Last updated: 22/05/2018
Approved by Communications Committee: 30/05/2018
The Students’ Union believes that your data should be respected and that you should be able to confidently trust us with your personal data.
All personal data held by us will be securely processed, held and deleted in line with relevant data protection laws and our moral responsibilities. This page sets out how we will do this.
When we collect your data we will let you know what we will use it for and the basis for processing.
Your data is handled by the University of Sussex Students’ Union and/or USSU Trading Ltd, both at Falmer House, Falmer, East Sussex, BN1 9QF.
You can contact our Data Protection Officer, Paul Newton, via email - [email protected] - or by post at the address above.
You can see the categories of personal data we use (where this is not obtained from the person it relates to), the recipients or categories of recipients of the personal data, retention periods and details of transfers to any third countries or international organisations in our summary of the data we process and/or by viewing the data collection assessment for the area(s) you’re interested in. Additionally, we maintain a list of the sub-processors we use which includes details of their data protection measures.
The General Data Protection Regulation (GDPR) applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
For us this means information such as students’ names and email addresses, our employees’ personnel records and the members of sports clubs and societies.
Special categories of data have extra protections as they are considered particularly sensitive in relation to fundamental rights and freedoms:
Personal data revealing
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
The processing of the following for the purpose of uniquely identifying a natural person:
- genetic data
- biometric data
- a natural person’s sex life or sexual orientation
Note that personal data relating to criminal convictions and offences is not included in the definition of special categories of data, but similar extra safeguards apply to its processing.
All personal data will be processed in accordance with the data protection principles in Article 5 of the General Data Protection Regulation, which states that personal data shall be:
- Processed lawfully, fairly and in a transparent manner;
- Collected for specified, explicit and legitimate purposes;
- Adequate, relevant and limited to what is necessary;
- Accurate and, where necessary, kept up to date;
- Kept for no longer than is necessary for the purposes for which the data was requested;
- Processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Article 5(2) requires that: “the controller shall be responsible for, and be able to demonstrate, compliance with the principles”, a duty overseen by our Data Protection Officer.
You have a number of rights over your data:
- The right to be informed about the collection and use of your personal data
- The right of access to your personal data
- The right to rectification if data about you is inaccurate or incomplete
- The right to erasure of your data in a number of circumstances
- The right to restrict processing of your data in a number of circumstances
- The right to data portability so you can transfer your personal data in a number of circumstances
- The right to object to processing based on legitimate interests, for direct marketing and/or the purpose of scientific/historical research and statistics
- Rights in relation to automated decision making and profiling
- The right to withdraw your consent where this is the basis for processing your personal data
- The right to make a complaint about how your data is used
These are explained fully at https://ico.org.uk/for-the-public/ which also contains information about how to make a complaint about how we or any other organisation uses your data.
To exercise your rights over the data we hold about you please contact us via [email protected] and we’ll act on your request within a calendar month unless the request is complex or a number of requests have been received, in which case we will notify you of the expected delay and the reasons why.
Whenever we collect your personal data we will give you a privacy notice explaining what we are collecting it for and the legal basis for processing it as well as if we’ll use it for automated decision-making.
We may give this to you verbally, via a sign at the point of collection and/or digitally. You can also see our privacy notices in each of our data collection assessments.
There are six bases for processing personal data. When we choose to collect and process your data we will establish the correct basis and state this in a data collection assessment. You can view these in our summary of the data we process and/or by viewing the data collection assessment for the area(s) you’re interested in.
- Consent - people have a real choice and control when giving ‘opt-in’ consent (i.e. not with a pre-ticked box), and have the option to withdraw their consent at any time. Consent cannot be conditional.
- Contract - data is processed prior to entering into a contract and then in order to fulfil the contractual obligations. All processing will be necessary and proportionate to this aim.
- Legal Obligations - data is processed by the Union in order for it to fulfil its legal obligations, with the relevant law easily identifiable, e.g. personal data which must be given to HMRC.
- Vital Interests - processing data in order to protect the life of the individual.
- Public Task - ‘in the exercise of official authority’, which covers public functions and powers that are set out in law or in order to perform a specific task in the public interest.
- Legitimate Interests - this is the broadest basis for processing, and can include commercial interests, individual interests or broader societal benefits. The Union will always identify their legitimate interest, show that the processing is necessary to achieve it, and balance it against people’s interests, rights and freedoms. Our data collection assessments show how we’ve done this.
We use a number of technical and organisational measures to keep your information secure including:
- a confidentiality and data protection policy for our staff which outlines our expectations and requirements for staff handling personal data
- a confidentiality policy for our volunteers
- ensuring our computer systems are secure and that people access them from secure devices
- providing training to key staff and volunteers so they know how to look after your information
- ensuring that anyone who processes data for us (known as a sub-processor) has suitable measures in place to protect your data
- only sharing information with people who need to see it for the purpose we collected it for
A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data.
If we suspect there may have been a breach of our data we will immediately notify our Data Protection Officer. They will investigate immediately and if there has, or may have been, a notifiable breach they will notify the Information Commissioner’s Office without undue delay and within 72 hours of becoming aware of it.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, we will also inform those individuals without undue delay and in many cases we’ll let people know about a breach even if there isn’t a high risk of damage to them.
Sources of information
Appendix: Retention schedule
Additional information can be found in our summary of the data we process and/or by viewing the data collection assessment for the area(s) you’re interested in.
| Record | Retention period |
|---|---|
| Job application records of unsuccessful candidates | 10 months |
| Job application records of successful candidate(s) | Will be used to administer employment (see below) |
| | 2 years from date |
| | 3 years after the end of the relevant tax year |
| | 6 years after the end of the relevant payment year |
| Bank details | At end of employment |
| Personnel file and training records not covered above (includes disciplinary and grievance records) | 6 months after leaving employment if there is no dispute |
| Immigration checks | 2 years after leaving employment |
| Written particulars of employment, contract of employment and changes to terms and conditions | 6 years after leaving employment |