Reading University Students' Union Privacy Policy
Date privacy policy completed/updated: 18
March 2022
This Privacy Policy explains the types of personal data we may collect
about you when you interact with us. It also explains how we’ll
store and handle that data, and keep it safe.
We also employ staff, look after volunteers, work with suppliers and
have customers visit our shops and services, so the information in
this policy is for them too. This policy applies to applicants,
volunteers, suppliers, customers and website visitors. We have a
separate staff privacy policy.
Section 1: Our contact details
Reading University Students' Union (RUSU) is the data controller,
referred to as "we", "us" or "our" in this
privacy notice.
Reading University Students' Union is a registered charity (No.
1158523).
If you need to contact us to discuss any aspect of data protection,
please email us using: enquries@rusu.co.uk or write to us at:
Reading University Student's Union
Pepper Lane
Reading
RG6 6EH
Section 2: The type of personal information we collect
We currently collect and process the following information:
-
Identification information - name, student
identity number, date of birth, gender, nationality, photograph,
biometrics;
-
Contact details – address, telephone and
email address;
-
Course Information – course, start date,
expected completion date, and mode of study
-
Financial information – such as payment
card details and bank account details;
-
Equality and Diversity – You may choose
to share information about your health, ethnicity, sexuality or
beliefs with us for equality and diversity purposes. This
information will be treated as highly confidential;
-
Health – we may need this information if
you are taking part in an activity or event which requires us to
seek information about any medical conditions or injuries.
-
Online and technical information –
information about how you use our website, products and services,
login data and technical information which may include your login
data, information about your internet connection and browser, as
well as the country and telephone code where your computer is
located, the web pages viewed during your visit, the advertisements
you clicked on, and any search terms you entered.
-
Social Media – your username (if
you interact with us through those channels, to help us respond to
your comments, questions or feedback.)
-
Application data – CVs, application
forms, visa and passport information
Section 3: How we get the personal information
We will collect and process the following data about you:
-
Information you give us: this is information
about you that you give us directly. You may do this by filling in
forms or by corresponding with us by phone, email or otherwise.
Information may be provided by you when you become a member of a
club or society in the Students’ Union, or when you make
purchases with us either in person or online. Additionally,
information you enter onto our systems and devices will be stored
and processed by us. This will include any emails or other
electronic messages and any documents, photos, videos or other files
stored on or processed through our systems or devices. Please be
aware that by entering information onto these systems you are
sharing that information with us.
-
Information we collect throughout our relationship. We will collect information throughout your relationship with us,
for example if you join a student group or sign up to one of our
events.
-
Information we collect indirectly. We may also
receive information about you from third parties e.g. the University
and event partners when you have consented to them sharing your
information with us.
Section 4: Why we collect your data
Where we process your data we will only do so where there is a legal
basis. Under the General Data Protection Regulation (GDPR), the lawful
bases we rely on for processing this information are:
· Consent: In
specific situations, we can collect and process your data with your
consent. For example, when you tick a box to receive email marketing,
engage with our platforms, and when you agree to cookies.
· Contractual obligations: In certain circumstances, we need your personal data to comply
with our contractual obligations. For example, if you have asked us to
provide a service, or you have purchased goods, and we need to
process your data to fulfil our obligations.
· Legal Compliance: If the law requires us to, we may need to collect and process your
data.
· Legitimate interest: In some situations, we may require your data to pursue our
legitimate interests in a way which might reasonably be expected
as part of running a Students’ Union. For example, to send you
emails or to use a third-party provider to maintain the security
of our website and to ensure it loads at an appropriate speed.
· Special category data: more sensitive personal information that requires higher levels
of protection.
We need to have further justification for collecting, storing, and
using this type of personal information. We may process special
categories of personal information in the following circumstances:
-
in limited circumstances, with your explicit written consent.
-
where we need to carry out our legal obligations and in line with
our data protection policy.
-
where it is needed in the public interest, such as for equal
opportunities monitoring, and in line with our data protection
policy.
-
where it is needed to assess your working capacity on health
grounds, subject to appropriate confidentiality safeguards.
-
where it is necessary for establishing, exercising, or defending
legal claims.
Less commonly, we may process this type of information where it is to
protect your interests (or someone else's interests) and you are
not capable of giving your consent, or where you have already made the
information public. For example, if you became seriously unwell or had
an accident at a venue, we may need to provide a hospital with medical
information we are aware of.
We will use your particularly sensitive information in the following
ways:
-
we will use information about your race or national or ethnic
origin, religious, philosophical, or moral beliefs, or your sexual
life or sexual orientation, to ensure meaningful equal opportunity
monitoring and reporting.
-
we may obtain your biometric data as part of our venue management
process to uphold our licencing objectives around prevention of
crime and disorder and protection of children from harm.
-
we may use all special categories of data to defend legal claims.
We may inform you of additional purposes for processing your
information when that information is collected from you. We do not
sell or share personal details to third parties for the purposes of
marketing.
Section 5: How we store your data and who has access
We take your safety and security very seriously and we are committed
to protecting your personal and financial information. All information
kept by us is stored on secure servers.
Personal data collected and processed by us may be shared with
Students’ Union employees and volunteers. Students’ Union
staff and volunteers will only have permissions to access the
information required for them to perform their role. Everyone who
handles personal data, whether a RUSU staff member or volunteer, is
mandated to do so in line with UK Law. All staff handling data are
required to undertake general data protection training and guidance is
provided for all volunteers.
Once we have received your information, we will use strict procedures
and security features to try to prevent unauthorised access. Personal
data is password protected and/or secured in dedicated systems to hold
the data with access being restricted to only those individuals within
RUSU who need access. Paper copies containing person data will be kept
securely and shredded/destroyed at the end of the appropriate
retention period OR scanned in and
immediately shredded/destroyed.
There may be instances where we share data with the University of
Reading. For example:
· Contact information
and role title for relevant student representatives (including full
time elected officers and part-time officers). This is on the basis of
legitimate interest to ensure that representatives are able to perform
representative functions that require meeting with University of
Reading staff.
· Where we need to
safeguard your interests. We will only ever do this where you have
been notified.
We do not sell or share your personal information for other
organisations to use.
We may need to disclose your details if required to the police,
regulatory bodies or legal advisors. For example, we are collecting
data from our venues via Scannet devices on entry and in limited
circumstances, data may be shared with the police.
We will only ever share your data in other circumstances if we have
your explicit and informed consent. Where information is shared
with third parties, we will only share the information required for
the purpose it is being shared.
We do use third party suppliers in certain circumstances, such as
Eventbrite for ticket sales.
Section 6: Data retention
Whenever we collect or process your personal data, we’ll only
keep it for as long as is necessary for the purpose for which it was
collected. The retention periods vary depending on the type of data in
question.
At the end of that retention period, your data will either be deleted
completely or anonymised, for example by aggregation with other data
so that it can be used in a non-identifiable way for statistical
analysis and business planning.
Some examples of data retention periods:
-
Your core membership data is retained for 3 years after the summer
in which you leave the University.
-
Personal data relating to financial and business transactions with
the Union is maintained for 6 years;
-
Personal data relating to services provided by the Student Advice
Centre are maintained for 6 years;
- Personal data relating to elections is maintained for 1 year.
- Our register of members is retained for 10 years.
- Health and safety records are retained for 3 years.
- Scannet data is retained for 30 days.
-
We will retain your contact details for marketing purposes for the
duration of you being a student, and we will retain alumni data for
as long as you are an active alumni member.
In all other cases, we will retain your information for 1 year to
establish, exercise or defend legal claims.
Information stored generally on IT systems, such as email history,
will be deleted regularly in line with our policies.
Section 7: Your data protection rights
Under data protection law, you have a number of rights, including:
-
Your right of access - You have the right to
ask us for copies of your personal information.
-
Your right to rectification - You have the
right to ask us to rectify personal information you think is
inaccurate. You also have the right to ask us to complete
information you think is incomplete.
-
Your right to erasure - You have the right to
ask us to erase your personal information in certain
circumstances.
-
Your right to restriction of processing - You
have the right to ask us to restrict the processing of your personal
information in certain circumstances.
-
Your right to object to processing - You have
the the right to object to the processing of your personal
information in certain circumstances.
-
Your right to data portability - You have the
right to ask that we transfer the personal information you gave us
to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If
you make a request, we have one month to respond to you.
Should you have any issues, concerns or problems in relation to your
data, or wish to notify us of data which is inaccurate, please let us
know by contacting us using the contact details at the beginning of
this document.
To protect the confidentiality of your information, we will ask you to
verify your identity before proceeding with any request you make under
this Privacy Policy.
Section 8: If you have any questions of wish to make a complaint
We hope this Privacy Policy has been helpful in setting out the way we
handle your personal data and your rights to control it.
If you have any questions that haven’t been covered, please
contact us at enquiries@rusu.co.uk or write to us at Reading
University Student's Union, Pepper Lane, Reading, RG6 6EH.
In the event that you are not satisfied with our processing of your
personal data, you can also complain to the ICO.
The ICO’s
address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
Section 9: Changes to this Policy
We may change this Privacy Policy from time to time. If we make
any significant changes in the way we treat your personal information
we will make this clear on our website or by contacting you directly.
If you have any questions, comments or suggestions, please let us know
by contacting enquiries@rusu.co.uk