Data Protection Policy

Policy Statement 

Leeds Beckett Students’ Union (LBSU) is registered with the Information Commissioner’s Office; our registration reference is Z7420837. We recognise that our members, staff, and others, have the right to know what data we hold about them, and that any data held is in compliance with the General Data Protection Regulations (GDPR). We process personal information about our members and staff in accordance with the six Principles of GDPR.

Controllers and Processors

Leeds Beckett Students’ Union is the controller for data collected for its services and activities whereas Leeds Beckett University is the data controller of student records forming our membership records and we are a processor of that information.  

A processor is an individual or company responsible for processing personal data on behalf of the controller.  The Students’ Union is a processor when handling membership records.  Staff members, volunteers and reps are processors when handling data on behalf of the Students’ Union.  

The GDPR places specific legal obligations on processors.  For example, they are required to maintain records of personal data and processing activities and they will have individual legal liability if they are responsible for a data breach.

Personal Data

The GDPR applies to “personal data” meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.  This definition provides for a wide range of personal identifiers to constitute personal data, including name, student identification number, location data etc.

The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible.

Special Categories of Data (previously known as Sensitive Data)

There are 10 special categories of data which require special measures of risk control to be in place.  These are:

  • Biometric information

  • Genetic information

  • Racial or ethnic information

  • Political opinions

  • Religious or other similar beliefs

  • Membership of trade unions

  • Physical or mental health or condition

  • Sexual life

  • Sexual orientation

  • Gender

Principles of GDPR

Under the GDPR, the main data processing principles require data to be:

  1. processed lawfully, fairly and in a transparent manner in relation to individuals;

  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.  Information about lawful processing is provided in Appendix B.  Further processing for archiving purposes in the public interest, research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.;

  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

  4. accurate and, where necessary, kept up to date.  Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.  Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

Individual’s rights and freedoms

The GDPR provides the following rights for individuals:

The right to be informed

The right to be informed encompasses the Union’s obligation to provide fair processing information which is done typically through a privacy notice.

The right of access

Individuals have the right to access their personal data and supplementary information which allows them to be aware of and verify the lawfulness of the processing.  Individuals requiring access to the data the Union holds on them should put their request in writing to the Chief Executive who will provide the information within 30 days of receipt of the request.  If the request relates to student member data provided by the University, the individual will be advised to also contact the University to request access.

The right to rectification

Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.  Third parties to whom the Union has disclosed personal data must be informed by the staff member responsible for the contract so that they can rectify their records.  Individuals requiring rectification of data should put their request in writing to the Chief Executive who will co-ordinate the rectification of the individual’s data within 30 days of receipt of the request.  If the request relates to student member data provided by the University, the individual will be advised to also contact the University to request rectification.

The right to erase

The right of erasure is also known as “the right to be forgotten”.  Individuals are entitled to request the deletion or removal of personal data where there is no compelling reason for its continued processing.  Third parties to whom the Union has disclosed personal data must be informed by the staff member responsible for the contract so that they can erase their records.  Individuals should put their request in writing to the Chief Executive who will co-ordinate the administration of the erasure within 30 days of receipt of the request.  If the request relates to student member data provided by the University, the individual will be advised to also contact the University to request erasure.

The right to restrict processing

Individuals have a right to block or suppress processing of personal data. When processing is restricted, the Union is permitted to store the personal data, but not further process it.  An example being members opting out of receiving email communications.  Third parties to whom the Union has disclosed personal data must be informed of the restrictions by the staff members responsible for the contract.

For data processing activities such as email and SMS communications, the Union provides automated opt-out systems which the individual can use to limit processing.  For processes where automated systems are not available, individuals should put their request in writing to the Chief Executive who will co-ordinate the administration of the request within 30 days of receipt.  

The right to data portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.  Individuals should put their request in writing to the Chief Executive who will arrange for the personal data to be sent to the individual in a suitable format within 30 days of receipt of the request.  If the request relates to student member data provided by the University, the individual will be advised to also contact the University to request their data.

The right to object

Individuals have the right to object to processing based on legitimate interests or the performance of a task in the public interest, direct marketing, and processing for purposes of scientific/historical research and statistics.  Much of the Union’s data processing activities are based on legitimate interests, research or direct marketing so it is important that employees and volunteers are aware of this right.  Third parties to whom the Union has disclosed personal data must be informed of the objection by the staff member responsible for the contract.  Individuals should put their request in writing to the Chief Executive who will co-ordinate the response to the request within 30 days of receipt.  If the request relates to student member data provided by the University, the individual will be advised to also contact the University to object to processing.

Privacy and Electronic Communications Regulations

The Privacy and Electronic Communications Regulations (PECR) sit alongside the GDPR. They give people specific privacy rights in relation to electronic communications.  There are specific rules on marketing calls, emails, texts, cookies, keeping communications services secure and customer privacy.

The key requirement of the PECR is that individuals contacted by these methods must have given their prior consent other than in very limited circumstances. PECR does not consider that contacting people as a default unless they have opted out is satisfactory.  They look for evidence that individuals have given their explicit consent before any communications take place.

Soft opt-in consent is only acceptable when the following 3 criteria are met:

  1. The contact details were obtained from the individual during a sale or negotiation of a sale for produce or service.  For the Union, this will usually be when a person is becoming a member or we are contacting an existing member; and

  2. The communications relate to similar products or services; and

  3. The option to opt out (or unsubscribe) was provided then the data was collected and is included in each and every subsequent communication.

The conditions are specific and cannot be relied upon in many situations.  Difficulties can arise when using a member’s mobile number to send campaigning messages if the number was not initially collected for the purpose of campaigning.

Individual Responsibilities

The Chief Executive is responsible for the general development, promotion and adherence to this policy, and ultimately responsible for compliance by all elected officers, staff and volunteers. The Chief Executive is also the nominated contact for the Information Commissioner’s Office.

All elected officers, staff and volunteers who process personal data are expected to understand and adhere to the six Data Protection Principles set out in the Act and to ensure that they dispose of records that have reached the end of their retention period, taking care to do so confidentially where necessary.  Staff should refer to the Staff Checklist for Recording Data in their day-to-day work, and this can be found in Appendix A. 

The Chief Executive is responsible for ensuring that adequate and appropriate knowledge and competence for good data protection exists across the organisation. The Senior Management Team is responsible for the oversight of relevant data protection issues and should raise these for discussion, resolution and communication across LBSU.  Our responsibilities will be met by making available this policy and procedures to all colleagues, compulsory training and development for new elected officers, staff and volunteers, and ongoing training and development for colleagues with access to sensitive data, and with management responsibility. 

Key Activities and Data Protection Procedures

Recruitment

Potential employees’ personal data can be collected as long as the people are aware their data is being recorded and retained.  It is imperative that the data collected about potential employees is not excessive and that it is stored securely and not shared with anyone who has no need to see it.  The Office Manager is responsible for the collection and storage of recruitment information.  They will ensure the following:

  • All recruitment packs include a statement which makes potential employees aware that their data will be recorded and retained for no more than 6 months after the recruitment process is complete.

  • Completed Equal Opportunities monitoring forms will be separated from the rest of the recruitment pack and will be analysed by the Office Manager before being disposed of so that the Students’ Union can monitor its performance with regards to equal opportunities in recruitment.

  • All recruitment data will be stored electronically in the HR Folder on the shared drive.  This folder may only be accessed by the Chief Executive, Deputy Chief Executive, Office Manager and the Senior Receptionist.

  • Recruitment panel members will only be provided with a hard copy of the recruitment information for shortlisting and interviewing if the request it.  This will be kept securely by each panel member (i.e. not left on a desk in an open office).  Once recruitment is complete they will return their hard copies and notes to the Office Manager for shredding.

Employee Records

When starting employment with the Students’ Union, employees sign a contract which provides consent to process personal information, sensitive information and transferring this data in the delivery of services such as payroll, the HR Toolkit, pensions, insurance, employee benefits and for employment advice.  Employees have a responsibility for ensuring their data remains up to date.

Students’ Union Membership Records Data Set

The University shares student data with the Students’ Union through a data sharing agreement.  These records are managed by the Students’ Union’s Head of Marketing, Communications and Events and direct access to this data is restricted to the Head of Marketing, Communications and Events, the Chief Executive, the Digital Communications Co-ordinator, the Student Voice and Insight Manager and the Student Voice Researcher.  The Students’ Union will send a welcome email to all members prior to any further information.

Society Membership Data Set

The Students’ Union provides a membership management platform that facilities memberships of societies.  Volunteers running student groups may collect data externally from this system through an approved process.

Employees and volunteers will be assigned specific access levels to handle certain data to administer student activities using the membership platform.

Employees and volunteers may not transfer data to third parties without the explicit consent from the individual students.

Employees and volunteers must be careful to only use personal data for purposes for which it was collected.

Using Members’ Data

Employees and volunteers processing data from members must ensure that the information is:

  • Not widely circulated;

  • Only made available to authorised data handling individuals;

  • Only used for the specific purpose for which it was collected;

  • Held securely; and

  • Securely destroyed after use.

Below is a table of things to do and not do, which should be borne in mind when processing membership data.

Do

Do Not

Only extract and use the information that is needed to complete a task.

Extract more than you need for a task. A lack of time is not a legitimate reason for not considering the exact data needed.

 

Only use data for one task. A new list should be extracted for each task.  This makes sure the data that is being used is up-to-date and accurate.

 

Provide information to others not involved in the task for which the data was extracted.

Keep the information on systems and networks that are recognised as being acceptable for Union work such as University networked equipment.

 

Email information to a personal email address or save it onto a personal device for any reason.

Take care when taking personal data out of the Union buildings.  Only take the information if it is necessary, keep it safe and return it as soon as possible.

 

Keep the information that you have got to use for a very similar exercise that you know you’re going to do in the future.

Update the relevant staff member responsible for the data if an individual’s information is out of date.

 

Leave personal data that has been taken out of the office unattended.

Shred information and use a confidential waste bag.

Put information into a normal bin.  Someone else could find it and misuse it.

 


Data Cleansing

This is a crucial activity in the run up to Freshers and elections.  It is natural for members to leave, change course, or change status and it is therefore important the Union cleanses its data regularly.  The Student’ Union collects and renews data from the University several times through the year to ensure this data is accurate.

Where disciplinary processes, or opt out processes or the death of a member result in the need for that member’s data to be removed, the Chief Executive will inform the Head of Marketing, Communications and Events and any other relevant staff member so that they can remove the member from all relevant Union databases.

Emailing and Text Messages

As all email addresses are deemed to be personal data by the Information Commissioner’s Office,  all bulk communications with members using email and text distribution lists must follow the following rules:

Individuals who have opted out of mailings (apart from core purpose emails) are not included in mailings or bulk text messages;
The blind carbon copy (bcc) field on the email address line is used;
If a member informs the Union that they no longer wish to be contacted via email or text, their name and contact details must be removed from the distribution list, and a note made that they have not consented to receive emails or texts.  The only exception to this is if the message contains statutory Union information and cannot be provided to the member in another way.
An option to unsubscribe to similar communications is added to the bottom of the email or text message each time a message is sent out.

Communications with generic '@leedsbeckett.ac.uk' addresses such as suhelpdesk@leedsbeckett.ac.uk are not considered personal data as they do not identify an individual human being.

Marketing and Publicity

The Marketing, Communications and Events Department are responsible for ensuring that when filming or photography is taking place at Students’ Union events, event notices warning that filming or photography will be taking place are displayed at all entrances to the event.  The Marketing, Communications and Events Department is also responsible for ensuring that specific written consent is obtained from any individual before they are photographed or filmed.

Commercial Marketing

Solely purposed commercial marketing, through email or text, must only be sent to those who have opted-in to receive messages.  Commercial marketing messages must include an opt-out function. 

Advice and Representation Cases

Data relating to advice and representation is extremely sensitive and several of the data protection principles apply.  Advice data is held in the AdvicePro system which may only be accessed by the SU Advice Team.

Live and archived cases are stored securely and are disposed of securely by being shredded and placed in a confidential waste bag if a hard copy.

Democratic Processes

The Union is legally obliged by the Education Act 1994 to engage and facilitate students in elections processes which requires processing specific data.  The data used for this activity is the membership data provided by the University.

Research

The Students’ Union insight gathering activities, such as surveys are undertaken by consent.  Records of individuals views, unless anonymised, are considered personal data and as such are subject to the rights and freedoms already outlined in this document.

Data published must not individually identify any person without their explicit consent.  However, anonymised data from all datasets may be processed and published for statistical purposes.  Data should only be collected through the agreed platforms and by authorised individuals.

Service Administration

This covers data processing activities relating to how the Union delivers administration of services for members, suppliers, contractors and visitors. This data can include:

  • Bank account details for the purpose of making payments

  • Commercial clients for the purposes of credit control and management

  • Drivers details for minibus insurance purposes

  • Contact details for members asking for someone in the SU to contact them

  • Events customers for the purposes of ticket management

  • Information about enquiries at the Headingley office

  • Information declared through the complaints procedure

  • Student ID cards for Amber Taxi payments

Employees and volunteers processing this data must ensure that the information is:

  • Not circulated widely

  • Only made available to authorised data handling individuals

  • Only used for the specific purpose for which it was collected;

  • Held securely; and

  • Securely destroyed after use.

Information Security Procedures

Hard copies, file notes, incoming and outgoing letter correspondence

The Students’ Union has a duty to ensure that data is held securely.  Provisions that employees and volunteers must consider putting in place include:

  • Lockable filing cabinets

  • Clear desk policy

  • Secure storage for archived files

  • Secure destruction – using a shredder or confidential waste bag

Electronic Data

The same requirements apply to electronically held data.  Provisions employees and volunteers must consider putting in place include:

  • Only using storage on the University network

  • Password protection on all files containing personal data

  • Up to date antivirus and malware systems

  • Secure destruction of IT equipment

CCTV

CCTV units are not networked and the systems can only be accessed by the Venue Manager, Chief Executive, Deputy Chief Executive or law enforcement agencies.

Email Security

Employees @leedsbeckett.ac.uk email addresses are assigned individually to them and should not be shared with others.  In an employee’s absence or for specific investigation purposes only, emails may be access by authorised individuals – authority can only be granted by the Chief Executive.

Employees should take the following steps to ensure the security of their email content:

  • Consider whether the content of the email should be encrypted or password protected.  If sending a spreadsheet containing personal data this must be password protected and the password sent in a separate email.

  • Use blind carbon copy (bcc) instead of carbon copy (cc) in order to hide recipients email addresses from other recipients.

  • Be careful when using a group email address.  Check whether the email really should be going to every member of the group.

  • Never click on a link or share any information with anyone you don’t recognise – if in doubt check first.

Sharing Information

Whenever the Union uses a third party processor we must have a written contract in place.  The contract is important so that both parties understand their responsibilities and liabilities.  Examples of third party processors are:

  • ePOS systems providers

  • Payroll

  • Website hosting

  • Pensions providers

As the controller for certain elements of data, the Union is liable for ensuring our compliance with GDPR and we must only appoint processors who can provide sufficient guarantees that the requirements of the GDPR will be met and the rights of data subjects protected.

Third party processors must only act on the documented instructions of a controller.  They will however have some direct responsibilities under GDPR and may be subject to fines or other sanctions if they don’t comply.

Releasing information to prevent or detect crime

The police or other crime prevention/law enforcement agencies sometimes contact data controllers or processors and request that personal data is disclosed in order to help them prevent or detect a crime.  All such requests must be given in writing to the Chief Executive.

The Students’ Union does not have to comply with these requests, but the regulations do allow organisations to release the information if they decide it is appropriate.  Before any decision is made about disclosure, the Information Commissioner asks that organisations carry out a review of the request.  This includes considering:

  • The impact on the privacy of the individual/s concerned

  • Any duty of confidentiality owed to the individual/s

  • Whether refusing disclosure would impact the requesting organisation’s ability to detect, prevent or prosecute an offender

If a decision is made to refuse, it is possible that a subsequent court order may be made by the requesting organisation for the Students’ Union to release the information.  If such a request is received by an employee or volunteer, please refer the request to the Chief Executive.

Information Security Breaches

A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

A data security breach can happen for a number of reasons:

  • Loss or theft of data or equipment

  • Inappropriate access controls allowing unauthorised use

  • Equipment failure

  • Human error

Where an employee, volunteer, supplier or contractor discovers a data breach they must report this to the Chief Executive within 24 hours.  

The Chief Executive shall notify the Information Commissioner’s Office within 72 hours of the breach where there is a risk to the rights and freedoms of individuals such as discrimination, damage to reputation, financial loss, loss of confidentiality, or any other significant economic or social disadvantage.

Where there is a high risk to the rights and freedoms of individuals they shall be notified directly.

New Data Systems or Uses of Data

Whenever a new system to process data or whenever a new project involving data processing is being considered it is important to ensure that a Data Processing Impact Assessment (DPIA) is carried out and documented.  Help with DPIAs can be found on the Information Commissioner’s website.

Disposing of Data

The Union is committed to keeping data for the minimum time necessary to fulfil its purpose.  

Member Data – In line with University policy member files shall be 12 months after a student graduates or otherwise leaves the University.

Below is our data retention schedule.

Record

Statutory retention period

Statutory authority

Accident books, accident records/reports

3 years after the date of the last entry (see below for accidents involving chemicals or asbestos)

The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR)

(SI 1995/3163) as amended

Accounting records

6 years for public limited companies

Section 221 of the Companies Act 1985 as modified by the Companies Acts 1989 and 2006

Income tax and NI returns, income tax records and correspondence with the Inland Revenue

not less than 3 years after the end of the financial year to which they relate

The Income Tax (Employments) Regulations 1993

(SI 1993/744) as amended, for example by The Income Tax (Employments) (Amendment No. 6) Regulations 1996 (SI 1996/2631)

Medical records and details of biological tests under the Control of Lead at Work Regulations

40 years from the date of the last entry

The Control of Lead at Work Regulations 1998

(SI 1998/543) as amended by the Control of Lead at Work Regulations 2002 (SI 2002/2676)

Medical records as specified by the Control of Substances Hazardous to Health Regulations (COSHH)

40 years from the date of the last entry

The Control of Substances Hazardous to Health Regulations 1999 and 2002 (COSHH) (SIs 1999/437 and 2002/2677)

Medical records under the Control of Asbestos at Work Regulations

·       medical records containing details of employees exposed to asbestos

·       medical examination certificates

40 years from the date of the last entry

  • 4 years from the date of issue

The Control of Asbestos at Work Regulations 2002 (SI 2002/ 2675). Also see the Control of Asbestos Regulations 2006 (SI 2006/. 2739)

Medical records under the Ionising Radiations Regulations 1999

until the person reaches 75 years of age, but in any event for at least 50 years

The Ionising Radiations Regulations 1999

(SI 1999/3232)

Records of tests and examinations of control systems and protective equipment under the Control of Substances Hazardous to Health Regulations (COSHH)

5 years from the date on which the tests were carried out

The Control of Substances Hazardous to Health Regulations 1999 and 2002 (COSHH) (SIs 1999/437 and 2002/2677)

Records relating to children

until the child reaches the age of 21

Limitation Act 1980

Records relating to events notifiable under the Retirement Benefits Schemes (Information Powers) Regulations 1995, records concerning decisions to allow retirement due to incapacity, pension accounts and associated documents

6 years from the end of the scheme year in which the event took place, or the date upon which the accounts/reports were signed/completed.

The Retirement Benefits Schemes (Information Powers) Regulations 1995

(SI 1995/3103)

Statutory Maternity Pay records, calculations, certificates (Mat B1s) or other medical evidence

3 years after the end of the tax year in which the maternity period ends

The Statutory Maternity Pay (General) Regulations 1986

(SI 1986/1960) as amended

Statutory Sick Pay records, calculations, certificates, self-certificates

3 years after the end of the tax year to which they relate

The Statutory Sick Pay (General) Regulations 1982

(SI 1982/894) as amended

Wage/salary records (also overtime, bonuses, expenses)

6 years

Taxes Management Act 1970


Recommended retention periods (i.e. where no statutory retention periods exist)

For many types of personnel records, there is no definitive retention period: it is up to the employer to decide how long to keep these records and it’s a question of judgment rather than there being any definitive right and wrong. An employer needs to consider what would be a necessary retention period, depending on the type of record. The advice in this document is based on the time limits for potential tribunal or civil claims and aims to draw sensible conclusions as to how long keeping the records will protect an employer.
Where the recommended retention period given is 6 years, this is based on the 6-year time limit within which legal proceedings must be commenced as laid down under the Limitation Act 1980. Thus, where documents may be relevant to a contractual claim, it is recommended that these be retained for at least the corresponding 6-year limitation period.

Record

Recommended retention period

Actuarial valuation reports

permanently

Application forms and interview notes (for unsuccessful candidates)

6 months. (Because of the time limits in the various discrimination Acts, for example the Disability Discrimination Act 1995, minimum retention periods for records relating to advertising of vacancies and job applications should be 6 months. Successful job applicants documents will be transferred to the personnel file in any event.)

Assessments under Health and Safety Regulations and records of consultations with safety representatives and committees

permanently

Inland Revenue approvals

permanently

Money purchase details

6 years after transfer or value taken

Parental leave

5 years from birth/adoption of the child or 18 years if the child receives a disability allowance

Pension scheme investment policies

12 years from the ending of any benefit payable under the policy

Pensioners’ records

12 years after benefit ceases

Personnel files and training records (including one to one notes, disciplinary records and working time records)

6 years after employment ceases

Redundancy details, calculations of payments, refunds, notification to the Secretary of State

6 years from the date of redundancy

Senior executives’ records (that is, those on a senior management team or their equivalents)

permanently for historical purposes

Time cards/flexi forms

2 years after audit

Trade union agreements

10 years after ceasing to be effective

Trust deeds and rules

permanently

Trustees’ minute books

permanently

Works council minutes

permanently

 


Appendix A: Guidelines for Staff including Staff Checklist for Recording Data

Members of staff will process personal data on a regular basis. The University and Students’ Union will ensure that staff and students give their consent to processing, or that another condition for processing applies, and are notified of the categories of processing, as required by the Act. 

Information about an individual's physical or mental health; sexual life; political or religious views; trade union membership; ethnicity or race; the commission of criminal offences and court proceedings dealing with criminal offences is sensitive and can normally only be collected and processed with their express consent. 

Members of staff have a duty to make sure that they comply with the data protection principles, which are set out in the SU Data Protection Policy. In particular, staff must ensure that records are:

  • accurate;

  • up-to-date;

  • fair;

  • kept and disposed of safely, and in accordance with SU policy.

Individual members of staff are responsible for ensuring that all data they are holding is kept securely. 

Members of staff must not disclose personal data, unless for normal democratic, membership or administrative purposes, without authorisation or agreement from the Chief Executive, or in line with SU policy. 

Before processing any personal data, all staff should consider the checklist. 

All staff should either complete online data protection training through Leeds Beckett University staff mandatory training pages or attend an open training session organised by the SU.

Staff Checklist for Recording Data

    Do you really need to record the information?
    Is the information 'standard' or is it 'sensitive'?
    If it is sensitive, do you have the data subject's express consent?
    Has the individual or data subject been told that this type of data will be processed?
    Are you authorised to collect/store/process the data?
    If yes, have you checked with the data subject that the data is accurate?
    Are you sure that the data is secure?
    If you do not have the data subject's consent to process, are you satisfied that one of the other conditions for processing data applies?
    In respect of databases containing personal data, have you notified the Chief Executive that you intend to hold the data and registered the database?
    How long do you need to keep the data for, and what is the mechanism for review/destruction? 

Appendix B:  Identifying Lawful Processing

For processing to be lawful under the GDPR, a lawful basis must be identified before any personal data can be processed.

The table below identifies the lawful processing reasons, provides relevant examples and identifies any steps that must be taken to proceed with this processing method.

Lawful Processing

Organisational Examples

Next Steps

 

Consent of the data subject

Opting in to receive an SU email

There are specific requirements for gaining consent – it must be clear, specific and documented

 

Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract

 

Storage of the name and address of individuals and processing of this to send/fulfil an online purchase

A copy of this contract or terms and conditions should be kept as evidence

Processing is necessary for compliance with a legal obligation

The HMRC requires the SU to provide certain information for tax purposes

 

 

Processing is necessary to protect the vital interests of a data subject or another person

If someone was in a medical situation that their personal information needed to be released to medical practitioners to preserve life

 

Post releasing this data, the Chief Executive should be informed

Processing is necessary for the performance of a task carried out in the public interest

 

The Union does not process any data in the public interest

Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject

Members could legitimately expect their information to be processed to enable membership focussed services

An assessment must be undertaken and documented to ensure a balance of interests is achieved

 

Data collected relying on legitimate interest must declare the legitimate interest at the point of collection

 

Registered in England Company Number: 7103465
Registered Charity Number: 1139314