Student Group Data Protection Guidelines

Background

Key Terms

‘Data Controller’ The person or organisation that determines the purposes and means of processing personal data, in line with the data protection principles.

‘Data Processor’ A person or organisation that processes personal data on behalf of a controller and on the controller's instructions.

‘Data Processing’ Anything that is done to, or with, personal data (including simply collecting, storing or deleting those data). This definition is significant because it means UK data protection law is likely to apply wherever an organisation does anything that involves or affects personal data.

‘GDPR’ The UK General Data Protection Regulation (UK GDPR) is the general data protection regime that applies to most UK businesses and organisations.

‘Information Commissioner’s Office’ (ICO) The UK's independent body set up to uphold information rights.

‘Personal Data’ Information about a living person that can be used to identify them, either on its own or in combination with other information. This includes name, email address, telephone number, date of birth, membership of a group or organisation, dietary and access requirements, photographs, and social media accounts.

‘Special Category Personal Data’ The UK GDPR singles out some types of personal data as likely to be more sensitive, and gives them extra protection:

  • personal data revealing racial or ethnic origin;
  • personal data revealing political opinions;
  • personal data revealing religious or philosophical beliefs;
  • personal data revealing trade union membership;
  • genetic data;
  • biometric data (where used for identification purposes);
  • data concerning health;
  • data concerning a person’s sex life; and
  • data concerning a person’s sexual orientation.

In this guidance we refer to this as ‘special category data’.

Introduction

As Student Group leaders, you all do invaluable work so that your groups can run top-class events, provide opportunities and connect students who share common interests. You need to use personal data to do this. It makes your Group more accessible, enjoyable, and efficient for your members and you. This guide aims to support you in doing this well.

In most instances, Group leaders already ensure their Group uses personal data in ways that comply with legal responsibilities. You take care of other people's personal data, and you know that they have data rights. The main message we have for you is that this is important and to keep doing it. This guide is to help you do that better and to save you work by providing advice and resources. Using them reduces the risk of being the subject of a complaint to the Information Commissioner's Office or a fine for misuse of personal data.

Durham Students' Union is the legally responsible "data controller" when Student Groups use personal data. This is part of being a registered student group – your group cannot independently be the “data controller” for the data you process. This means Durham SU holds the risk for your Group's data use and that we do a lot of the 'admin' to ensure that it's legal. This includes registering with the ICO, providing a Data Protection Officer, having a data protection policy and privacy notices that cover your activities, keeping a formal record of processing activities, and reporting and recording any breaches. To do this, we need to know some details about how and what personal data you process.

Purpose of this guidance

There is good evidence that nearly all Student Groups treat personal data with respect and process it safely. The purposes of this guidance are therefore to:

  • Document the most common ways that Student Groups use personal data according to our Data Protection Policy. This helps Durham SU uphold the accountability principle of the UK GDPR on your behalf.
  • Explain the criteria for how and when Student Groups can use personal data without oversight from SU staff (the majority of Group processing).
  • Explain when and how Student Group leaders and staff will work together when data processing activities are higher risk or complex, or if an incident has occurred.

Remember - falling into more complex or risky categories of personal data use is not necessarily a reflection on the care or practices of the Group. Often it will arise from the nature of your Group, its work or its members, not any fault of the Group's leaders.

The bad stuff

Data protection laws exist to protect the rights of individuals. When people's personal information is shared or used in ways they are not expecting it can cause significant harm and distress. There are penalties for breaking data protection law, especially if this harms people's rights. The Information Commissioner's Office can levy fines of up to 4% of an organisation's annual turnover.

The example below provides a relatable instance where a charity received a fine.

Charity HIV Scotland fined £10,000 by the ICO.

The charity sent an email to 105 people, including patient advocates representing people living in Scotland with HIV. All the email addresses were visible to every recipient (they were placed in the ordinary recipient field rather than hidden with Bcc), and 65 of the addresses identified people by name.

From the personal data disclosed, an assumption could be made about individuals’ HIV status or risk.

An ICO investigation of the February 2020 incident found shortcomings in the charity’s email procedures.
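The failure in the HIV Scotland case is simple to reproduce and simple to prevent before a message leaves your mailbox. The following is an added example written for this guidance (not code from the ICO, HIV Scotland or Durham SU), using only Python's standard library. It builds the same bulk message both ways, listing recipients in To versus hiding them in Bcc, and checks which addresses every recipient would be able to see. The addresses are constructed sample data.

```python
"""Added example: check a bulk email for recipient disclosure before sending.

Illustrative code added to this guidance; the addresses below are constructed
sample data, not real recipients.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed recipient list. Local parts that contain a name are exactly what
# made the HIV Scotland disclosure harmful: the address itself identifies someone.
RECIPIENTS = [
    "alice.example@example.org",
    "b.example@example.org",
    "c.example@example.org",
]
SENDER = "newsletter@example.org"


def build_bulk_message(recipients, hidden=True):
    """Build a bulk email. hidden=True puts the list in Bcc; hidden=False puts
    it in To, reproducing the mistake described above."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["Subject"] = "Group newsletter"
    msg.set_content("Hello everyone, here is this month's update.")
    if hidden:
        # Sender (or a shared group alias) in To so the header is not empty;
        # every real recipient goes in Bcc.
        msg["To"] = SENDER
        msg["Bcc"] = ", ".join(recipients)
    else:
        msg["To"] = ", ".join(recipients)
    return msg


def exposed_recipients(msg):
    """Addresses every recipient would see: everything in To/Cc (and their
    Resent- variants). Bcc is excluded because smtplib's send_message() removes
    the Bcc header before transmission and uses it only for the envelope."""
    visible = []
    for header in ("To", "Cc", "Resent-To", "Resent-Cc"):
        visible.extend(msg.get_all(header, []))
    return [addr for _, addr in getaddresses(visible)]


def safe_to_send(msg):
    """Safe for bulk sending if the only visible address is the sender's own,
    i.e. no recipient can learn who else received the message."""
    sender = {addr for _, addr in getaddresses(msg.get_all("From", []))}
    return set(exposed_recipients(msg)) <= sender


def envelope_recipients(msg):
    """All addresses the mail server should deliver to, Bcc included."""
    headers = []
    for header in ("To", "Cc", "Bcc"):
        headers.extend(msg.get_all(header, []))
    return [addr for _, addr in getaddresses(headers)]


if __name__ == "__main__":
    bad = build_bulk_message(RECIPIENTS, hidden=False)
    good = build_bulk_message(RECIPIENTS, hidden=True)
    print("To-field message exposes:", exposed_recipients(bad))
    print("Bcc message exposes:      ", exposed_recipients(good))
    print("safe to send?", safe_to_send(bad), safe_to_send(good))
    # To actually send: smtplib.SMTP(host).send_message(good) delivers to
    # envelope_recipients(good) and strips the Bcc header on the way out.
```

Run the check as the last step of any script or procedure that sends to more than a handful of people; if exposed_recipients() returns anything other than your own address, stop. A mailing platform that addresses each recipient individually (as the SU website does) removes the problem entirely, which is why the guidance prefers it.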

Durham SU must demonstrate that we are responsible and accountable for the personal data we use, both as staff and student volunteers, in our roles. For staff, this is part of their employment contract. For Student Group leaders, it is part of the Student Group agreement.

We have to ensure that people don't continue to process personal data in the name of Durham SU if they can't or won't do so safely. Usually, this means helping them to do better. However, if this is not achievable, it will be enforced. For Student Group leaders, this happens through Student Group disciplinary processes and the powers in the Student Group agreement to suspend members, groups or access to data or services (room booking, Freshers' Fair, website access etc.). For staff, this happens through performance management or disciplinary processes.

Managing your group's data protection

Training

All Presidents and Secretaries must have completed Durham University Data Protection training. You will find this on Oracle, and a screenshot of the passed assessment mark is needed for your Group to be permitted to attend the Freshers' Fair and access your membership data on the Durham SU website.

You should also make use of the tools and guides available to support you in the Student Group Resources section of our website: https://www.durhamsu.com/student-group-resources/gdpr

Collecting and storing data

The Durham SU website is the most secure and straightforward way for your Student Group to manage personal data, as it already aligns with our data protection policy. The website can send member communications, run elections and create and ticket events. If you decide that your Group needs to collect and process data in other ways, you must follow the approach below.

Only collect what you need.

Don't have a good reason to ask your event attendees which college they're from? Never contact your members by phone? Then you don’t need to collect these pieces of personal data, and shouldn’t do so.

There are particular types of personal data given extra protection under the law. These are called special categories of data, and the main types that Student Groups might collect are:

  • Racial or ethnic origin
  • Religious or philosophical beliefs
  • Trade union membership
  • Data concerning health
  • Data concerning a person's sex life
  • Data concerning a person's sexual orientation

It's ok to collect and use this data if you need it, but how you do so needs to have been assessed for potential harm to the people the data belongs to. For this reason, we ask that you only process these types of data in the ways which have already been assessed by Durham SU in our processing record, indicated below.

You must give people clear information about how you treat their data when you collect it.

This information must include how you use their data, if you share it with other organisations or platforms, how long you keep it and where individuals can go for more information. You can link to Durham SU's privacy notice as long as you process data in line with it. However, you must still provide a short notice at the point of collection. An example notice is below.

"We take care of your personal data. We will only use your personal data to contact you about joining our Group, including sharing events and opportunities, and after a year we'll delete your data. We'll store it securely in Mailchimp and won't share it with any other third parties. As part of Durham SU we follow their data policies and practices, which you can find out more about here."

LIMIT DATA PROCESSING TO ASSESSED ACTIVITIES

Below are the most common ways we currently (2022) understand Student Groups will process personal data, and the protections you should use in each instance. Only processing personal data in these ways is the best way of reducing data protection risk.

You must follow the security measures indicated for each activity.

Expressions of interest
  Purpose: collect expressions of interest in group membership
  Stored/processed on: Durham University owned Microsoft Forms platform
  Data: name and email, non-special category lifestyle information
  Security: good device and password security, limiting access, not downloading data onto personal devices

Expressions of interest
  Purpose: collect expressions of interest in group membership
  Stored/processed on: non-Durham SU / Durham University platforms
  Data: name and email, non-special category lifestyle information
  Security: ensuring the platform's processing is GDPR compliant, not sharing passwords, providing privacy notices and opt-out options, limiting access, not downloading data onto personal devices, deleting data after one year

Membership lists
  Purpose: communicate with members and provide membership services
  Stored/processed on: non-Durham SU platforms
  Data: name, email, non-special category lifestyle information
  Security: good device and password security, not screenshotting or copying data for any reason

Membership lists
  Purpose: communicate with members and provide membership services
  Stored/processed on: non-Durham SU platforms
  Data: name, email, non-special category lifestyle information
  Security: ensuring the platform's processing is GDPR compliant, not sharing passwords, providing privacy notices and opt-out options, limiting access, not downloading data onto personal devices, deleting data after one year

Attendance lists
  Purpose: manage event attendance
  Stored/processed on: Durham SU website
  Data: name and email
  Security: suitable device and password security, not screenshotting or copying data for any reason

Attendance lists
  Purpose: manage event attendance
  Stored/processed on: non-Durham SU platforms
  Data: name and email
  Security: ensuring the platform's processing is GDPR compliant, not sharing passwords, providing clear and accurate privacy notices, limiting access, not downloading data onto personal devices, deleting data after one year

Photos and videos
  Purpose: images and videos promoting group activity
  Stored/processed on: social media platforms
  Data: images of people, special categories of personal data
  Security: providing clear and accurate privacy notices, ensuring photos are deleted after three years

We know some groups need to use other personal data or do other processing activities. To facilitate this we are currently working on assessing the below activities.

We understand these activities less well and they are higher risk, but we still expect to be able to bring them within our risk tolerance so that groups can do them independently. If your Group wants to do these kinds of processing, you need to let us know during re-registration or before you start processing the data, and get individual approval from our Data Protection Officer.

Research surveys
  Purpose: research student experiences and needs
  Stored/processed on: Durham University SharePoint, Microsoft Forms, Google Forms, SurveyMonkey, ?
  Data: name and email, non-special category lifestyle information

Trip manifests
  Purpose: have medical information on hand if needed during a trip
  Stored/processed on: ?
  Data: health information

Membership lists
  Purpose: communicate with members and provide membership services
  Stored/processed on: Durham SU website
  Data: name, email, non-special category lifestyle information

Expressions of interest (special category data)
  Purpose: collect expressions of interest in group membership
  Stored/processed on: Durham University platform
  Data: name, email, special category data

Membership lists (special category data)
  Purpose: communicate with members and provide membership services
  Stored/processed on: SU platform
  Data: name, email, special category data

Event and membership lists
  Purpose: enable trusted partners to deliver membership services
  Stored/processed on: ?
  Data: name, group membership, email

Deleting data

You must tell people how long you will hold their data, hold it for that long, and then delete it. You should hold it for as long as you need to fulfil the purpose for which it was collected, and no longer.

We recommend that one year is an appropriate retention period for most student data (e.g. expressions of interest and membership). However, in many instances (one off events, surveys or training) you will need to delete it sooner i.e. once the activity is complete.

Having a process.

The most important part of this is that you have a process for deleting data every year and you write it down in handover documents that you pass on when you finish in your role. Otherwise, you’ll do great work sorting out how and when to delete old data – which could go to waste if nobody does it again for ten years.

Reporting breaches

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data: sending it to the wrong people, or someone seeing it who shouldn't, also counts.

A data security breach can happen for several reasons:

  • Loss or theft of data or equipment
  • Inappropriate access controls allowing unauthorised use
  • Equipment failure
  • Human error
  • Unforeseen circumstances such as fire or flood
  • Hacking attack
  • Deception of the organisation through ‘blagging’ offences

Detecting data breaches

Detecting a data breach, or the potential of a data breach, can happen in a variety of ways:

  • You or one of your group members recognise a breach has occurred (e.g. accidentally sharing a spreadsheet with personal information)
  • You receive a complaint
  • It's likely a breach has occurred because of some other incident (e.g. loss of a laptop holding personal data, or notification that a platform you use has been hacked)

Reporting a breach

Where any employee, volunteer, supplier or contractor of Durham SU discovers a data breach they must report this to the Data Protection Officer within 24 hours. You can do this by emailing su.admin@durham.ac.uk, or by contacting any other staff member. Where there is a risk to the rights and freedoms of individuals, such as discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage, the Information Commissioner's Office must be notified within 72 hours of Durham SU becoming aware of the breach. That 72-hour clock is why prompt internal reporting matters.

CONTRIBUTING TO THE ANNUAL STUDENT GROUP DATA PROCESSING AUDIT

Based on any breach and incident records and your responses to the Student Group re-registration questionnaire, Durham SU does an annual Student Group data protection audit. We need your help to do this by completing it honestly and accurately and contacting us if you are unsure about anything.

If your Group doesn't complete the questionnaire, then Durham SU does not have oversight of the processing activity. This will affect how we regard your data processing risk and may lead to you not being permitted to process or gather data (i.e. not having access to our website memberships, Freshers' Fair or our finance facilities).

UNDERSTANDING YOUR GROUP'S DATA PROCESSING RISK

The yearly audit will give us the information to place all Student Groups in Green, Amber or Red risk categories for personal data processing. For all Green and Amber Groups, this won’t impact what you're able to do.

For Groups in the Red category, particularly those who are there due to an incident or breach, you will need to collaborate with staff to create a Data Protection Plan for your Group to address any issues. If your Group doesn't do this, you may not be permitted to process or gather data (i.e. not having access to our website memberships, Freshers' Fair or our finance facilities).

Indicative criteria for each category are:

Red

  • Non-completion of compulsory training
  • Non-adherence or expression of intent not to adhere to processing requirements
  • Breach within the last three years without satisfactory progress made
  • Unusual governance issues such as joint data controllers or data sharing agreements with third party organisations 
  • Processing of special categories of data other than promotional images, medical information for trip manifests or membership/enquiry information for specific groups
  • Sharing personal data with a third party for marketing, fundraising or campaigning purposes
  • Sharing sensitive personal data with a third-party post collection
  

Amber

  • Processes special categories of data when collecting medical information for trip manifests 
  • Processes special categories of data because membership or enquiry about membership of their Group implies special category of data 
  • Shares personal data with a third party post collection (e.g. uploading a spreadsheet of emails to a mailing or event platform)
  • Processes more than 1,000 individual records
  • Reasonable non-completion of training (e.g. timing of group creation, small exec with some training completed, exceptional circumstances)
  • Reasonable non-adherence to processing requirements (capacity and ability barriers)
  • A minor breach in the last three years but agreement that satisfactory progress has been made 
  • No unusual governance issues 

Green

  • Fewer than 1,000 individual records
  • No sharing with the third-party organisation except for processing platforms which collect the data directly from the individual or images/photos via publishing platforms, where correct processes are followed  
  • The only special category data processing is photos/videos of individuals where correct processes are followed 
  • Completed training 
  • Adhere to SU processing requirements 
  • No breach in last three years 
  • No unusual governance issues, such as joint data controllers or data sharing agreements with third party organisations 

More information

You can find more information, including Durham SU’s Data Protection Policy, and privacy notices on our Privacy page https://www.durhamsu.com/privacy-policy.

Specific resources for Student Groups can be found here: https://www.durhamsu.com/student-group-resources/gdpr

The Information Commissioner’s Office provides excellent resources, including checklists and quick quizzes to help you understand your responsibilities: https://ico.org.uk

If you would like advice from SU staff on managing your Group's data use you can contact the Opportunities team on dsu.engagement@durham.ac.uk.

To report a suspected breach or to submit a data subject request contact su.admin@durham.ac.uk.