Data Protection Policy

1. Purpose and context

Huddersfield Students’ Union (HSU) is committed to the protection of the personal data of students, employees, suppliers and other individuals whom we might hold information about.

The Union recognises the General Data Protection Regulations (GDPR) and the Privacy and Electronic Communications Regulations (PECR) as the primary statutory responsibilities relating to data handling and processing. In addition to this the Union shall take guidance from the Information Commissioner's Office (ICO) to ensure it follows the regulations appropriately.

To this end every individual employee, student volunteer, member, or contractor handling data collected or administered by the Union must take responsibility and due consideration for its appropriate use in line with this policy and the declared processing activities. The specific arrangements for handling, processing and administering data can be found on the Union's website in our Privacy Statements and Notices.

2. Scope

This policy applies to all employees and volunteers, and is overseen by the Union’s Senior Management Team (SMT), reporting to the Union’s Board and Performance, Audit, Risk and Remuneration Committee (PARR). Any deliberate breach of the data protection policy may lead to disciplinary action being taken, and/or access to Union facilities being withdrawn, and/or even a criminal prosecution. It may also result in personal liability for the individual committing the breach.

This policy should be read in conjunction with the University's data protection policies and procedures and the Data Share Agreement between HSU and The University of Huddersfield.

3. Data Protection statements of intent

In accordance with the General Data Protection Regulations (GDPR), the Privacy and Electronic Communications Regulations (PECR), The Freedom of Information Act 2000 and associated legislation, Huddersfield Students’ Union has a statutory duty to control and process personal data within specific legal parameters. As such Huddersfield Students’ Union recognises that: -

  1. It must process data lawfully, fairly and transparently.
  2. That data is collected for specified, explicit and legitimate purposes.
  3. That data is adequate, relevant and limited to what is necessary.
  4. That data is accurate and kept up to date.
  5. That data is not kept longer than is needed.
  6. That data is stored and processed securely.
  7. It should be able to demonstrate compliance.

4. Personnel responsible for the implementation of this policy

4.1 Board of Trustees

  1. The Board of Trustees have ultimate responsibility for data protection, including that an effective and up to date data protection policy is in place.
  2. The Board of Trustees will ensure that the necessary resources are made available for the effective implementation of the policy.
  3. The Board of Trustees is advised on matters relating to data protection by the SMT.

4.2 Chief Executive Officer

The Chief Executive Officer (CEO) is delegated overall responsibility by The Board of Trustees for data protection and shall be responsible for:

  1. Informing and advising the organisation and its employees about their obligations to comply with the GDPR and other data protection law.
  2. Monitoring overall compliance with the GDPR and other data protection laws.
  3. To be the first point of contact for supervisory authorities and for individuals whose data is processed (students, employees, customers etc).

4.3. Key Staff

The CEO has delegated the following responsibilities to staff outlined below:

  1. Projects and Audit Coordinator - Monitoring compliance, internal audits and regular reporting to the PARR Committee.
  2. Head of Activities, Communications and Events - To be the first point of contact for supervisory authorities and for individuals whose data is processed (students, employees, customers etc).
  3. Head of Voice, Insight and Advice - Compliance with the University Data Share Agreement.
  4. HudLets Manager - Compliance with the HudLets Data Share Agreement.

4.4 Senior Managers

Senior Managers have responsibility for GDPR compliance and other data protection laws within areas of their control including: -

  1. Ensuring that the Union’s Data Protection Policy document is implemented.
  2. Ensuring that data is processed in line with the Union’s privacy statements and notices.
  3. That data is erased within specified time frames.
  4. That data breaches are appropriately investigated and changes made to prevent future breaches.

4.5 Departmental Managers

Departmental Managers will have:

  1. Responsibility for data protection and compliance at a departmental level.
  2. Managers will ensure suitable and sufficient organisational and management arrangements are in place to deliver successful GDPR compliance.
  3. Report any data breaches or data concerns to the CEO.

4.6 All employees and volunteers

All employees and volunteers shall:

  1. Cooperate with the Union on matters relating to data protection and assist the Union in fulfilling its statutory duty.
  2. Never intentionally misuse, store or share data that would break the Union’s data protection responsibilities.
  3. Report any data breach that has taken place directly or indirectly at the earliest convenience.

4.7 Students

All students shall:

  1. Take reasonable care of their own data.
  2. Cooperate with the Union on matters relating to data protection to assist the Union in fulfilling its statutory duty.
  3. Never intentionally misuse, store or share data that would break the Union’s data protection responsibilities.
  4. Ensure they report, through the appropriate mechanisms, any situation they are aware of and know is likely to present significant risk of data being breached.

4.8 The University

As outlined in the Memorandum of Cooperation the University of Huddersfield and HSU need to share data relating to students and both, as data controllers, are subject to GDPR. Both the University and the Union shall ensure there is a Data Sharing Agreement in place at all times to govern these arrangements and enable the Union to discharge its objectives.

4.9 Third Parties

4.9.1 HSU may transfer data to third parties for processing which will be declared to the individuals whose data is being processed. Prior to data transfer a contract or sufficient Privacy Statements/Policies shall be collected and stored to meet the expectations of HSU’s Privacy Statements and Notices.  

4.9.2 All contracts or Privacy Statements/Policies shall include requirements outlined in the GDPR and outlined in guidance from the ICO.

5. Lawful basis for processing

HSU shall ensure it has a valid lawful basis for processing all personal data. There are six available bases for processing, from which the Union shall select the most appropriate depending on the purpose and relationship with the individual. The Union’s Privacy Statements and Notices should include each lawful basis, purpose for processing and retention length.

5.1 Consent

The GDPR has a high standard for obtaining consent by giving individuals real choice and control.

5.1.1 HSU shall ensure that it provides specific Statements and Notices of consent that require a positive opt-in which is separate to other Terms and Conditions. This shall also include the naming of any third party controllers who will rely on the consent.

5.1.2 Withdrawal of consent shall be transparent and easy by following information in the Privacy Statements and Notices.

5.1.3 Evidence of consent should be retained for reference.

5.1.4 Statements and Notices of consent shall remain under consent review, be refreshed to reflect any changes made and individuals kept informed.

5.1.5 Explicit consent shall be used for the processing of special category data.

5.2 Contract

5.2.1. This legal basis can be used to process personal data to fulfil contractual obligations or because the individual has asked the Union to do something before entering into a contract. The processing must be necessary, targeted and proportionate for the purposes of performing a contract or taking pre-contractual steps.

5.2.2. If processing is not necessary for the Union’s side of the contract with the individual another lawful basis such as legitimate interests or consent will also be needed to process the data.

5.2.3. If processing of a special category is necessary for the contract a separate condition for processing data shall also be needed.

5.3 Legal obligation

This lawful basis is for the processing of personal data to comply with a common law or statutory obligation.

5.3.1. Processing must be necessary to comply with lawful obligations.

5.3.2. The Union should be able to identify the specific legal provision or appropriate source of guidance that clearly sets out the obligation.

5.4 Vital interests

Vital interests can be used as a lawful basis for processing personal data to protect someone’s life.

5.4.1 If there is another, less intrusive, lawful basis for processing data this basis will not apply.

5.4.2 This basis will not apply if the individual is capable of giving consent.

5.4.3 If the Union is likely to rely on this lawful basis the circumstances where it will be relevant should be documented.

5.5 Public task

This lawful basis can be used to process personal data for public functions and powers that are set out in law or to perform a specific task in the public interest that’s set out in law.

5.6 Legitimate interests

Legitimate interests is the most flexible lawful basis for processing.

5.6.1 HSU will always use people’s data in a way they would reasonably expect, with minimal privacy impact or where there is sound justification for the processing.

5.6.2 Processing of data shall follow the three-part test identified by the ICO:

  1. Purpose test – is it a legitimate interest?
  2. Necessity test – is the processing necessary for the purpose?
  3. Balancing test – do the individual’s interests override the legitimate interests?

5.6.3. Legitimate interests shall always be balanced against an individual’s interests, rights and freedoms.

5.6.4. Marketing activities shall also consider whether any consent is required under the Privacy and Electronic Communications Regulations (PECR).

5.7 Special category data

Special category data is personal data which the GDPR says is more sensitive and therefore needs more protection.

5.7.1. Examples of special category data include race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life, sexual orientation.

5.7.2 The Union shall only process special category data if the conditions for processing listed in Article 9(2) of the GDPR are met with legitimate and documented reasons.

5.8 Criminal offence data

To process personal data about criminal convictions or offences you must have both a legal basis and either the legal authority or official authority for the processing.

6. Individual rights

The GDPR provides the following rights for individuals:

6.1 Right to be informed

6.1.1 HSU will ensure it informs individuals about the collection and use of their personal data including: -

  1. The purpose for processing
  2. The length of time it is retained
  3. Who it will be shared with

6.1.2 HSU will provide privacy information at the time personal data is collected. This information should be concise, transparent, intelligible, easily accessible, and use clear and plain language.

6.1.3 When personal data is obtained from a source that is not the individual it relates to, HSU will provide the individual with privacy information before the first communication takes place or within one month of receiving the data.

6.1.4 Privacy information should be regularly reviewed with any changes being communicated to individuals whose data we hold.

6.2 Right of access

6.2.1 Where possible HSU shall provide access to an individual’s data through the Union and University website.

6.2.2 HSU will provide individuals with a simple and transparent process for accessing their personal data and supplementary information. Access information shall be contained in HSU’s Privacy Statements and Notices and responses shall usually be provided within one month of submitting a request.

6.2.3 If HSU believe a request is manifestly unfounded, excessive or repetitive a reasonable fee shall be applied to cover administrative costs of providing the information.

6.3 Right to rectification

6.3.1 Where possible HSU will try to keep all data up-to-date and accurate.

6.3.2 Individuals can request for data to be rectified via email.

6.3.3 HSU will respond to all requests within one calendar month.

6.3.4 HSU shall grant and/or refuse rectification following guidance from the GDPR and the ICO.

6.4 Right to erasure

6.4.1 Following Article 17 of the GDPR, HSU will provide individuals with the right to have personal data erased provided: -

  1. The personal data is no longer necessary for the purpose it was collected for.
  2. Consent was used as the lawful basis and the individual withdraws their consent.
  3. Legitimate interests were used as the lawful basis and the individual objects and there is no overriding legitimate interest to continue the processing.
  4. The processing is for direct marketing purposes and the individual objects to that processing.
  5. Data has been processed unlawfully.
  6. The Union is complying with a legal obligation.

6.4.2 HSU shall grant and/or refuse the right of erasure following guidance from the GDPR and the ICO.

6.5 Right to restrict processing

6.5.1 Individuals have the right to restrict the processing of their data by HSU if the following circumstances apply: -

  1. The individual contests the accuracy of the data and HSU is verifying its accuracy.
  2. The data has been unlawfully processed and the individual opposes erasure.
  3. HSU no longer needs the data but the individual needs HSU to keep it in order to establish, exercise or defend a legal claim.
  4. The individual has objected to HSU processing the data but HSU are considering legitimate grounds to override the rights of the individual.

6.5.2 HSU shall grant and/or refuse the right to restrict processing following guidance from the GDPR and the ICO.

6.6 Right to data portability

6.6.1 HSU will ensure that where it’s applicable individuals shall be able to obtain and reuse their data for their own purposes across different services.

6.6.2 HSU shall follow guidance from the GDPR and the ICO if an individual requests the transfer of their data.

6.7 Right to object

6.7.1 Individuals have the right to object to: -

  1. Processing based on legitimate interests
  2. Direct marketing (including profiling)
  3. Processing for purposes of scientific/historical research and statistics.

6.7.2 HSU shall follow guidance from the GDPR and the ICO when fulfilling an individual’s right to object.

6.8 Rights to automated decision making including profiling

The GDPR includes specific provisions for automated individual decision making and profiling.

6.8.1 HSU will only undertake solely automated decision making provided that: -

  1. It is necessary for entering into or performance of a contract with HSU.
  2. It’s based on an individual’s explicit consent.

6.8.2 A Data Protection Impact Assessment must be completed to ensure risks are identified and addressed.

6.8.3 GDPR also requires HSU to: -

  1. Give individuals specific information about the processing including the logic involved in the decision making.
  2. Take adequate steps to prevent errors, bias and discrimination.
  3. Give individuals the right to challenge and request a review of the decision.

7. Governance and Accountability

The GDPR requires HSU to have comprehensive but proportionate governance measures to minimise the risk of breaches and uphold the protection of personal data. HSU will maintain the following streams of work that will be monitored by Performance, Audit, Risk and Remuneration Committee:

  1. Have an active data protection policy and procedures that are effectively communicated to all staff.
  2. All staff to receive basic and role specific training on data protection.
  3. Maintain relevant and up-to-date documentation on data processing.
  4. Carry out regular data protection audits across the organisation.
  5. Include data protection within the Union’s risk register.

7.1 Security

7.1.1 HSU will ensure it has appropriate security to prevent personal data being accidentally or deliberately compromised. This shall be achieved by ensuring that: -

  1. Data can be accessed, altered, disclosed or deleted by those who are authorized to do so.
  2. The data is accurate and complete.
  3. The data remains accessible and useable and has not been accidentally lost, altered or destroyed.

7.1.2 All staff are responsible for ensuring that any personal data which they hold are kept securely in line with the University’s IT Security Policies and Procedures and that such data is not disclosed to any unauthorised third party.

7.1.3 All personal data should be accessible only to those who need to use it. A judgement on security measures shall be based on the risks presented by the data’s value, sensitivity or confidentiality. Consideration should always be given to keeping personal data: -

  1. In a lockable room with controlled access;
  2. In a locked drawer or filing cabinet;
  3. If computerized, password protected.

7.1.4 Shared folders, files and documents shall have a clear structure and permission set to ensure that all staff only have access to the personal information they require.

7.1.5 All data stored or transported on removable devices (such as memory sticks, external hard drives, mobile devices, etc.) should have an appropriate level of encryption to prevent a data breach if it is lost or stolen.

7.2 International Transfers

7.2.1 HSU will aim to ensure all processing of data takes place within the European Union.

7.2.2 Where this is not the case and personal data is shared with organisations outside the European Union we will seek to ensure that such organisations are based in countries that have comparable levels of personal data protection regulations to those enjoyed in the European Union.

7.2.3 HSU will follow the guidance outlined in the GDPR and from the ICO to comply with the relevant legislation.

7.3 Risk

7.3.1 Risks associated with the GDPR shall be appropriately assessed, with findings logged on HSU’s Risk Register.

7.4 Data breaches

7.4.1 HSU will follow the GDPR and guidance from the ICO following any suspected or actual data breaches.

7.4.2 Any notifiable breach will be reported to the ICO, Charity Commission and the University within 72 hours after becoming aware of it.

7.4.3 All data breaches shall be appropriately investigated and recorded.

7.4.4 Should any employee, volunteer, contractor or other be found to have broken this policy or have been negligent with HSU’s data then disciplinary actions outlined in the Constitution and associated policies may be taken following an investigation.

7.5 Complaints

7.5.1 HSU will follow the processes outlined within the Constitution (Bye Law Eight: Complaints Procedure) and relevant policies when investigating complaints relating to data protection.