be doing anything drastically different.
The principle of Data Minimisation means that you should only keep data for as long as you reasonably need access to it. For example, contact details from last year's members should be deleted if you still hold them and no longer have any reason to keep them. Any historical data you hold should be anonymised (i.e. all identifying information removed) or deleted unless you can justify a need for keeping it - 'just in case' is not a valid reason. You may keep information for the sake of record keeping, but wherever possible you should keep only the absolute minimum of data required. If you are maintaining lists for emailing updates, you should only keep this information while you are still sending updates - if you stop an activity, you should remove the corresponding personal information.
Here are a few important things to make sure you do to keep data safe:
- Store any personal data on College or Union Systems (Office 365 or CSP servers), preferably in one place so this can be easily managed
- Avoid sending personal data via email or on transferable physical media such as USB drives if you can
- Encrypt personal data where appropriate and password protect any files if you do have to send them by email - make sure you delete the files from your sent folder and inbox once you no longer need the data
- Make sure handover is managed well and personal data is removed if no longer needed, or passed on to the new committee safely