General Data Protection Regulation: General Privacy Notice

This statement describes our approach to the collection, storage and handling of your data. Here we list all of the data which we collect and let you know how we store, use and process it in line with the requirements of the GDPR.

The table below shows a breakdown of who the Students’ Union holds data on, our legal basis for collecting and using the data, the source of the information we hold, and how long we retain the data prior to deletion.

If you would like to check whether the Students’ Union is holding any of your personal data, request a copy of your data, or request that the Students’ Union removes your data, you can do this by contacting Jeremy Harvey, who is the designated Data Protection Officer.

Please contact Jeremy if you wish to raise a concern or make a complaint about how the Students’ Union has accessed or processed your information. This does not affect your right to report a concern to the Information Commissioner’s Office, details of which can be found at https://ico.org.uk/concerns/

 

Who we hold data on

 

Legal Basis (why we hold data)

What we collect and what we use it for

How we ensure consent

Who has access to it

How long we keep it for

Where the data is kept

Job Applicants

Data held in case of any challenge to process

Names, addresses, former employment and education information

Statement on application form of use of data

CEO, Business and finance manager, Shortlisting panel, interview panel

6 months after interviews

OneDrive; e-mail threads

Our Staff & Sabbatical Officers

Contract: for employment purposes

Payroll; Emergency Contact details; Expenses; Performance Management; Grievance and Complaints information; Training and Development records; Health & Safety

Consent is provided through the employment contract

Full detail: Chief Executive & Business and Finance Manager. Limited details available to SU staff; HMRC; NEST Pension; Xero; Auditors; basic contact details shared publicly

 

Duration of employment. Some records we are required to keep for up to 7 years for audit purposes

Management Onedrive; Xero finance system; Paper copies secured in Swansea Office

Our Part-time Officers

Legitimate Interest: Student representation

Elections; Student Representation – local and national

Consent provided during election process

Full details: co-ordinating SU staff. Limited details are published on the SU website to help officers promote their role

Duration of office (usually one year)

SU shared drive in the cloud (restricted access); TSDSU Unioncloud website; Staff & Officer e-mail & Onedrive 

Club & Society Committee Members

Legitimate Interest: supporting student experience

Supporting & promoting student-led activity; Health & Safety arrangements; Resource Allocation

Members themselves provide the data; covered in committee training.

SU Staff & Officers

Duration of time on committees (usually one year)

SU shared drive in the cloud (restricted access); TSDSU Unioncloud website; Staff & Officer e-mail & Onedrive

Students who sign-up to Clubs and Societies

Legitimate Interest: supporting student experience

Analysis of who is involved in SU activities – to assess whether we are meeting the needs of our members; Health & Safety; Keep members up-to-date with SU activities and opportunities

Members themselves provide & submit the data. Form has GDPR statement.

SU Staff & Officers and designated Club/Society Committee members

Duration of Student involvement in Club/Society

SU shared drive in the cloud (restricted access); TSDSU Unioncloud website; Staff & Officer e-mail & Onedrive

Students who buy hoodies, NUS cards or TSD cards

Contract: commercial transaction

For commercial purposes; to report commercial progress

Commercial transaction completed by customer

Business & Finance Manager; designated staff; SU auditors

7 years as part of our charitable reporting requirements

PayPal SU account; downloaded onto CSV file which is stored locally and on OneDrive.

NUS

Students who sign up to ticketed events

Contract: commercial transaction

For commercial purposes; to report commercial progress

Commercial transaction completed by customer

Business & Finance Manager; designated staff; SU auditors

We clear our Tickettailor account of personal data annually; the financial transaction element is retained for 7 years as part of our charitable reporting requirements

SU Tickettailor account; PayPal SU account; downloaded onto CSV file which is stored locally and on OneDrive.

Students who sign up to events on social media

Consent: Individual consent provided

To promote events and encourage people to attend

Individual action and choice

Publicly visible; designated SU staff and officers run our social media accounts

As long as the event is active online. Individuals can remove themselves whenever they wish.

Facebook; Twitter; etc.

CCTV images 

Legal Obligation: Licensing Requirements

Fulfil licensing requirements in Ceredigion; Health & Safety; Risk Control; Complaints.

Appropriate public signage

Designated Controller and Operators

30 days is our norm; individual clips may be retained for longer if there is an incident. 

On a hard drive designated for this purpose; clips may be uploaded to OneDrive for longer-term storage as required.

Course Reps

Legitimate Interest: Student representation

Student advocacy & representation; Publicising the rep system

Reps put themselves forward for election. Consent for data to be included in training

Public: Reps are public roles so limited details are published on the SU website & via publicity in academic schools. Full details: accessible only by designated SU Staff

Removed annually. 

SU shared drive in the cloud (restricted access); TSDSU Unioncloud website; Staff & Officer e-mail & Onedrive

Faculty Reps

Legitimate Interest: Student representation

Student advocacy & representation; Publicising the rep system; Payroll.

Reps put themselves forward for election. Consent for data to be included in training

Public: Reps are public roles so limited details are published on the SU website & via publicity in academic schools. Full details: accessible only by designated SU Staff

Removed annually.

SU shared drive in the cloud (restricted access); TSDSU Unioncloud website; Staff & Officer e-mail & Onedrive

Volunteers

Legitimate Interest: Supporting student experience

Analysis of who is involved in SU activities – to assess whether we are meeting the needs of our members; Health & Safety; Keep members up-to-date with SU activities and opportunities

Members themselves provide & submit the data. Form has GDPR statement.

SU Staff & Officers and designated project Committee members

Duration of Student involvement in Project

SU shared drive in the cloud (restricted access); TSDSU Unioncloud website; Staff & Officer e-mail & Onedrive

Students who fill in our surveys and nominations forms

Legitimate Interest: Student representation

Gauge Student Opinion; Decision-Making; Student Representation

Statement on all of our surveys

Designated SU Staff

Full details removed annually; Overall summary retained

TSDSU accounts: SurveyMonkey; Google Forms

Students who submit an idea

Legitimate Interest: Student representation

Gauge Student Opinion; Decision-Making; Student Representation

Individual sign-up; Students self-publish the idea on our site. 

Ideas are public; Student data retained in Unioncloud – accessible only by designated SU staff

Ideas are not removed, but are moved from active to library section. Student data removed once account reaches its expiry date

TSDSU Unioncloud site

People who complain to the Students’ Union

Consent: Individual consent provided

Complaints process & reporting

Individual choice

Chief Executive & any designated investigating officer. Potential to get escalated to the Trustee Board.

Duration of the complaint; summary details retained thereafter

Chief Executive & staff e-mail / OneDrive

External Companies and Contractors

Contract: commercial relationship

Sponsorship; Fundraising; Provision of Services & Events

GDPR statements on our booking confirmation and contracts

Business & Finance Manager; Chief Executive; Projects Assistant; Activities Co-ordinator

Duration of Contract

SU shared drive in the cloud (restricted access); TSDSU Unioncloud website; Staff & Officer e-mail & Onedrive

Lampeter Bar Customers

Contract: commercial relationship

Commercial transaction via PayPal

Individual decision to purchase

Business & Finance Manager; Lampeter Bar Manager; Chief Executive; SU Auditors

7 years as part of our charitable reporting requirements

On SU SharePoint; in the SU’s PayPal account; on the Business & Finance Manager’s OneDrive

Registered students at UWTSD

The Education Act 1994 establishes that every member of a Students’ Union has a legal right to vote in elections and AGMs.

To facilitate SU democratic processes. 

The SU does not use this data to communicate directly with students; that is done by providing content to the University for them to send through their e-mail system.

We are not the data controller for this information; that is the University, who pass the information to us as part of their responsibilities under the 1994 Education Act.

Members have the right to opt out of the Students’ Union. 

Named managers of the SU with responsibility for democracy. 

The data is removed annually, unless students activate their profile on the SU website, in which case it is retained for the duration of their course.  

It is provided to the Chief Executive by University IT&S and uploaded to the ‘Union Cloud‘ membership system. Union Cloud has its own data protection policy and procedures which are displayed on the Students’ Union website. 

 

Note: All PayPal transactions are subject to the PayPal privacy policy, which can be found here: https://www.paypal.com/uk/webapps/mpp/ua/privacy-prev

 
