Data Protection (GDPR)

The General Data Protection Regulation (GDPR) came into effect in May 2018. This impacts how personal data is collected and used by organisations, including the University, the Students’ Union, and our student groups. Getting this wrong could have serious financial and legal consequences for the SU, and you could also be partly liable for a fine.

The SU has made some changes to the way it operates to comply with the GDPR and will continue to improve our data protection management as an ongoing project.

Student groups should use the tools, systems, and processes designed by the SU to suit these requirements, best practices, and other internal processes. All groups are covered by our data protection policy and the policy of the University, provided you use the tools and provisions we have in place. When not following these processes and procedures, you leave yourselves, individuals, other student groups, and the SU open to fines and legal claims.

As part of this, Clubs and Societies should only use their society and club email accounts.

Committee Presidents/Club Captains should familiarise themselves with information in these policies, which details who to contact if you have an issue or any questions.

Keele SU policies can be found here and the University policy can be found here.

If you would like to know more about GDPR, there is a good introduction HERE.

What Student Groups Need To Do:

This is not a detailed list, but it gives you some of the things that have been/will need to be considered when collecting data:

  1. Process personal data fairly and lawfully
    • Comply with Keele SU’s policies, privacy statement, and data protection guidelines.
    • Don’t share data with third parties unless you have documented consent from the individual to do so.
    • If information is processed on a consent basis, make sure that we tell people how they can withdraw their consent.
  2. Process personal data for specified and lawful purposes
    • If you are collecting data, you must have a privacy notice that tells students how you will use this data. For example, if you are conducting a survey of your members and are collecting names, you must inform them how the data will be used and stored, and when it will be destroyed. This is why it is often best to collect anonymous survey feedback.
  3. Only collect the data that you need
    • Make sure you have a reason for all the data you collect, and identify whose job it is on your committee to be aware of this reason, and when you will review it.
    • ‘It’s nice to know’ or ‘we might need that one day’ is not a reason that the Information Commissioner’s Office is likely to accept!
    • Make sure all members of your committee know it’s their job to question how data is used if they’re unsure.
  4. Keep data accurate and up-to-date
    • Take reasonable steps to correct anything you know is wrong.
    • Notify students of how they can update data.
  5. Don't keep data for longer than necessary (whilst upholding individuals' rights)
    • Have mechanisms/schedules for removing old data (hint: this will be done for you automatically on Keelesu.com and on your @keele.ac.uk email address and team channel).
    • Clubs and Societies are not authorised to use any email account other than their @keele.ac.uk account. Please report any unauthorised email accounts to the SU so that we can ensure they are properly closed down.
    • Know how long you need to hold the data.
  6. Keep data secure
    • Know who has access to the data you hold, and don’t allow people who don’t need access to have it. If storing on a device or platform, ensure that the device or platform can be password-secured and encrypted.
  7. Be accountable
    • Be able to evidence that you’ve considered people’s data rights under GDPR. Report any breaches ASAP. Refer to Keele SU’s privacy page and notices, with the details of how people can object, rectify, request, etc., their data.

We recognise there may be a few times when committees collect data outside of the website and email account; you must be able to justify the need to do this.

Collecting contact details at Club and Society sign-up fairs is strictly prohibited. Instead, you should utilise the free membership on the website "I'm interested, tell me more," which will give you the ability to contact these potential members. No matter where data is collected, you MUST comply with GDPR and follow the below guidance.

What if there is a data breach?

Please inform Keele SU immediately in the event of a data breach. Please email su.itsupport@keele.ac.uk with the subject heading "Data Breach."

If you have any queries, you can contact the Activities team at su.activities@keele.ac.uk.