1. Purpose and context
Huddersfield Students’ Union (HSU) is committed to the protection of the personal data of students, employees, suppliers and other individuals whom we might hold information about.
The Union recognises the General Data Protection Regulations (GDPR) and the Privacy and Electronic Communications Regulations (PECR) as the primary statutory responsibilities relating to data handling and processing. In addition to this the Union shall take guidance from the Information Commissioners Office (ICO) to ensure it follows the regulations appropriately.
To this end every individual employee, student volunteer, member, or contractor handling data collected or administered by the Union must take responsibility and due consideration for its appropriate use in line with this policy and the declared processing activities. The specific arrangements for handling, processing and administering data can be found on the Union's website in our Privacy Statements and Notices.
2. Scope
This policy applies to all employees and volunteers, and is overseen by the Union’s Senior Management Team (SMT), reporting to the Union’s Board and Performance, Audit, Risk and Remuneration Committee (PARR). Any deliberate breach of the data protection policy may lead to disciplinary action being taken, and/or access to Union facilities being withdrawn, and/or even a criminal prosecution. It may also result in personal liability for the individual committing the breach.
This policy should be read in conjunction with the Universities data protection policies and procedures and the Data Share Agreement between HSU and The University of Huddersfield.
3. Data Protection statements of intent
In accordance with the General Data Processing Regulations (GDPR), the Privacy and Electronic Communications Regulations (PECR), The Freedom of Information Act 2000 and associated legislation, Huddersfield Students’ Union has a statutory duty to control and process personal data within specific legal parameters. As such Huddersfield Students’ Union recognises that: -
4. Personnel responsible for the implementation of this policy
4.1 Board of Trustees
4.2 Chief Executive Officer
The Chief Executive Officer (CEO) is delegated overall responsibility by The Board of Trustees for data protection and shall be responsible for:
4.3. Key Staff
The CEO has delegated the following responsibilities to staff outlined below:
4.4 Senior Managers
Senior Managers have responsibility for GDPR compliance and other data protection laws within areas of their control including: -
4.5 Departmental Managers
Departmental Managers will have:
4.6 All employees and volunteers
All employees and volunteers shall:
4.7 Students
All students shall:
4.8 The University
As outlined in the Memorandum of Cooperation the University of Huddersfield and HSU need to share data relating to students and both, as data controllers, are subject to GDPR. Both the University and the Union shall ensure there is a Data Sharing Agreement in place at all times to govern these arrangements and enable the Union to discharge its objectives.
4.9 Third Parties
4.9.1 HSU may transfer data to third parties for processing which will be declared to the individuals whose data is being processed. Prior to data transfer a contract or sufficient Privacy Statements/Policies shall be collected and stored to meet the expectations of HSU’s Privacy Statements and Notices.
4.9.2 All contracts or Privacy Statements/Policies shall include requirements outlined in the GDPR and outlined in guidance from the ICO.
5. Lawful basis for processing
HSU shall ensure it has a valid lawful basis for processing all personal data. There are six available bases for processing to which the Union shall select the most appropriate depending on the purpose and relationship with the individual. The Union’s Privacy Statements and notices should include each lawful basis, purpose for processing and retention length.
5.1 Consent
The GDPR has a high standard for obtaining consent by giving individuals real choice and control.
5.1.1 HSU shall ensure that it provides specific Statements and Notices of consent that requires a positive opt-in which is separate to other Terms and Conditions. This shall also include the naming of any third party controllers who will rely on the consent.
5.1.2 Withdrawal of consent shall be transparent and easy by following information in the Privacy Statements and Notices.
5.1.3 Evidence of consent should be retained for reference.
5.1.4 Statements and Notices of consent shall remain under consent review, be refreshed to reflect any changes made and individuals kept informed.
5.1.5 Explicit consent shall be used for the processing of special category data.
5.2 Contract
5.2.1. This legal basis can be used to process personal data to fulfil contractual obligations or because the individual has asked the Union to do something before entering into a contract. The processing must be necessary, targeted and proportionate for the purposes of performing a contract or taking pre-contractual steps.
5.2.2. If processing is not necessary for the Union’s side of the contract with the individual another lawful basis such as legitimate interests or consent will also be needed to process the data.
5.2.3. If processing of a special category is necessary for the contract a separate condition for processing data shall also be needed.
5.3 Legal obligation
This lawful basis is for the processing of personal data to comply with a common law or statutory obligation.
5.3.1.Processing must be necessary to comply with lawful obligations.
5.3.2.The Union should be able to identify the specific legal provision or appropriate source of guidance that clearly sets out the obligation.
5.4 Vital interests
Vital interests can be used as a lawful basis for processing personal data to protect someone’s life.
5.4.1 If there is another, less intrusive, lawful basis for processing data this basis will not apply.
5.4.2 This basis will not apply if the individual is capable of giving consent.
5.4.3 If the Union is likely to rely on this lawful basis the circumstances where it will be relevant should be documented.
5.5 Public task
This lawful basis can be used to process personal data for public functions and powers that are set out in law or to perform a specific task in the public interest that’s set out in law.
5.6 Legitimate interests
Legitimate interests is the most flexible lawful basis for processing.
5.6.1 HSU will always use people’s data in a way they would reasonably expect, with minimal privacy impact or where there is sound justification for the processing.
5.6.2 Processing of data shall follow the three-part test identified by the ICO:
5.6.3. Legitimate interests shall always be balanced against an individual’s interests, rights and freedoms.
5.6.4. Marketing activities shall also consider whether any consent is required under the Privacy and Electronic Communications Regulations (PECR).
5.7 Special category data
Special category data is personal data which the GDPR says is more sensitive and therefore needs more protection.
5.7.1. Examples of special category data include race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life, sexual orientation.
5.7.2 The Union shall only process special category data if the conditions for processing are listed in Article 9(2) of the GDPR are met with legitimate and documented reasons.
5.8 Criminal offence data
To process personal data about criminal convictions or offences you must have both a legal basis and either the legal authority or official authority for the processing.
6. Individual rights
The GDPR provides the following rights for individuals:
6.1 Right to be informed
6.1.1 HSU will ensure it informs individuals about the collection and use of their personal data including: -
6.1.2 HSU will provide privacy information at the time personal data is collected. This information should be concise, transparent intelligible, easily accessible, and use clear and plain language.
6.1.3 When personal data is obtained from a source that is not the individual it relates to HSU will provide the individual with privacy information before the first communication take place or within one month of receiving the data.
6.1.4 Privacy information should be regularly reviewed with any changes being communicated to individuals whose data we hold.
6.2 Right of access
6.2.1 Where possible HSU shall provide access to an individual’s data through the Union and University website.
6.2.2 HSU will provide individuals with a simple and transparent process for accessing their personal data and supplementary information. Access information shall be contained in HSU’s Privacy Statements and Notices and responses shall usually be provided within one month of submitting a request.
6.2.3 If HSU believe a request is manifestly unfounded, excessive or repetitive a reasonable fee shall be applied to cover administrative costs of providing the information.
6.3 Right to rectification
6.3.1 Where possible HSU will try to keep all data up-to-date and accurate.
6.3.2 Individuals can request for data to be rectified via email.
6.3.3 HSU will respond to all requests within one calendar month.
6.3.4 HSU shall grant and/or refuse rectification following guidance from the GDPR and the ICO.
6.4 Right to erasure
6.4.1 Following Article 17 of the GDPR, HSU will provide individuals with the right to have personal data erased provided: -
6.4.2 HSU shall grant and/or refuse the right of erasure following guidance from the GDPR and the ICO.
6.5 Right to restrict processing
6.5.1 Individuals have the right to restrict the processing of their data by HSU if the following circumstances apply: -
6.5.2 HSU shall grant and/or refuse the right to restrict processing following guidance from the GDPR and the ICO.
6.6 Right to data portability
6.6.1 HSU will ensure that where it’s applicable individuals shall be able to obtain and reuse their data for their own purposes across different services.
6.6.2 HSU shall follow guidance from the GDPR and the ICO if an individual requests the transfer of their data.
6.7 Right to object
6.7.1 Individuals have the right to object to: -
6.7.2 HSU shall grant follow guidance from the GDPR and the ICO when fulfilling an individual’s right to object.
6.8 Rights to automated decision making including profiling
The GDPR includes specific provisions for automated individual decision making and profiling.
6.8.1 HSU will only undertake solely automated decision making provided that: -
6.8.2 A Data Protection Impact Assessment must be completed to ensure risks are identified and addressed.
6.8.3 GDPR also requires HSU to: -
7. Governance and Accountability
The GDPR requires HSU to have comprehensive but proportionate governance measures to minimise the risk of breaches and uphold the protection of personal data. HSU will maintain the following streams of work that will be monitored by Performance, Audit, Risk and Remuneration Committee:
7.1 Security
7.1.1 HSU will ensure it has appropriate security to prevent personal data being accidentally or deliberately compromised. This shall be achieved by ensuring that: -
7.1.2 All staff are responsible for ensuring that any personal data which they hold are kept securely in line with the University’s IT Security Policies and Procedures and that such data is not disclosed to any unauthorised third party.
7.1.3 All personal data should be accessible only to those who need to use it. A judgement on security measures shall be based on the risks presented by the data’s value, sensitivity or confidentiality. Consideration should always be given to keeping personal data: -
7.1.4 Shared folders, files and documents shall have a clear structure and permission set to ensure that all staff only have access to the personal information they require.
7.1.5 All data stored or transported on removable devices (such as memory sticks, external hard drives, mobile devices, etc.) should have an appropriate level of encryption to prevent a data breach if it is lost or stolen.
7.2 International Transfers
7.2.1 HSU will aim to ensure all processing of data takes place within the European Union.
7.2.2 Where this is not the case and personal data is shared with organisations outside the European Union we will seek to ensure that such organisations are based in countries that have comparable levels of personal data protection regulations to those enjoyed in the European Union.
7.2.3 HSU will follow the guidance outlined in the GDPR and from the ICO to comply with the relevant legislation.
7.3 Risk
7.3.1 Risks associated with the GDPR shall be appropriately assessed and with findings logged on HSU’s Risk Register.
7.4 Data breaches
7.4.1 HSU will follow the GDPR and guidance from the ICO following any suspected or actual data breaches.
7.4.2 Any notifiable breach will be reported to the ICO, Charity Commission and the University within 72 hours after becoming aware of it.
7.4.3 All data breaches shall be appropriately investigated following and recorded.
7.4.4 Should any employee, volunteer, contractor or other is found to have broken this policy or have been negligent with HSU’s data then disciplinary actions outlined in the Constitution and associated policies may be taken following an investigation.
7.5 Complaints
7.5.1 HSU will follow the processes outlined within the Constitution (Bye Law Eight: Complaints Procedure) and relevant policies when investigating complaints relating to data protection.