Data Protection
YUSU is a registered charity and as such, must abide by UK Charity Law. Ratified student groups have no separate legal identity from YUSU, therefore the same UK Law regarding charities must also apply to those affiliated groups.
Due to this, there are a number of rules and regulations that all projects must adhere to in order to ensure compliance with legal guidelines, YUSU by-laws and your Project Constitution.
Data Protection
You should have already completed the online training covering the General Data Protection Regulation, so this should hopefully just act as a refresher to you.
Data protection policy works to control how individuals' personal information is used by organisations. It is the law, and it protects individuals from issues such as identity theft, spam emails, and the sharing of data across digital platforms.
As outlined previously, YUSU is legally responsible for student groups. That means that if a student group breaches the Data Protection Act, we are liable for it. We work to mitigate this risk by enabling you to make informed choices regarding data protection in your role as a student group leader.
What is personal data?
As a student group leader, you will most commonly come into contact with individuals' names and, sometimes, email addresses. The Member Dashboard system allows you to store your members' personal information in such a way that you only have access to their names, so contact information cannot be shared. This protects you and the Union.
Collecting Data
There are some key things it's useful to be aware of with regard to data protection in your role.
Personal data can only be obtained for 'specific, explicit and legitimate purposes'. The individual must be aware of this purpose, and their data can be used for no other purpose without additional specific consent.
When someone joins your student group, they are entering into a contract with your group. The collection of their data is necessary to fulfil this contract, and so their joining your group provides you with implicit consent by them to process and use their data.
Storing and Using Personal Data
Groups must keep all personal data collected confidential.
Where possible, your member and mailing lists should be managed through the Member Dashboard.
If this is not possible, any personal data must only be held within your group's @yusu.org Google Drive.
Personal data must not be downloaded to any device or shared anywhere outside of this drive, even with individuals who already have access to the drive.
Those who provided their data did not give permission for you to store it as an individual - only for the group to store it.
If you send an email to multiple individuals, you must ensure that every email is blind carbon copied (bcc).
This means that anyone who receives the email will not see the email addresses of anyone else on the list.
All group memberships terminate on the 31st of July each year. Your group's membership list will revert to 0 after this date. If you hold a separate mailing list, this must also be wiped at this time.
You could send an email to the list asking people who wish to continue receiving emails to fill out a form (with a privacy statement) and use these responses to create a fresh mailing list for the next academic year.
Data Protection: If Something Goes Wrong
Legally, we are required to keep a register of all data protection breaches.
Some examples of breaches could be:
Loss of data
Incorrect distribution (data shared to someone or somewhere it shouldn't be)
Theft of data
Accidental disclosure of data
If you suspect that there has been a breach of data protection you need to tell us. Send an email to your link staff member explaining what has happened in as much detail as you can. You need to include:
The type of data involved
e.g. names, email addresses, phone numbers
How many people the breach has or might have affected
We also have a legal obligation to inform the individuals involved. Depending on the situation, we might support you in doing this, or we might take on the responsibility instead.
If this does happen to you, try not to panic! Just let us know, and we'll help you.
Questions?
Kate Williams, Data Protection Officer - dataprotection@yusu.org