Data Protection (GDPR)

In accordance with new data protection laws from 25th May 2018 onward, Clubs and Societies should only be using their society and club email accounts.

The General Data Protection Regulation, or GDPR, came into effect in May 2018. This affects how personal data is collected and used by organisations, including the University, the Students’ Union and our student groups. Getting this wrong could have serious financial and legal consequences for the SU, and you could also be partly liable for a fine yourself.

The SU has made some changes to the way it operates to comply with the GDPR, and will continue to improve our data protection management as an ongoing project.  

Student groups should use the tools, systems and processes that the SU has designed to suit these requirements, best practice and other internal processes. All groups are covered by our data protection policy and the policy of the University, provided you use the tools and provision we have in place. If you do not follow these processes and procedures, you leave yourselves, individuals, other student groups and the SU open to fines and legal claims.

Committee Presidents/Club Captains should familiarise themselves with the information in these policies, which details who to contact if you have an issue or any questions.

Keele SU policies can be found here and the University policy can be found here.  

If you would like to know more about GDPR there is a good introduction HERE

 

What Student Groups Need to do:

This is not a detailed list; however, it gives you some of the things that have been or will need to be considered when collecting data.

1. Process personal data fairly and lawfully

  • Comply with Keele SU’s policies, privacy statement and data protection guidelines. 
  • Don’t share data with third parties unless you have documented consent from the individual to do so  
  • If information is processed on a consent basis, make sure that we tell people how they can withdraw their consent

2. Process personal data for specified and lawful purposes

  • If you are collecting data, you must have a privacy notice which tells students how you will use this data. For example, if you are conducting a survey of your members and are collecting names, you must inform them how the data will be used and stored, and when it will be destroyed. This is why it is often best to collect anonymous survey feedback.

3. Only collect the data that you need

  • Make sure you have a reason for all the data you collect, and identify whose job it is on your committee to be aware of this reason, and when you will review it.  
  • ‘It’s nice to know’ or ‘we might need that one day’ is not a reason that the Information Commissioner’s Office is likely to accept!
  • Make sure all members of your committee know it’s their job to question how data is used if they’re unsure

4. Keep data accurate and up-to-date

  • Take reasonable steps to correct anything you know is wrong 
  • Notify students of how they can update data  

5. Don't keep data for longer than necessary (whilst upholding individuals' rights)

  • Have mechanisms or a schedule for removing old data (hint: this will be done for you automatically on Keelesu.com and on your @keele.ac.uk email address and team channel.)
  • Clubs and Societies are not authorised to use any email account other than their @keele.ac.uk account. Please report any unauthorised email accounts to the SU so that we can ensure they are properly closed down.  
  • Know how long you need to hold the data

6. Keep data secure

  • Know who has access to the data you hold, and don’t allow people who don’t need access to have it. If storing on a device or platform, ensure that device or platform can be password secured and encrypted. 

7. Be accountable

  • Be able to evidence that you’ve considered people’s data rights under GDPR. Report any breaches ASAP. Refer to Keele SU’s privacy page and notices, with the details of how people can object to, rectify, request, etc. their data.

We recognise there may be a few times when committees collect data outside of the website and email account; you must be able to justify the need to do this.

Collecting contact details at Club and Society sign-up fairs is strictly prohibited. Instead, you should utilise the free membership on the website, "I'm interested, tell me more", which will give you the ability to contact these potential members. No matter where data is collected, you MUST comply with GDPR and follow the below guidance.

What if there is a data breach? 

Please inform Keele SU immediately in the event of a data breach. Please email su.activities@keele.ac.uk AND su.itsupport@keele.ac.uk with the subject heading "Data Breach".

If you have any queries you can contact the Activities team at su.activities@keele.ac.uk