Last updated: 22/05/2018 Approved by Communications Committee: 30/05/2018
Contents
Introduction
What is personal data?
What are special categories of data?
Data protection principles
Your rights
Telling you about the collection and use of your personal data
Our bases for processing personal data
Keeping your information secure
Personal data breaches
The Students’ Union believes that your data should be respected and that you should be able to confidently trust us with your personal data.
All personal data held by us will be securely processed, held and deleted in line with relevant data protection laws and our moral responsibilities. This page sets out how we will do this.
When we collect your data we will let you know what we will use it for and the basis for processing.
Your data is handled by the University of Sussex Students’ Union and/or USSU Trading Ltd, both at Falmer House, Falmer, East Sussex, BN1 9QF.
You can contact our Data Protection Officer, Paul Newton, via email - dpo@sussexstudent.com - or by post at the address above.
You can see the categories of personal data we use (where this is not obtained from the person it relates to), the recipients or categories of recipients of the personal data, retention periods and details of transfers to any third countries or international organisations in our summary of the data we process and/or by viewing the data collection assessment for the area(s) you’re interested in. Additionally, we maintain a list of the sub-processors we use which includes details of their data protection measures.
The General Data Protection Regulation (GDPR) applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
For us this means information such as students’ names and email addresses, our employees’ personnel records and the members of sports clubs and societies.
Special categories of data have extra protections as they are considered particularly sensitive in relation to fundamental rights and freedoms:
Personal data revealing
The processing of the following for the purpose of uniquely identifying a natural person:
Data concerning
Note that personal data relating to criminal convictions and offences is not included in the definition of special categories of data, but similar extra safeguards apply to its processing.
All personal data will be processed in accordance with the data protection principles in the Article 5 of the General Data Protection Regulation which states that personal data shall be:
Article 5(2) requires that: “the controller shall be responsible for, and be able to demonstrate, compliance with the principles”, a duty overseen by our Data Protection Officer.
You have a number of rights over your data:
These are explained fully at https://ico.org.uk/for-the-public/ which also contains information about how to make a complaint about how we or any other organisation uses your data.
To exercise your rights over the data we hold about you please contact us via dpo@sussexstudent.com and we’ll act on your request within a calendar month unless the request is complex or a number of requests have been received, in which case we will notify of the expected delay and reasons why.
Whenever we collect your personal data we will give you a privacy notice explaining what we are collecting it for and the legal basis for processing it as well as if we’ll use it for automated decision-making.
We may give this to you verbally, via a sign at the point of collection and/or digitally. You can also see our privacy notices in each of our data collection assessments.
There are six bases for processing personal data. When we choose to collect and process your data will be establish the correct basis and state this in a data collection assessment. You can view these in our summary of the data we process and/or by viewing the data collection assessment for the area(s) you’re interested in.
We use a number of technical and organisational measures to keep your information secure including:
A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data.
If we suspect there may have been a breach of our data we will immediately notify our Data Protection Officer. They will investigate immediately and if there has, or may have been, a notifiable breach they will notify the Information Commissioner’s Office without undue delay and within 72 hours of becoming aware of it.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, we will also inform those individuals without undue delay and in many cases we’ll let people know about a breach even if there isn’t a high risk of damage to them.
Sources of information
www.sussex.ac.uk/ogs/policies/information/dpa/staff ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ www.lochlaw.co.uk
Additional information can be found in our summary of the data we process and/or by viewing the data collection assessment for the area(s) you’re interested in.