SUUG Data Protection
SUUG Members Data Collection Notice
Aimed at all members
Throughout your relationship with the Students’ Union and for some period afterwards, we have a need to hold and process personal data about you. Consent is obtained where necessary for this. See the Union’s Data Protection Codes of Practice for more information about our systems of holding and processing personal data.
The Union has to provide a notification to the Information Commissioner under the Data Protection Act 1998 to hold personal data about its members. The purposes that we specify for holding data include: Fundraising; The administration of membership records; Maintaining membership; Providing and administering activities for members.
The information is held in a variety of formats, primarily in a centrally managed database. The Union has in place systems and procedures to ensure that the information complies with Data Protection Principles, including security.
Data will be processed in accordance with the provisions of the Act and will only be disclosed within the Union to members of staff who need to know it in order to carry out their duties, or to others outside the Union as specified in our notification, or for reasons set out in our Data Protection Codes of Practice.
When you leave the Union, some data is kept as a permanent record of your membership, and in order to enable us to keep in touch with you.
SUUG Data Protection Policy
Aimed at all Union staff and members, and for the information of other interested parties
The Union stores, processes and on occasion discloses information about employees, students and other Data Subjects for membership, administrative and commercial purposes. It is committed to a policy of protecting the fundamental rights and freedoms of individuals and in particular their right to privacy with respect to the processing of personal data, as set out in the Data Protection Act 1998. When handling such information, the Union, and all staff or others who process or use any personal information will comply with the Act in full at all times.
To ensure compliance with the Act the Union will:
- Observe the spirit and the letter of the 1998 Act and will not seek to exploit ambiguous wordings or "grey areas" yet to be clarified by Case Law to avoid its responsibilities.
- Co-operate fully with the Information Commissioner and his office.
- Publish and maintain a Code of Practice outlining the meaning of the Data Protection Act 1998 and establishing procedures for processing data in day-to-day working. The Codes of Practice will provide a reference source for all staff to clarify anomalies which may arise in routine operations.
- Consider that all departments are subject to the Act: no individual, section or department shall hold or process records in any manner which does not conform to the Union's Data Protection Policy and Codes of Practice.
- Seek to obtain comprehensive "informed consent" from Data Subjects regarding the keeping of records, the processing of data and the disclosure of data to third parties.
- Initiate and maintain an on-going programme of staff development.
- Periodically review its policies and practices to ensure continuing compliance with the Act.
In order to minimise its liability in law the Union will:
- Ensure that all new data systems and new forms of processing data will be implemented in accordance with the 1998 Act.
- Regard all members of staff of the Union as having an obligation to divulge the existence and contents of databases or other soft or hard copy filing systems that contain personal data, to the Data Protection Officer.
- Implement and maintain appropriate practical and technical measures to ensure the security of all personal data.
SUUG Data Protection Code of Practice
It is the responsibility of all staff members to comply with the Data Protection Act 1998, by following the Data Protection Principles as set out in the Act.
Data Protection Principles
1. Personal data shall be processed fairly and lawfully
2. It shall be obtained for specified purposes
3. It shall be adequate, relevant and not excessive
4. It shall be accurate and up-to-date
5. It shall not be kept longer than necessary
6. It shall be processed in accordance with the rights of the data subject
7. Measures shall be taken to protect processing, and to prevent loss and damage
8. It shall not be transferred outside the EEA unless there is an adequate level of protection in that country
How to Respond to a Request for Personal Information
If you receive a request from somebody for personal information, consider the following:
- Is the information they are requesting information about themselves?
- Is the information they are requesting information about a third party?
1. Requests for Own Information
If it is information about themselves, you can provide the information relatively easily, and it is something that you would normally do in the course of your duties:
- Verify to your own satisfaction the person’s identity. This may mean getting the request in writing (including email), or checking an ID in person.
- Ensure that personal data about a third party is not also being disclosed.
- Then – provide the information required, if it is easily done. In most cases, personal data should not be disclosed over the telephone, unless you can verify the person’s identity.
If the request is complex or requires much copying, or they mention the Data Protection or Freedom of Information Act, or you are uncertain what to do, confer with the Data Protection Officer. These types of request will always need to be logged centrally.
2. Third Party Requests
If the information requested is for personal information about a third party, consider the following:
Who is the request from?
a) Member of staff
You can give out the information if the staff member requires the information in order to perform his or her official duties, or with the consent of the individual concerned. (Remember to verify to your own satisfaction the member of staff’s identity. This might involve returning their phone call, or emailing them.)
b) Student
Third party data should not be disclosed to students without the consent of the individual concerned.
c) Requests from outside the Union
Requests must only be accepted in writing. Telephone callers or visitors in person must be requested to make a written enquiry. This includes police officers.
Disclosure of personal data to third parties is allowed only where the Data Subject has given consent, or in certain other limited circumstances. These include for the prevention or detection of crime.
Confidentiality of other third parties
Personal data should not be disclosed in any case where information about another third party cannot be protected (without the consent of that individual). The information should not be revealed if it is not reasonable to do so. If third party identity can be made anonymous, it should be.
Personal Data held Electronically
1. Email
Email should where possible be avoided when transmitting personal data about a third party, unless the data is securely encrypted. Any email, whether or not it contains personal information, may be liable to disclosure, either under the Data Protection Act, or under the Freedom of Information Act. All members of staff should be aware of this when writing emails, and when keeping them.
2. Union Website
2.1 Accessibility of data on Internet
Part of the Union website is accessible worldwide on the Internet. The Union Intranet is accessible only to members of the Union. Both of these parts contain pages where there is personal data, such as names, pictures, contact details etc. Such data, when released on the Internet, by definition goes beyond the European Economic Area and therefore contravenes the 8th Data Protection principle unless (for example) the data subject has given their consent. For this reason, personal data should not normally be available on web pages.
2.2 Staff business data on the Internet
Staff personal data which is required to be supplied for the purpose of the normal organisational functioning and management of the Union and, in particular, information which is already supplied in publicly available hardcopy publications does not require the consent of the person to its publication on the Internet or Intranet. This could include for instance business contact details, names, job titles and departments, roles. However, a person has the right to object to the use of their data where it would cause them significant damage or distress. Staff business contact details are currently made available on the Internet.
2.3 Staff or student personal information on the Internet
If staff or student personal contact details, or other personal information which is not related to their role at the Union, is placed on the Internet, the permission of that person must be obtained.
2.4 Personal Data Collection on Web Pages
When web pages are used to collect personal data, by the use of forms etc, a Data Protection statement should be included.
3. Personal data held electronically on computer shared drives and local areas
Personal data will frequently be held electronically, whether in the form of databases, spreadsheets, or simply as part of a Word document. Staff who have access to such data will generally have a legitimate purpose for accessing the data, if they are employed by the Union. However, the following points need to be adhered to:
- Consider whether to impose authorised or restricted access to electronic data
- Terminals or PCs may need to be kept in a room which is kept locked
- Site PCs where the screen cannot be seen by unauthorised staff or the public
- Screens should be clean of any previous data when not in use
- Lock your computer when leaving your desk
- Computers should be logged off or switched off when not in use
- Disks or tapes should be stored and locked away when not in use
- Passwords should be kept confidential, chosen carefully and changed regularly
- Personal information should be made anonymous whenever possible
- Delete personal data as soon as it is no longer required
- Take appropriate security precautions if working on data away from the Union, against the risk either of losing the data en route, or of it being seen by unauthorised people
- Maintain as many of these measures as possible when working on laptops as well.
Sensitive Personal Data
Sensitive personal data covers the following:
- Racial or ethnic origin
- Political opinions
- Religious beliefs or beliefs of a similar nature
- Membership of a trade union
- Physical or mental health or condition
- Sexual life
- Commission or alleged commission of an offence
- Proceedings for any offence or alleged offence, or sentence of court
It is possible that some or all of these types of personal data might be held in various departments of the Union. Racial or ethnic origin of staff will generally be held by HR for staff records. Similarly HR may hold details of offences. Any of these types of data could be held by the Union Advice Service. Where sensitive personal data collection occurs, the explicit consent of the individual is required.
Disclosure of Sensitive Personal Data to External Organisations
Refer also to the Code of Practice
It may be that there is a specific requirement to disclose sensitive personal data to an external organisation or body. The explicit consent of the Data Subject should normally have been obtained.
Where there are partnership arrangements with other organisations, where data sharing is required as part of that relationship, the Data Subject will be asked to sign a consent form agreeing to this sharing of data. This form will state the purposes for which the data sharing is required, where it will be stored, who will have access to it, and how long it will be kept.
Where the Union receives a request from an external person or body for information of a sensitive personal nature, each case will be considered individually in conjunction with the Union Data Protection Officer.
Disclosure of Sensitive Personal Data to Union Staff
Where sensitive personal data has been collected by a member of staff as part of their role, or by a unit or department of the Union as part of their function, the data will be stored and kept securely. It will only be disclosed to other staff members if they need to know it to perform their duties at the Union, or for certain other reasons as specified in the Principles of Data Protection. Staff members will ensure that they do not disclose sensitive personal data to their colleagues, either in conversation or by disclosure of records, in a casual or thoughtless manner.