Privacy Policy

Reading University Students' Union Privacy Policy

Date privacy policy completed/updated: 18 March 2022

This Privacy Policy explains the types of personal data we may collect about you when you interact with us. It also explains how we’ll store and handle that data, and keep it safe.

We also employ staff, look after volunteers, work with suppliers and have customers visit our shops and services, so the information in this policy is for them too. This policy applies to applicants, volunteers, suppliers, customers and website visitors. We have a separate staff privacy policy. 

Section 1: Our contact details

Reading University Students' Union (RUSU) is the data controller, referred to as "we", "us" or "our" in this privacy notice. 

Reading University Students' Union is a registered charity (No. 1158523).

If you need to contact us to discuss any aspect of data protection, please email us using: enquries@rusu.co.uk or write to us at: 

Reading University Student's Union
Pepper Lane
Reading
RG6 6EH

Section 2: The type of personal information we collect 

We currently collect and process the following information: 
  • Identification information - name, student identity number, date of birth, gender, nationality, photograph, biometrics;
  • Contact details – address, telephone and email address; 
  • Course Information – course, start date, expected completion date, and mode of study
  • Financial information – such as payment card details and bank account details;
  • Equality and Diversity – You may choose to share information about your health, ethnicity, sexuality or beliefs with us for equality and diversity purposes. This information will be treated as highly confidential; 
  • Health – we may need this information if you are taking part in an activity or event which requires us to seek information about any medical conditions or injuries. 
  • Online and technical information – information about how you use our website, products and services, login data and technical information which may include your login data, information about your internet connection and browser, as well as the country and telephone code where your computer is located, the web pages viewed during your visit, the advertisements you clicked on, and any search terms you entered.
  • Social Media – your username (if you interact with us through those channels, to help us respond to your comments, questions or feedback.)
  • Application data – CVs, application forms, visa and passport information 

Section 3: How we get the personal information 

We will collect and process the following data about you: 

  • Information you give us: this is information about you that you give us directly. You may do this by filling in forms or by corresponding with us by phone, email or otherwise. Information may be provided by you when you become a member of a club or society in the Students’ Union, or when you make purchases with us either in person or online. Additionally, information you enter onto our systems and devices will be stored and processed by us. This will include any emails or other electronic messages and any documents, photos, videos or other files stored on or processed through our systems or devices. Please be aware that by entering information onto these systems you are sharing that information with us. 
     
  • Information we collect throughout our relationship. We will collect information throughout your relationship with us, for example if you join a student group or sign up to one of our events. 
     
  • Information we collect indirectly. We may also receive information about you from third parties e.g. the University and event partners when you have consented to them sharing your information with us. 

Section 4: Why we collect your data

Where we process your data we will only do so where there is a legal basis. Under the General Data Protection Regulation (GDPR), the lawful bases we rely on for processing this information are:

·       Consent: In specific situations, we can collect and process your data with your consent. For example, when you tick a box to receive email marketing, engage with our platforms, and when you agree to cookies. 

·       Contractual obligations: In certain circumstances, we need your personal data to comply with our contractual obligations. For example, if you have asked us to provide a service, or you have purchased goods, and we need to process your data to fulfil our obligations.

·       Legal Compliance: If the law requires us to, we may need to collect and process your data. 

·       Legitimate interest: In some situations, we may require your data to pursue our legitimate interests in a way which might reasonably be expected as part of running a Students’ Union. For example, to send you emails or to use a third-party provider to maintain the security of our website and to ensure it loads at an appropriate speed. 

·       Special category data: more sensitive personal information that requires higher levels of protection.

We need to have further justification for collecting, storing, and using this type of personal information. We may process special categories of personal information in the following circumstances:

  1. in limited circumstances, with your explicit written consent. 
  2. where we need to carry out our legal obligations and in line with our data protection policy.
  3. where it is needed in the public interest, such as for equal opportunities monitoring, and in line with our data protection policy.
  4. where it is needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards. 
  5. where it is necessary for establishing, exercising, or defending legal claims.

Less commonly, we may process this type of information where it is to protect your interests (or someone else's interests) and you are not capable of giving your consent, or where you have already made the information public. For example, if you became seriously unwell or had an accident at a venue, we may need to provide a hospital with medical information we are aware of. 

We will use your particularly sensitive information in the following ways:

  1. we will use information about your race or national or ethnic origin, religious, philosophical, or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.
  2. we may obtain your biometric data as part of our venue management process to uphold our licencing objectives around prevention of crime and disorder and protection of children from harm.
  3. we may use all special categories of data to defend legal claims.

We may inform you of additional purposes for processing your information when that information is collected from you. We do not sell or share personal details to third parties for the purposes of marketing. 

Section 5: How we store your data and who has access

We take your safety and security very seriously and we are committed to protecting your personal and financial information. All information kept by us is stored on secure servers.

Personal data collected and processed by us may be shared with Students’ Union employees and volunteers. Students’ Union staff and volunteers will only have permissions to access the information required for them to perform their role. Everyone who handles personal data, whether a RUSU staff member or volunteer, is mandated to do so in line with UK Law. All staff handling data are required to undertake general data protection training and guidance is provided for all volunteers.

Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access. Personal data is password protected and/or secured in dedicated systems to hold the data with access being restricted to only those individuals within RUSU who need access. Paper copies containing person data will be kept securely and shredded/destroyed at the end of the appropriate retention period OR scanned in and immediately shredded/destroyed. 

There may be instances where we share data with the University of Reading. For example:

·       Contact information and role title for relevant student representatives (including full time elected officers and part-time officers). This is on the basis of legitimate interest to ensure that representatives are able to perform representative functions that require meeting with University of Reading staff.

·       Where we need to safeguard your interests. We will only ever do this where you have been notified.
 

We do not sell or share your personal information for other organisations to use.

We may need to disclose your details if required to the police, regulatory bodies or legal advisors. For example, we are collecting data from our venues via Scannet devices on entry and in limited circumstances, data may be shared with the police. 

We will only ever share your data in other circumstances if we have your explicit and informed consent. Where information is shared with third parties, we will only share the information required for the purpose it is being shared.

We do use third party suppliers in certain circumstances, such as Eventbrite for ticket sales.

Section 6: Data retention

Whenever we collect or process your personal data, we’ll only keep it for as long as is necessary for the purpose for which it was collected. The retention periods vary depending on the type of data in question.

At the end of that retention period, your data will either be deleted completely or anonymised, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning.

Some examples of data retention periods:

  • Your core membership data is retained for 3 years after the summer in which you leave the University.
  • Personal data relating to financial and business transactions with the Union is maintained for 6 years;
  • Personal data relating to services provided by the Student Advice Centre are maintained for 6 years;
  • Personal data relating to elections is maintained for 1 year.
  • Our register of members is retained for 10 years.
  • Health and safety records are retained for 3 years.
  • Scannet data is retained for 30 days.
  • We will retain your contact details for marketing purposes for the duration of you being a student, and we will retain alumni data for as long as you are an active alumni member.

In all other cases, we will retain your information for 1 year to establish, exercise or defend legal claims.

Information stored generally on IT systems, such as email history, will be deleted regularly in line with our policies.
 

Section 7: Your data protection rights

Under data protection law, you have a number of rights, including:

  • Your right of access - You have the right to ask us for copies of your personal information. 
     
  • Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. 
     
  • Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances. 
     
  • Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances. 
     
  • Your right to object to processing - You have the the right to object to the processing of your personal information in certain circumstances.
     
  • Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Should you have any issues, concerns or problems in relation to your data, or wish to notify us of data which is inaccurate, please let us know by contacting us using the contact details at the beginning of this document. 

To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this Privacy Policy.

Section 8: If you have any questions of wish to make a complaint 

We hope this Privacy Policy has been helpful in setting out the way we handle your personal data and your rights to control it.

If you have any questions that haven’t been covered, please contact us at enquiries@rusu.co.uk or write to us at Reading University Student's Union, Pepper Lane, Reading, RG6 6EH.

In the event that you are not satisfied with our processing of your personal data, you can also complain to the ICO.

The ICO’s address:            

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk

 

Section 9: Changes to this Policy

We may change this Privacy Policy from time to time. If we make any significant changes in the way we treat your personal information we will make this clear on our website or by contacting you directly.

If you have any questions, comments or suggestions, please let us know by contacting enquiries@rusu.co.uk