General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) came into effect on 25 May 2018. It affects how personal data is collected and used by organisations, including the University, the Students’ Union and our student groups. Penalties for non-compliance have increased for data controllers and, more notably, now also apply directly to data processors. The SU has changed the way it operates to comply with the GDPR and will continue to improve its data protection management as an ongoing project; all student groups must be ready to do the same. All groups are covered by and must comply with our data protection policy, and must use our data protection notices so that members know how their data is used. You can find these here.
It’s your responsibility to limit the personal data you collect to what is necessary, and to be proactive in finding out more about your responsibilities. Where possible, instead of collecting personal data yourselves, use the information you are given access to through the sale of memberships and tickets on DurhamSU.com. Directing people to a Facebook Group is an easy alternative to collecting email addresses and other data. If you do collect personal data, please read and follow the guidance below.
We have several resources to help groups understand and manage data protection, and we run a training session on data protection whenever we put on groups training, and on request if you believe your group has a high need (email firstname.lastname@example.org).
DUO data protection training: from re-registration 18/19, all groups will be required to have at least one member of their exec who has completed this.
What is Personal Data?
Personal data includes any information that relates to an “identified or identifiable” person. Within student groups, examples include the names, email addresses, student numbers and phone numbers of members and non-members that you collect or are given access to via durhamsu.com, plus any data you collect that is specific to your group’s activities.
What do you need to do differently?
We strongly recommend that you use the Durham SU website to manage all your membership data and communications wherever possible. Self-managed mailing lists have no mechanism to remove people when they are no longer a member of your group, at which point you are legally no longer entitled to process their data unless you have explicitly collected and recorded their consent to do so, and many platforms lack the notification and access mechanisms that GDPR requires so that individuals can exercise their privacy rights. Using the DurhamSU.com mailing tool will help ensure that you and your group are not at risk of breaking the law and are protecting your members’ rights. We understand that this may be an imperfect long-term solution. We will be working with our groups to help you understand data protection, but also to understand your core needs and challenges around using data, so that together we can find ways for you to contact people who have expressed interest in joining and to send communications quickly and easily. If you think anything you do may be high risk, or are worried about data you hold, please contact the SU team to discuss your group’s situation.
If you need to hold the data of your exec team (for example names and mobile numbers) and can’t use a Facebook group for this, we recommend using an online form (for example Google Forms) to collect the personal information. A form keeps each person’s submission hidden from other people submitting data, lets you insert a message about how the data will be used, and timestamps each submission, creating an audit trail in case complaints are made.
Once you have collected the information, it must only be used for the purposes for which it was collected, and you must have been explicit, at the point of collection, about how you would use it. You must also promptly respond to requests for data to be removed from your records or for individuals to unsubscribe from mailing lists. Include unsubscribe instructions in all email communications (the DurhamSU.com email tool does this for you automatically). You must also have a plan for how long you will hold the data, and communicate it.
The Students’ Union, your group or individuals using data may be fined by the Information Commissioner for the misuse of data. This includes making data available, intentionally or accidentally, to third parties, including sponsors, other organisations and anyone who is not a committee member. You should therefore never give sponsors any personal data from your records or sell personal data to another organisation; doing so may be treated as a disciplinary offence.
When emailing a group of people, always put the recipients in the BCC field. Recipients then cannot see each other’s email addresses, which prevents anyone from capturing and misusing them (putting everyone in To or CC discloses every member’s address to every other recipient, which is itself a disclosure to third parties). We strongly recommend using the email function on the Durham SU website to contact individuals, as it BCCs all recipients for you automatically.
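The following is an added example, not code from Durham SU or its website, showing the difference between the two ways of sending a group email described above. It assumes a list of member addresses (the addresses and the sender below are constructed sample data, not real accounts) and a hypothetical unsubscribe mailbox. It builds the “everyone in To” message and the BCC-style message side by side, and includes a check that none of the member addresses appear anywhere in the bytes that would actually go out on the wire. Note the trap it guards against: Python’s smtplib.send_message() strips a Bcc header before sending, but the lower-level sendmail() and many other tools do not, so the safe approach never sets a Bcc header at all and puts member addresses only on the SMTP envelope.

```python
"""Send one message to many members without exposing their addresses.

Added example (not Durham SU code). MEMBERS, the sender and the unsubscribe
mailbox are constructed sample data. Nothing is transmitted: send() is a
dry run unless dry_run=False is passed.
"""
from email.message import EmailMessage
from email.utils import formatdate, make_msgid
import smtplib

MEMBERS = [  # constructed sample data, not real accounts
    "alice@example.org",
    "bob@example.org",
    "carol@example.org",
]


def build_naive_message(sender, members, subject, body):
    """What groups often do: every member in To:, so every recipient sees every address."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(members)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_bcc_message(sender, members, subject, body, unsubscribe):
    """Headers name only the sender; members travel on the SMTP envelope, not in headers.

    Returns (envelope_recipients, message). Deliberately sets no Bcc: header,
    because smtplib.sendmail() and many other tools would transmit it verbatim.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # the visible To: is the group's own address
    msg["Subject"] = subject
    msg["Date"] = formatdate(localtime=True)
    msg["Message-ID"] = make_msgid(domain="example.org")  # constructed domain
    msg["List-Unsubscribe"] = f"<mailto:{unsubscribe}>"
    msg.set_content(body + f"\n\nTo unsubscribe, email {unsubscribe}.")
    return list(members), msg


def leaked_addresses(msg, members):
    """Return the member addresses that appear anywhere in the serialised message."""
    wire = msg.as_bytes().decode("utf-8", "replace").lower()
    return [m for m in members if m.lower() in wire]


def send(sender, envelope_rcpts, msg, host="localhost", port=25, dry_run=True):
    """Deliver with member addresses on the envelope only (RCPT TO), never in headers."""
    if leaked_addresses(msg, envelope_rcpts):
        raise ValueError("refusing to send: recipient addresses present in message headers/body")
    if not dry_run:
        with smtplib.SMTP(host, port) as smtp:
            smtp.sendmail(sender, envelope_rcpts, msg.as_bytes())
    return envelope_rcpts


if __name__ == "__main__":
    sender = "group@example.org"
    naive = build_naive_message(sender, MEMBERS, "Social on Friday", "Hi all")
    print("naive message exposes:", leaked_addresses(naive, MEMBERS))
    rcpts, safe = build_bcc_message(
        sender, MEMBERS, "Social on Friday", "Hi all", "group-unsubscribe@example.org"
    )
    print("bcc-style message exposes:", leaked_addresses(safe, MEMBERS))
    print("envelope recipients (dry run):", send(sender, rcpts, safe))
```

The refusal in send() is the check worth copying into any script a group writes: verify that the addresses you are delivering to do not appear in what every recipient will receive. The List-Unsubscribe header and the unsubscribe line in the body are there because the guidance above requires unsubscribe instructions in every communication.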
Storing data securely is another important part of proper data use. Keep data on devices protected by suitable passwords and do not store it on a shared device. When transferring data on USB sticks or other devices, keep them secure and do not leave them behind in a shared computer or a public place. Avoid holding personal data in spreadsheets or documents as far as possible; if you must, password-protect the document and never send the password in the same email as the document, so that if you accidentally send the document to the wrong person it remains protected.
How could this affect you?
As a committee member, you are a data controller and therefore responsible for handling personal data appropriately in line with GDPR. Failure to follow this guidance may result in disciplinary action from the Students’ Union and/or the University, as well as potential fines from the Information Commissioner’s Office.