Privacy Notice

The University of Essex Students Union – Privacy notice

Effective 31st January 2019

At the University of Essex Students’ Union we’ve made it our mission to always protect and respect your privacy and to ensure that all Personal Information shared with us is treated with the utmost care. The Union has created this Privacy Notice in order to demonstrate our commitment to the privacy of all our Student Members, Guests and Service Providers.

This Privacy Notice explains when and why we collect personal (“data”) information about you, how that data is stored, used and kept safe. This notice also explains your rights and choices in relation to your personal data.

Personal data is any information, held in any form that relates to you as an identifiable individual.

 

Who We Are

The University of Essex Students’ Union is a charity registered in England & Wales (No. 1140278). Our registered office is Wivenhoe Park, Colchester, Essex, CO4 3SQ.

UESU Limited is a wholly owned subsidiary of the University of Essex Students’ Union, a company registered in England and Wales (No. 073231517). Our registered office is Wivenhoe Park, Colchester, Essex, CO4 3SQ.

Our Website can be found https://www.essexstudent.com

 

How To Contact Us

Any questions regarding this Privacy Notice and our privacy practices should be sent for the attention of the Data Controller:

By email to: sudata@essex.ac.uk;

In writing to: University of Essex Students’ Union, Wivenhoe Park, Colchester, Essex CO4 3SQ; OR

By telephone: 01206 863211

 

For general and business enquiries:

Please contact: SU Reception

By email to: su@essex.ac.uk

By telephone to: 01206 863211

In writing to: University of Essex Students’ Union, Wivenhoe Park, Colchester, Essex CO4 3SQ; OR

Or visit: SU Reception, Square 3, Wivenhoe Park, CO4 3SQ   

 

Scope

This Privacy Notice applies to websites on behalf of the University of Essex Students’ Union and UESU Limited (here after “The Union”), and the entirety of its operations within the UK

If you are a current or prospective Tenant, Landlord, Guarantor or Service Provider of SU Homes please refer to the SU Homes Privacy Notice which can be found here: https://www.essexstudent.com/suhomes/privacy/. SU Homes is the trading name of Essex Student Lets Limited, a company registered in England and Wales (no. 7413547). Our registered office is Wivenhoe Park, Colchester, Essex, CO4 3SQ. Essex Student Lets Limited is a wholly owned subsidiary of the University of Essex Students’ Union.

 

CONTENTS

How Do We Collect Information From You

What Type Of Personal Information Do We Collect

How We Use Your Personal Information

Lawful Basis For Processing Your Personal Information
How We Process Your Personal Information

Your Choices and Access to Your Personal Information
Sharing Personal Information with Third Parties
Personal Information Security
Cookies and Web Beacons
Changes To This Privacy Notice
Data Controller

How Do We Collect Information From You?

  • Information you give us directly

For example:

When you register an interest in an event, activity, club or society etc.

When you register with the SU Website

When you register for a SU Saver Card

When you join a student group, such as Sports Clubs, Societies, VTeam etc.
When you participate in an SU event or activity, such as Just Play
When you use one our services, such as SU Reception or SU Advice

When you book event tickets via the SU Website

When you enter into a contract with the Union for the supply or provision of goods and/or services

When you participate in a Union campaign or project
When you choose to run for an elected position within the Union

When you vote

When you complete a survey

When you correspond with us including contacting us with queries, complaints etc.

When you opt in to receive marketing information about our events, services, activities and promotions  

When you raise an invoice for goods or services provided to the Union

When you use buildings and venues which operate CCTV systems for the security of our members and customers

 

  • Information we receive indirectly from the University of Essex

All students who study at the University of Essex automatically become members of the Students’ Union. In order to enable the Union to comply with its obligations under the Education Act 1994 the University of Essex automatically transfers information about students when they register with the University.  This information is used to promote the general interests of its members as students, and to represent students in academic, disciplinary and other matters relating to academic governance of the University of Essex.

 

All students have the right to opt out of Student Union membership. Should you exercise this right you will not be disadvantaged with regards to the provision of services and otherwise. You can opt out of membership by contacting both the Registrar at the University of Essex and the Chief Executive at the University of Essex Students’ Union in writing.

When you visit our website

It is standard practice for web servers to collect data automatically about all requests for files (web pages, images, etc.). Data automatically collected will include:

  • your IP address
  • details about your web browser
  • details about files requested
  • date and time of requests for each file requested
  • the referring page, if any, from which you may have followed a hyperlink
  • search times and search results
  • the domain from which your request originated
  • your username, if you have authenticated with the web server

This information is used to improve the services we offer.

 

Information on the use of cookies can be found under the “Cookies and Web Beacons” section below.

 

Some websites of the Union may contain links to websites not owned or operated by the Union. The Union is not responsible for the content, privacy policies, or practices of those websites. We recommend that you review the privacy policies of each site you visit.

 

  • Social Media

 

When you interact with us on social media platform such as Facebook and Twitter we may obtain information about you (for example when you tag us in on photos). The information we receive will depend on the privacy preferences you have set up on those types of platforms.

 

What Type of Personal Information Do We Collect?

 “Personal Information” that will be collected or processed by the Union includes:

  • Contact details such as name, address, email, phone number, next of kin
  • Date of birth;
  • Answers to security questions;
  • Equality information including sex/gender, sexuality, religion and nationality;
  • Academic records;
  • Demographic data;
  • Course details, such as department, course, type of study, year of study;
  • Medical information such as prescriptions when you use the prescription service;
  • Images on CCTV or Photos taken at events;
  • Student registration identification number (PRID);
  • Purchasing history;
  • IP address;
  • ID such as passport, driving license, including, where necessary, visa details and passport numbers;
  • Financial information; such as that which could be used to process invoices and payments;
  • Hardship loan details, such as loan issued, and loan repayment date;
  • Driving Licenses and motor insurance details when you register as an “Approved” driver of our vehicle fleet or use your own vehicle to carry passengers on Union business, such as attending Club matches;
  • Training records;
  • Signatures;
  • Documents required enabling the provision of advice on Visa Applications, disciplinary and academic issues etc.
  • If you are a sole trader providing certain services we may require insurance documentation
  • If you register to the Students’ Union website, we collect contact information, username and password and can collect additional information submitted through registration or via updating your information.
  • If you make any purchases through the site, we will record your billing address; however, we do not record your payment card details. This information is collected through Sage Pay, our online payment provider. No card payment details are stored through the site.
  • If you email us directly via an email hyperlink or contact form to provide us with feedback on the site, or to ask a question regarding the site, we will record any information contained in such emails for a period of up to one year to analyse trends and ensure improvements to the site.
  • Some web browsers may transmit “do not track” signals. Web browsers may incorporate or activate these features differently, making it unclear if users have consciously activated them.  As a result, at this time we do not take steps to respond to such signals. 

The Union may collect Personal Information in a variety of ways including directly from students while online when you use any of our online tools or features or applications.

We also collect anonymous information for longitudinal statistical purposes. Any anonymous information is not linked to your personal information and cannot be used to identify you.

How We Use Your Personal Information

The Union collects and uses your Personal Information to:

  • Provide membership, representation and support services
  • Provide administrative support and membership facilities to student groups, such as Sports Clubs, Societies, Volunteering, and Student Reps etc.
  • Manage and maintain accounting records on behalf of Sports Clubs and Societies
  • Provide booking facilities for events and services
  • Create and maintain accounts
  • Provide voting facilities for members for elections run by the Union
  • Administration of Parliament and Referendums
  • Help you receive email and direct mail
  • Help you provide us with feedback or other communications
  • Evaluate and improve the services we offer
  • Collect views and opinions of the membership, including minority groups and to weight the data to ensure the results are representative
  • Generate of demographic reports to track student engagement
  • Facilitate incident management, welfare support, security and crime prevention

We process Personal Information submitted by students for the purpose of providing the above-referenced services (collectively, the “Services”) to students, guests and service providers. To fulfill these purposes, we may access Personal Information to provide the Services, to prevent or address service or technical problems, to respond to customer support matters, to follow the instructions of a customer who submitted the Personal Information, or in response to contractual requirements with our students.

Lawful Basis For Processing Your Personal Information

Contractual

Where you have entered into a contract with the Union, we will process your Personal Information in order to meet our obligations and exercise our rights in terms of that contract.

 

Consent

There may be some occasions where we seek your consent to process Personal Information but in those cases we will provide full details of what the Union is seeking consent for, so that you will be able to carefully consider whether to provide that consent.

 

Legal

If the law requires us to, we may need to collect and process your data, for example where we are ordered by a regulatory body, such as the Charities Commission or for fraud and crime prevention.

 

Legitimate Interest

In other cases, the Union has a legitimate interest in processing Personal Information in a way which might be reasonably expected for the purpose of running a membership organisation.

 

How We Process Your Personal Information

When processing Personal Information the Union ensures that:

 

  • it is processed lawfully, fairly and in a transparent manner (‘lawfulness, fairness and transparency’);
  • it is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; (‘purpose limitation’)
  • it is all adequate, relevant and limited to what is necessary in relation to the purposes for which the Personal Information is processed; (‘data minimisation’)
  • it is all accurate and, where necessary, kept up to date and that reasonable steps will be taken to ensure that Personal Information that is inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
  • it is kept in a form which permits identification of you for no longer than is necessary for the purposes for which the Personal Information is processed; (‘storage limitation’)
  • it is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

The Union will facilitate any request from you to exercise you rights under data protection law and the General Data Protection Regulation as appropriate, always communicating in a concise, transparent, intelligible and easily accessible form and without undue delay. 

 

The Union will also:

 

  • ensure that the legal basis for processing Personal Information is identified in advance and that all processing complies with the law.
  • not do anything with your Personal Information that you would not expect given the content of this policy.
  • ensure that appropriate information is provided advising how and why Personal Data is being processed, and in particular advising data subjects of their rights.
  • only collect and process the Personal Information that we need for the purposes we have identified in advance.
  • ensure that as far as possible the Personal Information we hold is accurate, or a system is in place for ensuring that it is kept up to date as far as possible.
  • only hold onto your Personal Information for as long as it is needed after which time we will securely erase or delete the personal data. The Union Data Retention Policy sets out the appropriate period of time.
  • ensure that appropriate security measures are in place to ensure that Personal Information can only be accessed by those who need to access it and that it is held and transferred securely.

Your Choices and Access to Your Personal Information

Direct Mailing:

The Union will only send direct mail via email or post if you have opted in to receive such information. You can opt out from receiving these communications at any time by following the opt out instructions provided in the email or written correspondence.

 

The Union honors a “once out – always out” policy. Once you opt out, you are opted out of that type of communication and that brand until we are explicitly told in writing to opt you back in.

 

The Union may send you periodic information via email or post for legitimate interest purposes. These communications will provide updates and information that would be reasonably expected for membership purposes. These communications may be in the form of a newsletter or email updates. You have the right to opt out of receiving these communications by contacting The Union directly via email, post, telephone, or by visiting the SU Reception. The Business contact details for The Union can be found above under “How to contact us”. 

 

Subject access: the right to request information about how Personal Information is being processed including whether Personal Information is being processed and the right to be allowed access to that data and to be provided with a copy of that data along with the right to obtain the following information:

 

  • the purpose of the processing
  • the categories of personal data
  • the recipients to whom data has been disclosed or which will be disclosed
  • the retention period
  • the right to lodge a complaint with the ICO in the United Kingdom
  • the source of the information if not collected direct from the subject
  • the existence of any automated decision making.

Rectification: the right to allow a data subject to rectify inaccurate Personal Information concerning them.

 

Erasure: the right to have data erased and to have confirmation of erasure, but only where:

 

  • the data is no longer necessary in relation to the purpose for which it was collected; or
  • where consent is withdrawn; or
  • where there is no legal basis for the processing; or
  • there is a legal obligation to delete data.

Restriction of processing: the right to ask for certain processing to be restricted in the following circumstances:

  

  • if the accuracy of the personal data is being contested; or
  • if our processing is unlawful but the data subject does not want it erased; or
  • if the data is no longer needed the data for the purpose of the processing but it is required by the data subject for the establishment, exercise or defence of legal claims; or
  • if the data subject has objected to the processing, pending verification of that objection.

Data portability: the right to receive a copy of Personal Information which has been provided by the data subject and which is processed by automated means in a format which will allow the individual to transfer the data to another data controller.

 

Object to processing: the right to object to the processing of Personal Information relying on the legitimate interests processing condition unless the Union can demonstrate compelling legitimate grounds for the processing which override the interests of the data subject or for the establishment, exercise or defence of legal claims.

Personal Information is to be used for a purpose other than those for which it was originally collected or subsequently authorised by such user.  We will treat as sensitive any Personal Information received from a third party where the third party identifies and treats it as sensitive.

Sharing Personal Information With Third Parties

We may pass your Personal Information to our carefully selected third party providers, suppliers, and agents for the purpose of providing services to you on our behalf or providing services to support the Union’s functions, such as email, website, payment processing and market research. We will also share information with associated parties, such as our subsidiaries and the University of Essex. We may also transfer personal information to agents for email marketing purposes.

 

In order to provide for adequate protection of your Personal Information, we have in place security and contractual arrangements with such third parties, agents and suppliers to ensure the protection of your Personal Information. If Personal Information is transferred from within the UK to a jurisdiction outside the EEA, it is done so under a Data Transfer Agreement, which contains standard data protection contract clauses, which have been adopted by the European Commission, and where safeguards have been put in place for personal information that is transferred outside of the EEA. By submitting your Personal Information to us, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Notice.

 

The Union and the University of Essex work in partnership to improve the student experience, retention and representation and may collaborate on joint initiatives and service provision to help deliver these aims. Both entities also have a shared responsibility to look after the welfare and security of students of the University of Essex. In addition the Union occupies premises owned by the University of Essex and therefore shares a number of services provided directly by the University and third party providers.  We may share data with the University of Essex for the purposes of:

  • Facilitating the assessment of needs and the provision of advice when you use the services of  SU Advice, with your consent
  • Anonymised statistics and student feedback to aid the evaluation and improvement of student services
  • Incident management, health & safety, security, welfare and crime prevention
  • Where we have serious concerns regarding the wellbeing of a student we have provision within our SU Advice confidentiality agreement to share our concerns with appropriate departments within the University

 

The “Information Sharing Agreement in Safeguarding cases” between the Union and the University also makes provision for information sharing with regards to safeguarding matters

 

We have in place a Data Sharing Agreement in order to provide adequate protection of your personal information which is due to be ratified by the Union’s Trustee Board in March 2019 and University Council in May 2019.

In addition to disclosures to third party providers and Agents as described above, we may disclose or transfer Personal Information in connection with, or during negotiations of, any merger, sale of company assets, product lines or divisions, or any financing or acquisition. We may also disclose Personal Information to prevent damage or harm to us, our Services, or any person or property, or if we believe that disclosure is required by law (including to meet national security or law enforcement requirements), or in response to a lawful request by public authorities.  Except as described in this Privacy Notice, we will not otherwise disclose Personal Information to third parties unless you have been provided with an opportunity to opt in to such disclosure.

The Union does not release the Personal Information it collects from you to any unrelated third parties so that they may send you commercial promotions or offers for products or services.

Except as described in this Privacy Notice, we will not otherwise disclose personal data to any third parties unless you have provided consent to such disclosure and, in the case of personal data collected from children, the appropriate verifiable consent is obtained.

If an individual wishes to opt out or limit the use and disclosure of their personal data to a third party or a use that is incompatible with the purpose for personal data was originally collected or authorised, the individual may send such request to sudata@essex.ac.uk.

When the Union transfers Personal Information to countries other than the country where it was provided, we do so in compliance with applicable data protection laws. Copies of the Personal Information at the point of origin are deleted on a regular basis. Any transfers of Personal Information from guests outside the European Economic Area (the “EEA”), will comply with GDPR requirements, as appropriate, in all respects.

Personal Information Security

The Union maintains reasonable and appropriate security measures designed to help protect against loss, misuse, and alteration of Personal Information collected by The Union, which include:

  • physical and logical access controls, including firewall, limited access, and SSL encryption technology, that limit who can access personal data based on business/processing need;
  • Privacy Notices for personal data (this document) and for employee personal data (a copy of which may be requested at sudata@essex.ac.uk);
  • employees who are bound by confidentiality obligations;
  • annual employee training on our privacy policies;
  • the appointment of a Data Controller to handle all personal data incidences or issues, including, without limitation, the handling of individual requests related to his/her personal data processed by The Union; and
  • The University’s Information Security Policy, and the Union’s Data Breach Policy that contain incident response plans for escalation and resolution of data breach incidents.

Cookies and Web Beacons

The Union uses web beacons in emails to track traffic from the email to specific pages on our websites. You may be able to adjust your browser so that your computer either does not accept cookies, or notifies you when a website tries to deposit a cookie into your computer. Our website uses cookies however; our cookies do not contain confidential Personal Information such as your home address, telephone number, or credit card information. We do not exchange cookies with any third parties. 

Changes to This Privacy Notice

We may amend this Privacy Notice at any time. If we make any changes in the way we collect, use, and/or share your Personal Information, we will notify you by sending you an email at the last email address that you provided us, or by prominently posting notice of the changes on the web sites covered by this Privacy Notice.

Data Controller

Your Personal Information is protected in the United Kingdom by the Data Protection Act 2018 (the “Act”), the General Data Protection Regulation 2016/679; and all relevant EU and UK data protection legislation. Under the Act we will only process your Personal Information in a lawful and fair manner. We will secure your Personal Information to prevent unauthorised access by third parties. 

For the purposes of the Act, the data controller is the Union, registered at Wivenhoe Park, Essex, CO4 3SQ and registered with the Information Commissioner’s Office with registration number Z4727539.

 

All Personal Information collection and processing in the United Kingdom by the Union will be undertaken by the Union in accordance with the terms of this Privacy Notice.

The Union are committed to working with you to obtain a fair resolution of any complaint or concern about privacy. We cooperate with country data protection authorities if they believe that a privacy problem has occurred.

If you believe that the Union has not complied with your rights in relation to your personal data in relation to processing in or related to the United Kingdom, you can complain to the Information Commissioner’s Office. Their contact details are available at www.ico.org.uk

Contact Us

If you have any questions regarding your privacy, please contact The Union directly:

University of Essex Students Union

Wivenhoe Park

Essex

CO4 3SQ

Telephone: +44(0)1206 863211

Email: su@essex.ac.uk        

If you believe that the Union has not complied with your rights in relation to your personal data in relation to processing in or related to the United Kingdom, you can complain to the Information Commissioner’s Office. Their contact details are available at www.ico.org.uk