This statement outlines in plain language how we use your data, what data we hold and how we take measures to ensure personal data is kept securely and safely.
For full details on our data protection processes and procedures please refer to our full suite of data protection policies and procedures.
The Data Controller
The data controller is Beds SU of the Campus Centre, University Square, Luton, LU1 3JU with an additional registered office at; The Hub, Polhill Avenue, Bedford, MK41 9EA and can be contacted on email by firstname.lastname@example.org or via telephone on 01582 743221.
The Data Protection Champion
The data protection champion for the Students’ Union is Mark McCormack (CEO) and can be contacted with any concerns or questions surrounding the use and storage of your personal and sensitive data on email@example.com
Why We Process Data
Beds SU collects a variety of different data which is outlined in the sections below to ensure we fulfil our obligations under the 1994 Education Act to represent students and conduct fair and democratic elections and to ensure we meet our charitable objectives which have been agreed by the charity commission to pass the public benefit test.
Our notice to the Information Commissioners Office in relation to the processing of such data can be found on the ICO website.
In summary, we use the data we hold:
- To provide an interactive website that provides information that you’re most interested in.
- To facilitate student activities and groups that you express interest in or join such as sports, societies and volunteering.
- To communicate membership services and opportunities that aid the student experience of those studying at the University of Bedfordshire.
- To undertake diversity monitoring and engagement to ensure we can engage and fully represent the diverse membership of Beds SU.
- To gain representational insight to allow elected representatives to fully represent the views of University of Bedfordshire students at University committees and meetings.
- Supporting students at the University of Bedfordshire to resolve issues, complaints and disputes with the University or external organisations and bodies.
- To communicate social and cultural activities run by the Students’ Unions or closely chosen partner providers where you have given consent and the opportunity is of legitimate interest to you as a student at the University of Bedfordshire.
- To promote the events and services of the Union through social media, publications, online content and other relevant digital media.
- To facilitate democratic processes as outlined in the Unions bylaws.
- To provide event ticketing for Union events/activities and sports and societies events/activities to ensure smooth and effective administration of such events/activities.
- To process and run the Unions loyalty scheme in our commercial outlets linked to University ID numbers.
- To improve the opportunities we offer by understanding which students engage in our activities.
- To manage and monitor general digital engagement using analytics software and social media remarketing.
- Using Matomo and to anonymously monitor the engagement in communication mediums and website usage to improve the services and communications offered to students. You can request to not be tracked at any time.
- For the purpose of recruiting staff and maintaining staff records.
- To provide guest and associated memberships access to our website and services
- To maintain required records for client and companies we with work with.
Our Legal Basis
Beds SU collects and processes data based upon the following legal basis:
- Contractual requirements
- Explicit consent from data subjects
- Legal Obligations
- The legitimate interests of our members
What Data We Hold
We receive the following student data directly from the University of Bedfordshire following students agreeing to the University terms and conditions of registration which is administered through the University enrolment process:
- Student ID Number
- Study Status
- Date of Birth
- University Email Address
- Alternative Email Address
- Telephone Number
- Domicile Country
- Term time address
- Term time postcode
- Fee Status
- Campus of Study
- Programme of Study Identification Number
- Level of Study
- Year of Study
- Department of Study
- Mode of study
- Course Start Date
- Course End Date
- Library card number
- If in a final year of study or not
- If on a placement or not
- Name of Programme of Study
- JACS CODE
- Name of School of Study
- Name of Faculty of Study
The above data is kept for a up to 5 years after exit as outlined on our Data Retention Policy. The accuracy of the data is maintained through regular data files provided electronically in a secure format from the University.
In addition, the Union collects additional data based upon:
- Participation in Union activities and services
- Participation in market research and student voice initiatives
- Use of the student advice service
- Completion of online account registration questions
- Participation in the Unions loyalty scheme
- The joining of sports clubs and societies
- Photos and filming took at Beds SU events in Beds SU venues
- Staff recruitment and employment records
- Guest/Associate Membership Access
You can disable any cookies already stored on your computer, but these may stop our website from functioning properly.
If you wish to restrict or block web browser cookies which are set on your device then you can do this through your browser settings; the Help function within your browser should tell you how. Alternatively, you may wish to visit the ICO website, which contains comprehensive information on how to do this on a wide variety of desktop browsers.
Access To Your Data
Beds SU takes the security of your information very seriously. You can change your subscription settings at any point by logging onto the website and editing your account settings in your profile.
Only authorised Union staff and volunteers will have access to your data for the purposes specified in this privacy statement. We make sure that your data is only accessed for legitimate purposes by people who are facilitating your student experience.
In addition, if you join a club, group or society your basic information such as name, email and date of birth will be made available to the group administrators. Next of kin details may also be provided if you are asked for this as part of the registration process.
We will not share any individual user details (including your email address) to any third party excluding the University of Bedfordshire without your consent. We do however use several data processors to manage our operations. Details of these organisation can be found in our Data Audit Overview.
Other organisations such as mailing houses as a data processor to deliver a service or communication message to you. In the event of this, the Union will enter into a data processing agreement with such organisations on the terms that data can only be used to administer the project specified and that all data will be destroyed following the project specified.
Where Is The Data Held
- Data that is received from the University of Bedfordshire, joining sports and societies and through online behaviour recording is stored by the platform DigitalOcean on servers based in London, UK (LON1 region). This on behalf of our website developers Wild Rocket Development Studio LTD. Trust certifications for the platform can be found here: https://www.digitalocean.com/trust/certification-reports/
- Data received from online forms used on the website is held on a secure server based in the United Kingdom and provided by 1&1 Internet Limited (https://www.1and1.co.uk).
- EPOS and loyalty account details are stored in a secure server operated and administered in conjunction with the University of Bedfordshire's Information Communication Technology department.
- Data related to advice casework is held on a secure server operated and administered by Advice Pro and is located within the United Kingdom.
- Any data collected within any other applications or server will be clearly outlined to participants at the point of data collection and any data downloaded from any server will be held on encrypted devices or Microsoft OneDrive / Microsoft SharePoint and will only be kept in such locations for the length of time required to process such information for its intended purpose.
- If physical copies of data are required strict procedures will be followed to ensure the data is stored and used in a confidential manner and confidently disposed of after the intended purpose. For more information on how the Union manages and stores data please refer to the Unions data protection policy.
Photos and Filming
- Beds SU will clearly indicate in its event listing and terms and conditions of event entry where photos or filming will be taking place alongside the physical displaying of notices within each of the Unions venues. Attendees at the event have the right to request not to be filmed or have a photo of them taken. Should any individual wish to request not having their photo taken or to be filmed they should make this intention aware to a member of Beds SU staff at the event and such requests will be implemented.
- Any requests for an image or an inclusion in a video to be removed from either being stored or publicly posted on social media, website or any other form of media contact should be made with the union by emailing firstname.lastname@example.org Images will be removed wherever this is possible.
- Any requests for an image to be removed from a printed publication should be made with the union by emailing email@example.com and the Union will prevent further circulation of the publication and take steps that are practically possible to recall other copies of the publication already in circulation. Should any individual have any questions about the use of photos and filming they should contact the Union on firstname.lastname@example.org
- Please see our Data Retention Policy (PDF) for a full breakdown of how long the Union retains different type of data, the justification for such retention period, the department/individual responsible and any action following the end of the retention period.
Beds SU will ensure that it treats personal information lawfully and correctly. To this end the Union fully endorses and adheres to the principles and your rights of Data Protection as set out in the Data Protection Act 1998 as outlined below:
- Personal data shall be processed fairly and lawfully, shall not be processed unless specific conditions are met,
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under this Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Furthermore, under the General Data Protection Regulations (GDPR) will become UK law in May 2018 you have the right to;
- The right to be informed about what data is being held about you and how it is processed and managed which has been clearly outlined within this privacy statement.
- The right of access to data that is held about you and you can do this by contacting us on email@example.com
- The right to rectification if the data that is held about you is inaccurate or incomplete and you can request this to be undertaken by contacting us on firstname.lastname@example.org
- The right to erasure of the data we hold upon you which is also known as the right to be forgotten. However, as the passing of the data to the students Union is part of a contractual agreement of enrolment at the University, we can only process such a request for non-university data feed items. To request the right of erasure please contact us on email@example.com
- The right to restrict processing of the data we hold upon you. This means not deleting the data we hold upon you but placing a certain restriction or total restrictions on how we process it. To request the restricting of processing please contact us on firstname.lastname@example.org
- The right to data portability to receive the data we hold on you in an open source format such as in a CSV format. To request the data, we hold in such a format please contact us on email@example.com
- The right to object to the way your data is being held, processed, or managed and you can do so by contacting us on firstname.lastname@example.org
- Rights in relation to automated decision making and profiling to be outlined to you which we have done in a section below.
Further in-depth information on your rights in relation to your rights under the General Data Protection Regulations (GDPR) can be found via the Information Commissioner Office (ICO), available online at https://ico.org.uk
Student Data - Data which is obtained through the Universities data feed is done so based on students agreeing to the Universities terms and conditions of enrolment through the Universities online enrolment process. You have a right to retrospectively withdraw your consent at any point by contacting us on email@example.com.
For other data collected and processed explicit and informed consent is gained at the point of collection of which can be withdrawn at any point by contacting the Union on firstname.lastname@example.org
Staff, Guests, Clients and Associate members – Consent for data collection and processing will be done so at the point of collection. Any changes to the use of this data will only be done so with expressed permission. Any request regarding this data can be done so by contacting us at email@example.com (Beds SU Staff members can also speak to a member of HR staff).
All website users can change their direct marketing preferences by reviewing their account details and preferences on the Student Dashboard.
Should you have a complaint about the management of your data please contact the Data Protection Champion Mark McCormack on firstname.lastname@example.org who will follow the Union's complaint procedure to investigate the matter.
You have a right to also complain to the UK Regulator of Data Protection. You can make a complaint or raise a concern to the Information Commissioners Office online at https://ico.org.uk
Automated Decision Making
Individuals have the right not to be subject to an automated electronic decision when:
- It is based on automated processing; and
- it produces a legal effect or a similarly significant effect on the individual.
The Union must ensure that individuals are able to:
- Obtain human intervention;
- Express their point of view; and
- Obtain an explanation of the decision and challenge it.
Currently, the Union doesn’t undertake any form of automated decision making.