Privacy Policy: Data & Information Security Policy

Last revised: 4 May 2018

This privacy notice tells you what to expect when Bristol SU (“the Students’ Union”, “we”, “us”) collects or processes personal information. All data is held in accordance with the guidelines set out in the General Data Protection Regulation (GDPR) and the Privacy of Electronic Communication Regulation.

It applies to information we collect about:

  • Our members, officers and volunteers (students)
  • Users of our websites
  • People who use our services (including Bristol SU Lettings, Just Ask and Bristol SU Live)
  • People who give us feedback, make suggestions, complete questionnaires, polls or make complaints
  • Suppliers and agents
  • Donors and supporters
  • Job applicants and our current and former employees

What data do we hold?

What personal data do we collect?

Your personal data (any information which identifies you, or which can be identified as relating to you personally for example, name, address, phone number, email address) will be collected and used by us. We’ll only collect the personal data that we need.

You might give us your personal data by filling in forms on our website, by registering to use our website, applying for jobs with Bristol SU, booking tickets to events or registering to be updated on upcoming events. If you are a student at the University of Bristol some of your personal data is shared with us by the University of Bristol to enable us to perform our functions as your Students’ Union. More detail is provided under the heading “I’m a Bristol student, what data do you hold about me?”

We collect personal data in connection with specific activities such as administering your membership, registration or membership requests, placing an order, booking tickets to an event, performing services, volunteering, conducting research, and employment. 

This personal data you give us may include name, date of birth, age, gender, demographic information, email address, telephone numbers, attitudes, opinions, usernames and passwords, transactional information (where you are purchasing tickets or items). We will make sure that we only collect the data that we need, and will only use it for the purpose specified at the point it was collecting. Some of this information is imperative to enable us to administer your membership or provide a service (such as contact information), but there might also be instances where we need to collect sensitive data. We will only do this when necessary.

In addition where you book or purchase tickets for events, join a student group or use on of our services we may ask for the following information such as:

  • Your date of birth to ensure compliance with age-related laws
  • Your bank details to facilitate payments
  • Information relating to your health or emergency contacts if you take part in a high risk activity
  • Any disabilities so that we can provide assistance where needed

Information that we collect from you and your use of this website

  • Information you give us through filling out forms, registering or using our services
  • Automatic Information (discussed below)
  • Information collected from cookies – full details provided here.

Automatic Information

We automatically receive and save certain types of information whenever you interact with this website. We use the information to monitor website traffic and to assist with the navigation and user experience of the website.

Information that we will automatically receive includes:

  • Requested URL (Uniform Resource Locator)
  • IP (Internet Protocol) address (this may or may not identify a specific computer)
  • Domain name from which you access the internet
  • Referring URL
  • Software (browser/operating system) used to access the page
  • Date and time pages were visited

We may use and analyse the information we collect so that we can manage and improve the services on the website. Demographic and statistical information about user behaviour may be collected and used to analyse the popularity and effectiveness of the website. Any disclosure of this information will be in aggregate form and will not identify individual users.

Bristol SU also uses services from Google on this website to measure and analyse visitor information. For further information on these, please visit Google’s website.

Bristol SU will not (nor will it allow any third party to) use the statistical analytics tools to track or to collect personally identifiable information of visitors to this website. Bristol SU will not associate any data gathered with any personally identifying information from any source as part of our use of the statistical analytics tools.

What sensitive data do we collect?

We might ask you to provide demographic information such as your age, gender, ethnicity or race or whether you have a disability. We use this to enable us to monitor whether our services and organisation is meeting the needs of a diverse student body, and to ensure that we are equally accessible to all students. When analysing our membership for monitoring reasons we will not use this data to identify you as an individual, and this data is coded within our database, to ensure greater protection of this data.

We also collect demographic information, including whether you identify as LGBT+ and those already listed in the previous paragraph to ensure that you are eligible to vote in all elections that affect you. Currently the Bristol SU bylaws provide that only members belonging to the liberation group being elected may vote in it’s election, this means for example that only LGBT+ students are eligible to vote for the candidates for LGBT+ Network Chair. This is collected on the basis of self-identification, and this information will only be collected where you give consent. You can also update or remove this information at any time by updating ‘My Account’ once you have signed in to this website. And there is an option to prefer not to say.

We will not use sensitive information to identify you as an individual. But there may be some specified circumstances in which we might use this data at aggregate level to contact all members of a specified group, where this enables us to provide valuable services such as to notify you of an election you are eligible to vote in.

I’m a Bristol student, what data do you hold about me?

Alongside the instances discussed above where you might give us your data directly, where you are a current student at the University of Bristol, some data that you share with the University at registration is shared with us by the University. You will be informed of this at the point of registration or re-registering with the University of Bristol each year. We have a formal data sharing agreement in place with the University and once we have received this information we will:

  • Notify you and alert you to our privacy policy (this policy)
  • Let you know how you can update or amend the data we hold about you
  • Ask you to update your permissions to let us know what information you want to receive from us – this ensures you hear the things that are most relevant to you

Sharing data in this way enables the University to fulfil its duty to provide a Students’ Union and to meet obligations under the Education Act 1994, as well as observing the legitimate interests of students to be offered the services provided by the SU, which include representation functions. 

The University of Bristol has provided Bristol SU with the following student information:

  • Student names
  • Student University of Bristol email addresses
  • Home address
  • Gender
  • Year of study (1/2/3/4/5)
  • Level of study (UG/PGR/PGT etc)
  • Student usernames
  • Student number
  • Date of birth
  • School
  • Faculty
  • Programme Code
  • Nationality
  • County of domicile
  • Fee status
  • Photographs (for student representatives)
  • Personal email address
  • Start Date
  • End Date
  • Student User ID 

The personal data collected here enables us to carry out our responsibilities as a Students’ Union and to enables us to ensure you have the required permissions to vote for elected student representatives.

The data is transferred securely and is not held on the website. No other sensitive personal data has been transferred between Bristol SU and the University. The University has only provided current student data. Equality monitoring data is used only to look at service delivery and to ensure the University and Bristol SU are meeting the needs of those with protected characteristics under equality legislation.

Our system is run by NUS Union Cloud.

Student information is provided via secure electronic transfer. The transfer ensures that Bristol SU hold up-to-date information at that time and ensure that the details of any students who opt out of the data sharing agreement are not processed further.

Data that is shared with us by other providers

There may be some circumstances where data about you is shared with us. This will only happen where there is a data sharing agreement in place, between ourselves and the organisation sharing your data. This data might be shared with us by partner providers for fulfilling a contract, for instance NUS Extra or some jointly run events. We will ensure this data is held in line with the data sharing agreement and disposed of in line with the retention period set out in the retention policy.

How do we use your data?

Where we process your data we will only do so where there is a legal basis. This includes the following:

  • Where there is a contract – like where you have asked us to provide a service and we need to process your data to fulfil our obligations (including where you include Bristol SU Lettings or The Basket. Bristol SU Lettings have a separate Privacy Policy located here.)
  • Where you give us consent – like where you have told us you’d like us to send you direct marketing or you engage with our platforms
  • Where law requires it - We are obliged by various laws including the Education Act, Contracts Act and employment law to process certain data
  • Legitimate Interest - We carefully balance your rights when we think there is a legitimate interest in us processing data to support you, for example using a third party processor (such as google analytics) to improve your experience using our website.
     

Ordinary Functions

As outlined at the beginning of the policy, we use your data to:
  • To provide you with the services, products of information you asked for
  • To administer your membership, including membership of Bristol SU clubs, societies and networks
  • To set-up your voting permissions for Bristol SU elections
  • To contact members about formal matters such as Annual Members Meetings (AMM) that we are required by law to inform our membership about
  • Keep a record of your relationship with us, to enable us to respond to queries and requests efficiently and accurately
  • To ensure we know how you prefer to be contacted
  • Understand how we can improve our services, products or information
  • Where a student group, society or club is affiliated to a National Governing Body we may need to share some information
  • Where you are applying for employment or opportunities at Bristol SU
Alongside the uses identified above, we also use your personal data to ensure we can improve your experience using our website and services, and to ensure you get relevant communications. We may do this through building profiles or targeting communications or research.

Marketing and Communications

We’ll always act upon your choice of how you want to receive communications (for example if you want to receive our newsletter or information about offers). However, there are some communications that we need to send. These are essential to fulfil our promises to you as a member, volunteer, donor or buyer of goods or services from Bristol SU. Examples are:

  • Transaction messaging or legal documentation, such as Direct Debit schedules, receipts, shop purchase confirmations and tenancy information
  • Membership-related mailings such as notifications of elections and our Annual Members Meeting

Building profiles of members and targeting communications

Where you have given us consent we use profiling and screening techniques to ensure communications are relevant and timely, and to provide an improved experience for our members. Profiling also allows us to target our resources effectively, which members consistently tell us is a key priority for them.  We do this because it allows us to understand the background of the people who study at the University and helps us to deliver appropriate services and information to members who need it.

When building a profile we may analyse geographic, demographic and other information relating to you in order to better understand your interests and preferences in order to contact you with the most relevant communications. Your data would only ever be analysed or profiled through encrypted and protected data processes, which only ever identifies broad statistics. In doing this, we may use additional information from third party sources when it is available.

We might use cookies to do this, and we use Google Analytics to process this data. You can find out more about our cookies policy here.

Research

We carry out research with our members, customers, staff and volunteers to get feedback on their experience with us. We use this feedback to improve the experiences that we offer and ensure we know what is relevant and interesting to you. 

If you choose to take part in research, we’ll tell you when you start what data we will collect, why and how we’ll use it. All the research we conduct is optional and you can choose not to take part. For some of our research we may ask you to provide sensitive personal data (e.g. ethnicity). You don’t have to provide this data and we also provide a ‘prefer not to say’ option. We only use it at an aggregate level for reporting (e.g. equal opportunities monitoring). 

We may give some of your personal data (e.g. contact information) to a research agency who will carry out research on our behalf. They will only be supplied with information necessary for them to carry out this purpose (such as name and email address) and only on the basis of legitimate interest. Any other information you can choose to share by consenting to take part in the research. 

For most research we carry out, you will not be asked to provide any identifying information, though we may ask you to provide sensitive data to help us identify how different groups are affected by student issues. However where you are asked to enter identifying information, such as email to remain eligible for a prize draw, we will disaggregate this from the results, and dispose of this data 3 weeks after responses close and winners have been notified.

How do we keep your data safe and who has access?

How do we keep your data safe and who has access?

Personal data collected and processed by us may be shared with Students’ Union employees and volunteers. Students’ Union staff and volunteers will only have permissions to access the information required for them to perform their role. Everyone who handles personal data, whether a Bristol SU staff member or student volunteer, is mandated to do so in line with UK Law. All staff are required to undertake mandatory training as part of their induction, and guidance is provided for all student volunteers. Below more detail is provided on what data student leaders or volunteers have access to.

There may be instances where we share data with the University of Bristol. This includes:

  • Personal data and participant data in relation to sport, sports passes and users of Fit&Fab and B:Active. This is because our sports services are co-owned by the University of Bristol and Bristol SU, and thus we share this information on the basis of contract.
  • Contact information and role title for relevant student representatives (including full time elected officers, network chairs, faculty and course representatives). This is on the basis of legitimate interest to ensure that representatives are able to perform representative functions that require meeting with University of Bristol staff.
  • Where we need to safeguard your interests. We will only ever do this where you have been notified.
  • Information relating to disciplinary practice or complaints under the code of conduct, this results from all Bristol SU members being held to the University of Bristol code of conduct.

We may use third party companies as data processors to carry out certain administrative functions on behalf of the Students’ Union. If so, a written agreement will be put in place to ensure that any personal data disclosed will be held in accordance with the General Data Protection Act, will only be used for the purposes specified by Bristol SU and will have appropriate security measures in place. Any data used for these purposes is destroyed once used.

We do not sell or share your personal information for other organisations to use.

Alongside these actors there may be some circumstances where we give access to personal data to the following:

  • Contractors
  • Advisors
  • Agents (including external research agencies who may contact you to carry out research on our behalf)
  • Service provider partners (including the University of Bristol)

When we allow access to your information, we will always have complete control of what they see, what they are allowed to do with it and how long they can see it. We do not sell or share your personal information for other organisations to use.

We undertake regular reviews of who has access to information that we hold to ensure that your information is only accessible by appropriately trained staff, volunteers and contractors.

Some of our suppliers run their operations outside the European Economic Area (EEA). Although they may not be subject to the same data protection laws as companies based in the UK, we will take steps to make sure they provide an adequate level of protection in accordance with UK data protection law. By submitting your personal information to us you agree to this transfer, storing or processing at a location outside the EEA.

We may need to disclose your details if required to the police, regulatory bodies or legal advisors.

We will only ever share your data in other circumstances if we have your explicit and informed consent.

What information do student leaders or volunteers have access to?

Certain categories of students will have access to some limited personal data:

  • Course or Faculty Representatives
  • Student Group Leaders (such as sport captains or society presidents)
  • Network Chairs & Full-time officers

When you register to join a student group or network through our website or to attend one of their events, you consent to the relevant student leader (President, Club Captain or Network Chair) holding limited personal data (name, email address). This is under a legitimate interest for them to achieve their objectives of administering the membership you have requested. Whilst registering for membership of one of these groups you may be asked to provide other personal data to enable them to perform their duties. They will not collect information beyond what is needed.

Under some limited circumstances they may need to collect additional personal data, such as emergency contact or medical information to meet their requirements to perform a service you have requested, for example where you have requested membership for a group or event that involves high risk activity. This is to ensure that they can meet their obligations to comply with health and safety, and this data will not be used for any other purpose.

Bristol SU provide guidance to Student Leaders, Network Chairs, Representatives and Officers to ensure they handle your data in compliance with UK law..

How Long do we hold your data for?

We will only hold your personal data as long as is strictly necessary. Where this relates to your membership of the Students’ Union, registration with societies, our general retention policy is to hold this data for one year after the end of the academic year in which the data was collected or shared. This ensures that we can maintain an accurate record for a sufficient time period to administer your membership correctly or respond to any outstanding queries or complaints. There are some limited circumstances in which a different retention policy will be applied to enable us to comply with relevant legislation requirements, this includes:

  • 6 months for information you shared or submitted in an application for a job or opportunity at Bristol SU
  • 2 years for information shared for equipment hire through Bristol SU
  • 3 years for information shared for our transport booking service or for DBS services
  • 6 years for information held in relation to cases opened with our Just Ask Service
  • 7 years for information held in relation to any employment you have undertaken with Bristol SU
  • 6 years after the end of the tenancy for information held in relation to a tenancy or application arranged through Bristol SU Lettings (read their Privacy Policy here)
  • 6 years for any information held in relation to financial services, including purchases made through our shop. This is to ensure we can meet our obligations under the Companies Act.

How can you request your data or make changes?

Your right to know what data we hold about you, make changes or ask us to stop using your data

You have a right to ask us to stop processing your personal data, and if it’s not necessary for the purpose you provided it to us for (e.g. processing your membership or registering you for an event) we will do so. Contact chloe.maughan@bristol.ac.uk if you have any concerns.

You have a right to ask for a copy of the information we hold about you.  If there are any discrepancies in the information we provide, please let us know and we will correct them. You can already correct some of the information we hold by logging into your account on this website.

If you want to access your information, you must complete the Subject Access Request Form with a description of the information you want to see and the required proof of your identity by post to the University of Bristol Students’ Union, Richmond Building, 105 Queens Road, Bristol, BS8 1 LN. We do not accept these requests by email so we can ensure that we only provide personal data to the right person.

If you want to opt-out of all communications and data processing you will be required to surrender your membership to the Students’ Union which will limit your access to activities and services. You can do this by writing to the Chief Executive at the Students’ Union. Please be aware that without membership you will be unable to vote in Bristol SU elections.

If you have any questions please send these to chloe.maughan@bristol.ac.uk.
 

Changes to this statement

We may change this Privacy Statement from time to time.  If we make any significant changes in the way we treat your personal information we will make this clear on our Website or by contacting you directly.

If you have any questions, comments or suggestions, please let us know by contacting chloe.maughan@bristol.ac.uk