Data Privacy Statement
Bath Spa Students’ Union is committed to protecting your privacy when you access any of our services. This policy outlines the type of information we collect, how we use that data and how we protect your information.
All data is held in accordance with the guidelines set out in the General Data Protection Regulation (GDPR), Data Protection Act 2018 and the Privacy of Electronic Communication Regulations.
Bath Spa University Students’ Union (“Bath Spa SU, “we”, “us”, “our”), promises to respect any personal data you share with us, or that is received from other organisations and keep it safe. We aim to be clear when collecting your data and not do anything you wouldn’t reasonably expect from us.
It applies to information we collect about:
- Members of the Union, officers and volunteers
- Users of our websites
- People who give us feedback, make suggestions, complete questionnaires, polls or make complaints
- People who use our services
- Partner organisations, suppliers and agents
- Donors and supporters
- Past, present and prospective employees
This can include information that the Union may be required to collect by law.
What data do we collect and how do we collect it?
We collect information in the following ways:
- When you become a member of the Union.
Each year when you enrol on your Bath Spa University course, you automatically become a member of the Students’ Union. Bath Spa University shares a register of members with the Union, which includes information about you and your course. When the University gives us this data, we become responsible for it and this is the central record of your membership of the Union.
- Home and term time address
- Personal and student email addresses
- Telephone number(s)
- Year, level and mode of study
- Date of birth
- Student ID
The University and Students’ Union have a data sharing agreement in place which outlines why we share data and the expectations and responsibilities of each party. The data is transferred securely via electronic transfer and held securely by our website provider MSL.
The transfer ensures that we always hold up-to-date information. When a student decides to opt-out of membership of the Union, we inform the University and their details are no longer included in the transfer.
- When you give us your information directly
You might give us your personal data by filling in forms on our website, by registering to use our website, applying for jobs or volunteering opportunities with us, booking tickets to events, taking part in online research or using our Advice Service or Gym.
This personal data you give us may include name, date of birth, age, gender, demographic information, email address, telephone numbers, attitudes, opinions, usernames and passwords, financial information (where you are purchasing tickets or joining a club or society). We will make sure that we only collect the data that we need, and will only use it for the purpose specified at the point it was collecting. Some of this information is imperative to enable us to administer your membership or provide a service (such as contact information), but there might also be instances where we need to collect sensitive data. Again we will only do this when necessary.
In addition where you book or purchase tickets for events, join a student group or use one of our services we may ask for the following information such as:
- Your date of birth to ensure compliance with age-related laws
- Your bank details to facilitate payments
- Information relating to your health or emergency contacts if you take part in a high risk activity or trip
- Any health or disability information so that we can provide assistance where needed
- When you give it to us INDIRECTLY
- When you give permission to OTHER ORGANISATIONS to share
You may have provided permission for a company or other organisation to share your data with third parties such as the Students’ Union. This could be when you buy a product or service, register for an online competition or sign up with a comparison site.
Depending on your settings or the privacy policies for social media and messaging services like Facebook, WhatsApp or Twitter, you might give us permission to access information from those accounts or services.
When you use the Bath Spa Students’ Union website, certain anonymous information will be collected automatically. This helps us improve the content of the website and ensure the content and design work for its users. You can find out more in our Cookies Policy.
What sensitive data do we collect?
When you apply for a position with us or take part in a survey, we might ask you to provide demographic information such as your age, gender, ethnicity or race or whether you have a disability.
We will often collect this data anonymously, for example when you apply for a job with us. We use this data to monitor that our services and practices are fair and equitable across the organisation.
When you vote in Union elections, you may be asked to self-define in to particular groups, e.g. by gender or ethnicity, to determine your eligibility to vote for an Equality Rep whose role may be to represent you. Under our election rules, only people who self-define in a category can vote for that Equality Rep.
We do not use this information to identify you as an individual.
When you use our Advice Service or the GP Referral Scheme, we may ask you for specific personal information which enables us to provide the service you have requested to you and undertake statistical analysis to inform future service development.
How do we use your data?
Where we process your data we will only do so where there is a legal basis. This includes the following:
- Where there is a contract – like where you have asked us to provide a service and we need to process your data to fulfil our obligations
- Where you give us consent – like where you have told us you’d like us to send you information about opportunities on offer
- Where law requires it - we are obliged by various laws including the Education Act, Contracts Act and employment law to process certain data
- Legitimate Interest - We carefully balance your rights when we think there is a legitimate interest in us processing data to support you, for example using a third party processor (such as google analytics) to improve your experience using our website.
For everyday use
The Union needs to gather and use information about individuals in order to be able to operate effectively. We’ll only collect the data that we need to do this. We use information to:
- Administer membership records
- Administer elections and memberships of clubs and societies
- Administer representative systems
- Research and generation of demographic reports
- Advertising, marketing and communication with members
- Accounts and financial records
- Necessary staffing records
- Understand how we can improve our services, products or information
- To register your membership with national governing bodies where relevant.
Marketing and Communications
We will ask for “Personal Information” which identifies you and enables you to be contacted when you join a club or society or other contact information necessary to provide a service that you requested.
We may also use your Personal Information to send you information that you requested, or to confirm registrations, purchases, or to respond to your feedback.
We may use your email address to notify you of products or services that may interest you, such as events or discussions, or to provide you with latest news on Bath Spa Students Union and its services.
You may opt-out from receiving promotional or marketing emails by notifying us at the address specified at the bottom of any email.
We never give your contact details to third parties.
Building profiles of members and targeting communications
We use some profiling techniques to ensure communications are relevant and timely, and to provide an improved experience for our members. This allows us to target our communications to ensure you get the information relevant to you.
For example, we may analyse course subject information to let students know what candidates standing in elections are saying in their manifestos that is particularly relevant for students studying on that course.
Your data would only ever be analysed or profiled through encrypted and protected data processes, which only ever identifies broad statistics.
We carry out a wide range of research with our members, staff and volunteers to get feedback on their experience with us. Use of such information helps us to identify areas where we can improve our services to you and ensure we know what is relevant and interesting to you.
If you choose to take part in research, we’ll tell you when you start what data we will collect, why and how we’ll use it. All the research we conduct is optional and you can choose not to take part.
For some of our research we may ask you to provide sensitive personal data (e.g. ethnicity). You don’t have to provide this data and we also provide a ‘prefer not to say’ option. We only use this type of information to monitor that we are being fair and equitable to all students.
For most research we carry out, you will not be asked to provide any identifying information, though we may ask you to provide sensitive data to help us identify how different groups are affected by student issues. However where you are asked to enter identifying information, such as email to remain eligible for a prize draw, we will disaggregate this from the results, and dispose of this data after winners have been notified.
How do we keep your data safe and who has access?
Personal data collected and processed by us is shared with Students’ Union employees and officers to help them undertake their roles. However, permission is only given to access the specific data required for their role.
Everyone who accesses data has to comply with UK law and has to undertake training as part of their induction to the organisation.
There may be instances where we share data with the University. This is covered in the Data Sharing Agreement and includes:
- Where either BSU or BSSU have reason to believe that a student may be at serious risk as defined under its safeguarding policy.
- To allow BSU and BSSU to collaborate on academic and well-being casework relating to a student, where students are receiving casework support from BSSU. In these circumstances, specific consent will be obtained from the student prior to sharing.
- To advise of any disciplinary issues which may affect a student’s status or the employment of a Union staff member.
We do not sell or share your personal information for other organisations to use.
If you make any purchases through the site, we will record your billing address, however we do not record your payment card details. This information is collected through Sage Pay, our online payment provider. No card payment details are stored through the site.
We may need to disclose your details if required to the police, regulatory bodies or legal advisors.
We will only ever share your data in other circumstances if we have your explicit and informed consent, for example with a sports governing body if you a join one of our sports teams.
What information do student leaders or representatives have access to?
Certain categories of students will have access to some limited personal data:
- Course or Faculty Representatives
- Student Group Leaders (such as club or society committee members)
When you register to join a student group or network through our website or to attend one of their events, the relevant student leader will have access to limited personal data (name, contact details). This is under a legitimate interest, enabling them to provide the membership services you have requested. Whilst registering for membership of one of these groups you may be asked to provide other personal data to enable them to perform their duties. They will not collect information beyond what is needed.
Under some limited circumstances they may need to collect additional personal data, such as emergency contact or medical information to meet their requirements to perform a service you have requested, for example where you have requested membership for a group or event that involves high risk activity. This is to ensure that they can meet their obligations to comply with health and safety, and this data will not be used for any other purpose.
We ensure that Student Leaders, Representatives and Officers have training and understand how to handle your data in compliance with UK law and Union policies.
How long do we hold your data for?
We will only hold your personal data as long as is strictly necessary. This varies dependent on different administrative requirements or legal duties. This includes:
- 6 months for information you shared or submitted in an application for a job
- 1 year for information shared for our transport booking service
- 3 years for club and society memberships
- 6 years for information about users of our GP Referral scheme
- 6 years for information held in relation to cases opened with our Advice Service
- 6 years for any information held in relation to financial services, including purchases made through our shop
- 6 years for information held in relation to any employment you have undertaken with us, including health, disciplinary, redundancy information
- 20 years for basic employee records (start / end dates, role and reason for leaving)
All electronic data held is automatically archived and deleted in line with this policy.
All paper records are archived and destroyed via an approved contractor provided by Bath Spa University.
How can you request your data or make changes?
You have a right to ask us to stop processing your personal data, and if it’s not necessary for the purpose you provided it to us for (e.g. processing your membership or registering you for an event) we will do so.
You have a right to ask for a copy of the information we hold about you. You can correct some of the information we hold by logging into your account on the Union website. You can also ask to see the information we hold and ask us to correct any mistakes in your information. If you have any questions please send these to firstname.lastname@example.org
Users of the Union Advice Service can remove their consent to use their advice at any point by contacting email@example.com.
If you want to access your information to see what information we hold about you, this is known as a subject access request.
Subject access requests must be made in writing or to the Chief Executive, Bath Spa University Students’ Union, Newton Park, Bath BA2 9BN. Please include proof of identity with your request. The Union will always verify the identity of anyone making a subject access request before handing over any information and this will ensure your request can be dealt with quickly.
If you want to opt-out of membership of the Union, you can do this by writing to the Students’ Union President at firstname.lastname@example.org. Please be aware that without membership you will be unable to vote or stand as a candidate in Union elections. You may still visit the Bath Spa Students’ Union website but you will not be able to access the restricted areas available to registered users.
Changes to this statement
Approved by the Board of Trustees December 2018