Data Protection
The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA) form the UK’s data protection legislation.
Data protection legislation works to control how personal information is used by organisations. It is the law, and it protects individuals from issues such as identity theft, spam emails, and the sharing of data across digital platforms.
York SU is legally responsible for student leaders and groups. That means that we can be held liable for any data breaches caused by student groups. We work to mitigate this risk by enabling you to make informed choices regarding data protection in your role as a student group leader.
You can also take a look at York SU's Privacy Policy, which will give you a better understanding of how we, as an organisation, manage data.
Personal Data
Personal data can only be obtained for 'specific, explicit and legitimate purposes'. The individual must be aware of this purpose, and their data can be used for no other purpose without additional specific consent.
Personal data can be anything that identifies a specific individual, including:
Names
Email addresses
Online usernames
Passport or National Insurance numbers
Phone numbers
Photos, videos, and sound recordings
Location
As a student leader, you will most commonly come into contact with individuals' names and email addresses.
Lawful Bases
There are six lawful bases for processing data. They all hold equal standing: none of them are more important or significant than any others.
Consent
The individual has given valid consent for you to process their personal data for a specific purpose.
In UK law there is a high standard for consent to be valid. It must be clear, specific, explicit, freely given, and require a positive action (e.g. "click this if you don't agree" is not valid consent).
If you are collecting personal details as part of a survey, you will need to gain explicit consent to do this. Anyone completing the survey will need to agree to having their data collected and used for your intended purpose (see more details about this in the “collecting, retaining and removing data” section within this training).
Contract
The processing is necessary to perform a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
If you are running a student group, when someone joins your group they are entering into a contract with your group. The collection of their data is necessary to fulfil this contract, and so their joining your group provides a legitimate basis for you to process and use their data.
Legal Obligation
The processing is necessary for you to comply with the law (not including contractual obligations).
Vital Interest
The processing is necessary to protect someone’s life.
Public Task
The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
Legitimate Interest
The processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
If you can reasonably achieve the same result in another less intrusive way, legitimate interests may not apply.
To use the legitimate interest basis, you need to:
Identify a legitimate interest
Show that data processing is necessary to achieve it
Balance it against the individual's interests, rights, and freedoms
Legitimate Interest is probably the most complex of the legal bases - we recommend you read the ICO's guidance and get in touch with your link staff member if you are considering using it.
Sensitive Personal Data
In addition to personal data, there is a specific type of personal data classified as Sensitive Personal Data. Sensitive Personal Data (or Special Category Data) includes any information about an individual that falls under the following categories:
Race
Ethnicity
Politics
Religion
Trade Union Membership
Genetics
Biometrics
Health
Sex Life
Sexual Orientation
In order to process Sensitive Personal Data, you must justify it using one of the following bases in addition to one of the core six:
Explicit consent has been given by the individual for this data to be processed, for the specific purposes;
The processing relates to the field of employment;
The protection of vital interests when the individual is physically or legally incapable of giving consent;
The processing is conducted by a non-profit organisation and the data subject has a legitimate interest and is affiliated with such body;
The processing is of data made available to public access by the data subject;
The processing is necessary for legal claims;
The processing is necessary due to significant public interest;
The processing is necessary for medical diagnosis and treatment;
For the maintenance of public health;
For historical, statistical or scientific purposes;
When there are any exemptions under national law.
It is unlikely that you will need to process any Sensitive Personal Data in your roles, but there may be exceptions to this. Some examples include:
If you are a media group, you may process data in image, video, written or audio form. It's important to consider all sensitive personal data your chosen medium may disclose (intentionally or unintentionally) about an individual.
If you are organising an international trip, you may need to gather some sensitive data in order to make bookings.
Good Practice
It's essential to understand that you are responsible for looking after any data you collect or use. Below is a list of key things to remember:
Maintain confidentiality
All personal data must remain confidential. This means you cannot share the data with anyone.
Always provide notification of data collection
Whenever you are collecting students’ personal data, you will need to make people aware of the following:
What data you will hold on them
What their data will be used for
Who will have access to the data
How long the data will be held for
This is best achieved by having a privacy statement prepared. Please ask your link staff member if you would like help with this. Remember, whenever you wish to collect data you must ensure you have the legal grounds to do so.
Manage lists in an appropriate place
Where possible, your mailing and member lists (if appropriate to your role) should be managed through the Member Dashboard. If this is not possible, any personal data must only be held within your group's @yorksu.org Google Drive.
Always gain explicit consent for social media content
If you want to include personal data on social media (e.g. photos and videos from events), you should always gather explicit consent from the individuals.
Never download or share data outside your @yorksu.org drive
Personal data must not be downloaded to any device or shared anywhere outside of your group's drive, even with individuals who already have access to the drive.
Those who provided their data did not give permission for you to store it as an individual, only for the group to store it.
BCC every email
If you send an email to multiple individuals, you must ensure that every email is blind carbon copied (bcc). This means that anyone who receives the email will not see the email addresses of anyone else on the list, preventing a data breach.
Do not hold email accounts outside of @yorksu.org
Having external email accounts (e.g. @gmail.com, @hotmail.co.uk) for student groups is against York SU’s data protection policy.
We can set up additional @yorksu.org email addresses for your group if it’d be helpful - for example some groups have a separate welfare contact email, or separate accounts for specific events or projects. We can also help you migrate an external email account to a @yorksu.org account. If this would be useful, fill out this form and our Digital Team will be in touch.
Clear all membership information annually
If you are a student leader responsible for a group, note that all group memberships terminate at the end of each academic year, on the 9th September. At this point, your group's membership list will revert to 0. If you hold a separate mailing list, this must also be wiped at the same time.
Do not share data with third parties
You must not share any personal information with any third parties, unless the individuals have consented to allow you to do so.
Beware when sharing Google Docs
Giving users "edit" rights in documents means they will be able to see each other's email addresses.
If you are worried your group may have had or caused a data breach, email dataprotection@yorksu.org and your link staff member as soon as possible. Depending on the seriousness of the breach, we may need to take remediation steps within a certain amount of time, and the clock starts the moment we find out about the breach.
We will not take any action against your group if you have made a good faith mistake, but we need to know as soon as possible.
Questions?
Contact your link staff member or our IT (it@yorksu.org) or Data Protection (dataprotection@yorksu.org) Teams.