In order to operate effectively and fulfil its legal obligations, the Union needs to collect, maintain and use certain personal information about current, past and prospective employees, volunteers, customers and suppliers and other individuals with whom it has dealings. All such personal information, whether held on computer, paper or other media, will be obtained, handled, processed, transported and stored lawfully and correctly, in accordance with the safeguards contained in the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
Introduction
While carrying out its various functions and activities, Aberystwyth University Students’ Union (AberSU) collects information from individuals and external organisations and generates a wide range of data which is recorded and maintained.
The purpose of this document is to enable Aberystwyth University Students’ Union (AberSU) to:
- Describe the personal data which it processes and the purposes associated with that processing.
- Demonstrate its commitment to the proper handling of personal data.
- Comply with data protection law.
- Protect the organisation from the consequences of any breach of its statutory and common law responsibilities.
- Encourage and support a culture of best practice within data protection.
AberSU ensures that personal data is held in compliance with the Data Protection Act (DPA) and with the General Data Protection Regulation (GDPR), which becomes enforceable from May 2018. This document will be reviewed annually to ensure compliance.
‘Personal data’ refers to information that identifies a living individual. AberSU holds personal data for the following purposes:
1. Staff Administration – Appointments or removals, pay, discipline, superannuation, work management or other personnel matters.
2. Advertising, Marketing and Public Relations – Advertising or marketing the business, activity, goods or services and promoting public relations.
3. Accounts and Records – Keeping accounts, deciding to accept a person as a customer or supplier, keeping records of purchases, sales or other transactions, the processing of orders and accounts.
4. Administration of Membership Records – details of members, supporters, staff and temporary and casual workers.
5. Consultancy and Advisory Services – Giving advice or rendering professional services (Student Voice).
6. Benefits, Grants and Loans Administration – The administration of welfare and other benefits.
7. Fundraising – fundraising in support of the objectives of the organisation.
8. Property Management – management and administration of land, property, and estate management.
Information is transferred from Aberystwyth University to the Students’ Union for the purposes of facilitating:
i. the organisation of Students Union membership;
ii. the administration of clubs and societies;
iii. the administration and monitoring of fair representation in relation to polls and elections;
iv. the provision of services by the Students’ Union itself (including the administration of ticket sales);
v. verification of students’ identities;
vi. the realisation of the published objectives of the Students’ Union;
vii. Postal and email communications between Aberystwyth University and its Students’ Union.
Personal data provided to the Students’ Union by the University shall not be transferred to any third parties, including those formally contracted with as data processors (which includes MSL Ltd), without the explicit consent of the University.
As a not for profit organisation AberSU is not required to register with the Information Commissioner's Office. This document is intended to complement existing Aberystwyth University policies and procedures.
AberSU processes personal information about its members in accordance with the data protection principles set out in the Conduct Statement below.
Definitions
a. Personal Data
Data which relates to a living individual who can be identified from the data, or from the data and other information about the individual which is in the possession of or is likely to come into the possession of the Data Controller. Personal Data includes any expression of opinion about the individual and any indication of the intentions of the Data Controller or any other person in respect of the individual.
b. Sensitive Personal Data (‘Special Categories’ under GDPR)
Personal data relating to racial or ethnic origins, political opinions, religious beliefs, union membership, physical or mental health (including disabilities), sexual life, the commission or alleged commission of offences and criminal proceedings. (Under the GDPR the special categories also include genetic and biometric data; data relating to criminal convictions and offences is subject to separate safeguards under Article 10, but is treated with the same care in this document.)
c. Data Controller
A person or organisation who determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.
d. Data Processor
Any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
e. Data Subject
A living individual who is the subject of the Personal Data.
f. Processing
The obtaining, recording, holding, organising, combining, altering, retrieving, consulting, disclosing, disseminating, deleting, destroying or otherwise using the data.
g. Third Party
Any person other than a Data Subject or the Data Controller or any Data Processor or other person authorised to process data for the Data Controller or Data Processor.
h. Privacy notice
One of the key areas which is emphasised under the GDPR is the ‘right to be informed’, which encompasses the obligation placed on organisations to provide ‘fair processing information’, usually by means of ‘privacy’ or ‘data protection’ notices.
The GDPR sets out what information should be included in such notices. Some of this will be familiar, as it is the type of information which should ideally already be included in notices under the Data Protection Act. However, there are additional categories of information which must be included and a greater level of detail will be expected. For further details, see the ICO’s website at: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/individuals-rights/the-right-to-be-informed/
AberSU Conduct Statement in relation to the data protection principles set out in Article 5 of the GDPR
Principle 1 – Processed lawfully, fairly and in a transparent manner in relation to the data subject; All students whose data is processed by AberSU must be properly informed or have access to clear information relating to how their data is used, unless an exemption is identified. Where anonymising of personal information is possible without restricting the benefits of the purpose of the data use, individuals should not be identifiable.
Principle 2 – Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; Staff must consult the Union CEO before any personal data is reused for any purpose that is substantially different to that which it was obtained for. If purposes are not to be reasonably expected, new intentions for data use will be published and an appropriate legal basis for processing data in this way will be sought; if deemed necessary, consent from students will be obtained.
Principle 3 – Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; All personal data must be fit for the purpose of which it is processed. Irrelevant information should be removed or not obtained at all.
Principle 4 – Personal data is kept accurate and, where necessary, up to date; Managers should ensure that every reasonable step is taken to ensure that personal data are accurate, having regard to the purposes for which they are processed, and that inaccurate data are erased or rectified without delay.
Principle 5 - Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; All information must be retained and disposed of in accordance with AberSU Data Retention Schedule. For any information not noted on this schedule, staff will consult the Union CEO. Data that reaches the end of its retention period will be securely deleted. Out of date information that must still be retained will be securely archived.
Principle 6 - Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures; Managers must observe all procedures and guidance in relation to the security of data and should implement all appropriate restrictions on access, considering factors such as location, length of retention and encryption. Records that hold personal data are stored in locked filing cabinets, or on controlled-access systems, applications and servers. Electronic information is stored on internal servers managed and controlled by AberSU or securely maintained on external servers by partners bound by data protection contracts.
AberSU will also observe the other requirements of GDPR in relation to:
The rights of data subjects, which include:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Transfers outside the European Economic Area
Any staff member who seeks to send personal identifiable information in any format to countries outside the EEA must discuss this with the Union CEO.
Staff Responsibilities
All staff who process personal data are expected to understand and adhere to the Data Protection Principles set out above. Appropriate training will be provided, including induction training for new starters and annual refresher courses.
Significant breaches of this policy will be dealt with using disciplinary action.
Student Responsibilities
Students should assist AberSU in ensuring that their own personal data as provided to the Students’ Union is accurate and up to date. Reasonable opportunities to do so will be provided.
Students volunteering for AberSU may need to process personal data for activity administration purposes. If students are using personal data, they must inform the relevant department manager in charge of the student’s activity so that the requirements of data protection legislation can be adhered to.
Sensitive Personal Data (‘Special Categories’ under GDPR)
In most cases AberSU will refrain from processing data relating to sensitive personal information. This includes details relating to an individual's ethnicity, religion, political opinions, health conditions, sexuality, criminal records etc. Where this is unavoidable, e.g. in the case of health and safety records, access will be limited to specific members of staff only.
Where such processing is not required to meet a legal obligation (see Legal Basis below), data subjects will be asked to give explicit, informed consent for AberSU to use their sensitive information, and that consent will be recorded.
Sharing Data Internally
Data is shared across business functions and between staff of AberSU only when it is required to perform work functions. As far as possible, data is transmitted electronically solely over a secure network and the transmission of data via paper, post or independent electronic devices is strongly discouraged. AberSU uses the University network, which is a secure system with fully managed access control, back-up and recovery processes in place, supported by the University IS team.
Sharing Data with Partners
Data is only shared with external agencies upon legitimate request and/or when required by law such as a court order.
AberSU has no responsibility for the management of personal data processed by Aberystwyth University, which is solely responsible for its own compliance with data protection legislation.
AberSU reserves the right to share limited information with Aberystwyth University as necessary to pursue its legitimate interests, or to ensure the smooth operation of procedures and practices in the interests of students. The specific information shared with the University, and its purpose, is detailed in our sharing agreement, which is published online.
Further to this, AberSU reserves the right to pass necessary information (including personal data) to the University in exceptional circumstances, such as to uphold and enforce disciplinary procedures.
A third party ‘Memberships Solutions Limited’ (MSL) provide an information management system to store and manage our students' personal information. MSL are bound by a contract stating that personal information will not be modified, deleted, or shared, without the instructions of AberSU, or used for any purpose other than that specified by AberSU. They are also contractually obliged to abide by current data protection legislation.
Sharing Data with the Police or a Similar Third Party
In the case of personal information requests by the Police or a similar third party for the purposes of the prevention or detection of crime or for taxation, and where it is not appropriate for the requestor to seek that information from the individual(s) concerned, it may be deemed necessary to release personal data to the third party. Data protection legislation allows this for the purposes of:
- The prevention or detection of crime;
- The apprehension or prosecution of an offender; or
- The assessment or collection of any tax or duty or of any imposition of a similar nature.
Unless a Court order is made, the decision regarding whether to release personal data will belong to AberSU. Any requests must be made using an official data protection form to be supplied by the police.
The University manages CCTV within the building. Please see their policies regarding Closed Circuit Television (CCTV) for more information.
Marketing and Communications
Personal details relating to each student are shared by the University with the Students’ Union to ensure that students are able to vote and access Students’ Union services. This enables the University to fulfil its obligation to support the operation of the Students’ Union. The transfer of information between AU and the Students’ Union is specifically noted in the University’s Data Protection Statement to which all students are directed on registration.
Unless students have opted out, occasionally throughout their time at the University AberSU will communicate with students via email. This will be for the main purpose of communicating services provided solely by AberSU in line with the students’ membership. If students would like to be removed from a mailing list they may opt out of that type of communication using the unsubscribe link provided in the email; alternatively, students can view and edit their contact options via email to union@aber.ac.uk
Subject Data Rights
If an individual would like to see or have a copy of the personal data that AberSU holds on them, they should submit a subject access request to union@aber.ac.uk or use the AberSU contact details provided below. AberSU will respond within one month of receiving the request. If a request is manifestly unfounded or excessive, AberSU has the right to refuse it. Please note that, unlike the University, AberSU is not subject to the Freedom of Information Act. If you are unhappy with how your request is handled, please use the online complaints form.
On occasion AberSU will process personal information to improve offers and services to enhance the student experience. This may involve profiling or automated decision making based on student information (e.g., whether they are a member of an AU club) or information passed from the University (e.g., the department the student belongs to). If you would like to object to your personal information being processed to improve AberSU offers and services, you can contact us using the contact details on the AberSU website abersu.co.uk. There may be a legal basis for AberSU to continue processing your data in this way, but you are entitled to an explanation of the processing and the opportunity to challenge it.
If you would like any of your personal information held by AberSU to be blocked, erased, or destroyed, you should contact us on union@aber.ac.uk
In some cases (e.g., records relating to a criminal investigation) there may be legitimate reasons for AberSU to preserve your personal information. Once those reasons no longer apply, AberSU will endeavour to honour your request.
It is the responsibility of AberSU staff to take reasonable measures to ensure students’ personal data is accurate and up to date, and they will provide opportunities to update information if necessary. However, if you believe AberSU are holding inaccurate or out of date personal information, you have the right to request that your data be corrected. If necessary AberSU may seek to verify your requests before updating their records.
Data Breach
Data protection legislation requires appropriate security of personal data, including protection against unlawful processing and against accidental loss or damage. To ensure this, electronic information is stored on internal servers managed and controlled by AberSU or securely maintained on external servers by partners bound by data protection contracts. In the unlikely event of a data breach of any kind, staff have been trained to inform the CEO, who will carry out the necessary procedures. These include assessing whether the breach must be reported to the Information Commissioner's Office, which the GDPR requires within 72 hours of AberSU becoming aware of it where the breach is likely to result in a risk to individuals' rights and freedoms.
Legal Basis
AberSU is required to state under which legal basis personal data is processed. In most cases this is because it is necessary for the purposes of the legitimate interests pursued by AberSU. In terms of staff data, processing may be necessary for the performance of the contract of employment. Data processed for health and safety purposes will be done so because of the legal obligations to which AberSU is subject. In a small number of specific cases, processing is reliant on the provision of explicit and informed consent, which will be recorded.
Contact Details
This document can be made available in large print upon request. If you require another alternative format, please contact us to discuss your requirements.
Contact Details:
Aberystwyth University Students' Union
Penglais Campus
Aberystwyth
SY23 3DX
Telephone: 01970 621700
Email: union@aber.ac.uk