Policy Statement
Leeds Beckett Students’ Union (LBSU) is registered with the Information Commissioner’s Office; our registration reference is Z7420837. We recognise that our members, staff and others have the right to know what data we hold about them, and that any data held must comply with the General Data Protection Regulations (GDPR). We process personal information about our members, trustees and staff in accordance with the six Principles of GDPR.
Controllers and Processors
Leeds Beckett Students’ Union is the controller for data collected for its own services and activities, whereas Leeds Beckett University is the data controller of the student records that form our membership records; the Students’ Union is a processor of that information.
A processor is an individual or company responsible for processing personal data on behalf of the controller. The Students’ Union is a processor when handling membership records. Staff members, volunteers and reps are processors when handling data on behalf of the Students’ Union.
The GDPR places specific legal obligations on processors. For example, they are required to maintain records of personal data and processing activities and they will have individual legal liability if they are responsible for a data breach.
Personal Data
The GDPR applies to “personal data” meaning any information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, student identification number, location data etc.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible.
Special Categories of Data (previously known as Sensitive Data)
There are 10 special categories of data which require special measures of risk control to be in place. These are:
- Biometric information
- Genetic information
- Racial or ethnic information
- Political opinions
- Religious or other similar beliefs
- Membership of trade unions
- Physical or mental health or condition
- Sexual life
- Sexual orientation
- Gender
Principles of GDPR
Under the GDPR, the main data processing principles require data to be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Information about lawful processing is provided in Appendix B. Further processing for archiving purposes in the public interest, research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR to safeguard the rights and freedoms of individuals; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Individuals’ rights and freedoms
The GDPR provides the following rights for individuals:
The right to be informed
The right to be informed encompasses the Union’s obligation to provide fair processing information which is done typically through a privacy notice.
The right of access
Individuals have the right to access their personal data and supplementary information which allows them to be aware of and verify the lawfulness of the processing. Individuals requiring access to the data the Union holds on them should put their request in writing to the Chief Executive who will provide the information within 30 days of receipt of the request. If the request relates to student member data provided by the University, the individual will be advised to also contact the University to request access.
The right to rectification
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. Third parties to whom the Union has disclosed personal data must be informed by the staff member responsible for the contract so that they can rectify their records. Individuals requiring rectification of data should put their request in writing to the Chief Executive who will co-ordinate the rectification of the individual’s data within 30 days of receipt of the request. If the request relates to student member data provided by the University, the individual will be advised to also contact the University to request rectification.
The right to erasure
The right of erasure is also known as “the right to be forgotten”. Individuals are entitled to request the deletion or removal of personal data where there is no compelling reason for its continued processing. Third parties to whom the Union has disclosed personal data must be informed by the staff member responsible for the contract so that they can erase their records. Individuals should put their request in writing to the Chief Executive who will co-ordinate the administration of the erasure within 30 days of receipt of the request. If the request relates to student member data provided by the University, the individual will be advised to also contact the University to request erasure.
The right to restrict processing
Individuals have a right to block or suppress processing of personal data. When processing is restricted, the Union is permitted to store the personal data, but not to process it further. An example is members opting out of receiving email communications. Third parties to whom the Union has disclosed personal data must be informed of the restriction by the staff member responsible for the contract.
For data processing activities such as email and SMS communications, the Union provides automated opt-out systems which the individual can use to limit processing. For processes where automated systems are not available, individuals should put their request in writing to the Chief Executive who will co-ordinate the administration of the request within 30 days of receipt.
The right to data portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. Individuals should put their request in writing to the Chief Executive who will arrange for the personal data to be sent to the individual in a suitable format within 30 days of receipt of the request. If the request relates to student member data provided by the University, the individual will be advised to also contact the University to request their data.
The right to object
Individuals have the right to object to processing based on legitimate interests or the performance of a task in the public interest, direct marketing, and processing for purposes of scientific/historical research and statistics. Much of the Union’s data processing activities are based on legitimate interests, research or direct marketing so it is important that employees and volunteers are aware of this right. Third parties to whom the Union has disclosed personal data must be informed of the objection by the staff member responsible for the contract. Individuals should put their request in writing to the Chief Executive who will co-ordinate the response to the request within 30 days of receipt. If the request relates to student member data provided by the University, the individual will be advised to also contact the University to object to processing.
Privacy and Electronic Communications Regulations
The Privacy and Electronic Communications Regulations (PECR) sit alongside the GDPR. They give people specific privacy rights in relation to electronic communications. There are specific rules on marketing calls, emails, texts, cookies, keeping communications services secure and customer privacy.
The key requirement of the PECR is that individuals contacted by these methods must have given their prior consent other than in very limited circumstances. PECR does not consider that contacting people as a default unless they have opted out is satisfactory. They look for evidence that individuals have given their explicit consent before any communications take place.
Soft opt-in consent is only acceptable when the following 3 criteria are met:
- The contact details were obtained from the individual during a sale, or the negotiation of a sale, of a product or service. For the Union, this will usually be when a person is becoming a member, or when we are contacting an existing member; and
- The communications relate to similar products or services; and
- The option to opt out (or unsubscribe) was provided when the data was collected and is included in each and every subsequent communication.
The conditions are specific and cannot be relied upon in many situations. Difficulties can arise when using a member’s mobile number to send campaigning messages if the number was not initially collected for the purpose of campaigning.
Individual Responsibilities
The Chief Executive is responsible for the general development, promotion and adherence to this policy, and ultimately responsible for compliance by all elected officers, staff and volunteers. The Chief Executive is also the nominated contact for the Information Commissioner’s Office.
All elected officers, staff and volunteers who process personal data are expected to understand and adhere to the six Data Protection Principles set out in the Act and to ensure that they dispose of records that have reached the end of their retention period, taking care to do so confidentially where necessary. Staff should refer to the Staff Checklist for Recording Data in their day-to-day work, and this can be found in Appendix A.
The Chief Executive is responsible for ensuring that adequate and appropriate knowledge and competence for good data protection exists across the organisation. The Senior Management Team is responsible for the oversight of relevant data protection issues and should raise these for discussion, resolution and communication across LBSU. Our responsibilities will be met by making available this policy and procedures to all colleagues, compulsory training and development for new elected officers, staff and volunteers, and ongoing training and development for colleagues with access to sensitive data, and with management responsibility.
Key Activities and Data Protection Procedures
Recruitment
Potential employees’ personal data can be collected provided the individuals are aware that their data is being recorded and retained. It is imperative that the data collected about potential employees is not excessive, that it is stored securely, and that it is not shared with anyone who has no need to see it. The Office Manager is responsible for the collection and storage of recruitment information and will ensure the following:
- All recruitment packs include a statement which makes potential employees aware that their data will be recorded and retained for no more than 6 months after the recruitment process is complete.
- Completed Equal Opportunities monitoring forms will be separated from the rest of the recruitment pack and will be analysed by the Office Manager before being disposed of so that the Students’ Union can monitor its performance with regards to equal opportunities in recruitment.
- All recruitment data will be stored electronically in the SU’s cloud-based HR software. This data may only be accessed by the Chief Executive, Director of Resources & Operations, Head of People & Governance, and the Learning & Development Manager and any recruiting managers.
- Recruitment panel members will only be provided with a hard copy of the recruitment information for shortlisting and interviewing if they request it. This will be kept securely by each panel member (i.e. not left on a desk in an open office). Once recruitment is complete they will return their hard copies and notes to the Head of People & Governance or Learning & Development Manager for shredding.
Employee Records
When starting employment with the Students’ Union, employees sign a contract which provides consent to process personal information, sensitive information and transferring this data in the delivery of services such as payroll, the HR Toolkit, pensions, insurance, employee benefits and for employment advice. Employees have a responsibility for ensuring their data remains up to date.
Students’ Union Membership Records Data Set
The University shares student data with the Students’ Union under a data sharing agreement. These records are transferred to the Union’s website through an automated feed, and direct access to this data is restricted to the Chief Executive, Director of Resources & Operations, Head of Marketing & Communications and the Data & Digital Lead. The Students’ Union will send a welcome email to all members before sending any further information.
Communities Membership Data Set
The Students’ Union provides a membership management platform that facilitates membership of Communities. Volunteers running student groups may collect data outside this system only through an approved process.
Employees and volunteers will be assigned specific access levels to handle certain data to administer student activities using the membership platform.
Employees and volunteers may not transfer data to third parties without the explicit consent from the individual students.
Employees and volunteers must be careful to only use personal data for purposes for which it was collected.
Using Members’ Data
Employees and volunteers processing data from members must ensure that the information is:
- Not widely circulated;
- Only made available to authorised data handling individuals;
- Only used for the specific purpose for which it was collected;
- Held securely; and
- Securely destroyed after use.
Below is a table of things to do and not do, which should be borne in mind when processing membership data.
| Do | Do Not |
|---|---|
| Only extract and use the information that is needed to complete a task. | Extract more than you need for a task. A lack of time is not a legitimate reason for not considering the exact data needed. |
| Only use data for one task. A new list should be extracted for each task. This makes sure the data that is being used is up-to-date and accurate. | Provide information to others not involved in the task for which the data was extracted. |
| Keep the information on systems and networks that are recognised as being acceptable for Union work, such as University networked equipment. | Email information to a personal email address or save it onto a personal device for any reason. |
| Take care when taking personal data out of the Union buildings. Only take the information if it is necessary, keep it safe and return it as soon as possible. | Keep the information that you have got to use for a very similar exercise that you know you’re going to do in the future. |
| Update the relevant staff member responsible for the data if an individual’s information is out of date. | Leave personal data that has been taken out of the office unattended. |
| Shred information and use a confidential waste bag. | Put information into a normal bin. Someone else could find it and misuse it. |
Data Cleansing
This is a crucial activity in the run up to Freshers and elections. It is natural for members to leave, change course, or change status and it is therefore important the Union cleanses its data regularly. The Students’ Union collects and renews data from the University several times through the year to ensure this data is accurate.
Where disciplinary processes or opt out processes or the death of a member result in the need for that member’s data to be removed, the Chief Executive will inform the Data and Digital Lead and any other relevant staff member so that they can remove the member from all relevant Union databases.
Emailing and Text Messages
As all email addresses are deemed to be personal data by the Information Commissioner’s Office, all bulk communications with members using email and text distribution lists must follow these rules:
- Individuals who have opted out of mailings (apart from core purpose emails) are not included in mailings or bulk text messages;
- The blind carbon copy (bcc) field on the email address line is used;
- If a member informs the Union that they no longer wish to be contacted via email or text, their name and contact details must be removed from the distribution list, and a note made that they have not consented to receive emails or texts. The only exception to this is if the message contains statutory Union information and cannot be provided to the member in another way;
- An option to unsubscribe from similar communications is added to the bottom of the email or text message each time a message is sent out.
Communications with generic @leedsbeckett.ac.uk addresses such as su-helpdesk@leedsbeckett.ac.uk are not considered personal data as they do not identify an individual human being.
Marketing and Publicity
The Marketing and Communications Department are responsible for ensuring that when filming or photography is taking place at Students’ Union events, event notices warning that filming or photography will be taking place are displayed at all entrances to the event. The Marketing and Communications Department is also responsible for ensuring that specific written consent is obtained from any individual before they are photographed or filmed.
Commercial Marketing
Solely purposed commercial marketing, through email or text, must only be sent to those who have opted-in to receive messages. Commercial marketing messages must include an opt-out function.
Casework
Data relating to advice and representation is extremely sensitive and several of the data protection principles apply. Casework data is held in the AdvicePro system which may only be accessed by the SU Community Support Team.
Live and archived cases are stored securely and, where held as hard copy, are disposed of securely by being shredded and placed in a confidential waste bag.
Democratic Processes
The Union is legally obliged by the Education Act 1994 to engage students in, and facilitate, election processes, which requires processing specific data. The data used for this activity is the membership data provided by the University.
Research
The Students’ Union’s insight-gathering activities, such as surveys, are undertaken with consent. Records of individuals’ views, unless anonymised, are considered personal data and as such are subject to the rights and freedoms already outlined in this document.
Data published must not individually identify any person without their explicit consent. However, anonymised data from all datasets may be processed and published for statistical purposes. Data should only be collected through the agreed platforms and by authorised individuals.
Service Administration
This covers data processing activities relating to how the Union delivers administration of services for members, suppliers, contractors and visitors. This data can include:
- Bank account details for the purpose of making payments
- Commercial clients for the purposes of credit control and management
- Drivers’ details for minibus insurance purposes
- Contact details for members asking for someone in the SU to contact them
- Events customers for the purposes of ticket management
- Information about enquiries at the Headingley office
- Information declared through the complaints procedure
- Student ID cards for Veezu (formerly known as Amber Cars) Taxi payments
Employees and volunteers processing this data must ensure that the information is:
- Not circulated widely;
- Only made available to authorised data handling individuals;
- Only used for the specific purpose for which it was collected;
- Held securely; and
- Securely destroyed after use.
Information Security Procedures
Hard copies, file notes, incoming and outgoing letter correspondence
The Students’ Union has a duty to ensure that data is held securely. Provisions that employees and volunteers must consider putting in place include:
- Lockable filing cabinets
- Clear desk policy
- Secure storage for archived files
- Secure destruction – using a shredder or confidential waste bag
Electronic Data
The same requirements apply to electronically held data. Provisions employees and volunteers must consider putting in place include:
- Only using storage on the University network
- Password protection on all files containing personal data
- Up to date antivirus and malware systems
- Secure destruction of IT equipment
CCTV
CCTV units are not networked, and the systems can only be accessed by the Head of Venues, Chief Executive, Deputy Chief Executive or law enforcement agencies.
Email Security
Employees’ @leedsbeckett.ac.uk email addresses are assigned to them individually and should not be shared with others. In an employee’s absence, or for specific investigation purposes only, emails may be accessed by authorised individuals – authority can only be granted by the Chief Executive.
Employees should take the following steps to ensure the security of their email content:
- Consider whether the content of the email should be encrypted or password protected. If sending a spreadsheet containing personal data this must be password protected and the password sent in a separate email.
- Use blind carbon copy (bcc) instead of carbon copy (cc) to hide recipients’ email addresses from other recipients.
- Be careful when using a group email address. Check whether the email really should be going to every member of the group.
- Never click on a link or share any information with anyone you don’t recognise – if in doubt check first.
Sharing Information
Whenever the Union uses a third-party processor we must have a written contract in place. The contract is important so that both parties understand their responsibilities and liabilities. Examples of third-party processors are:
- ePOS systems providers
- Payroll
- Website hosting
- Pensions providers
As the controller for certain elements of data, the Union is liable for ensuring our compliance with GDPR and we must only appoint processors who can provide sufficient guarantees that the requirements of the GDPR will be met, and the rights of data subjects protected.
Third party processors must only act on the documented instructions of a controller. They will however have some direct responsibilities under GDPR and may be subject to fines or other sanctions if they don’t comply.
Releasing information to prevent or detect crime
The police or other crime prevention/law enforcement agencies sometimes contact data controllers or processors and request that personal data is disclosed to help them prevent or detect a crime. All such requests must be given in writing to the Chief Executive.
The Students’ Union does not have to comply with these requests, but the regulations do allow organisations to release the information if they decide it is appropriate. Before any decision is made about disclosure, the Information Commissioner asks that organisations carry out a review of the request. This includes considering:
- The impact on the privacy of the individual/s concerned
- Any duty of confidentiality owed to the individual/s
- Whether refusing disclosure would impact the requesting organisation’s ability to detect, prevent or prosecute an offender
If a decision is made to refuse, it is possible that a subsequent court order may be made by the requesting organisation for the Students’ Union to release the information. If such a request is received by an employee or volunteer, please refer the request to the Chief Executive.
Information Security Breaches
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
A data security breach can happen for several reasons:
- Loss or theft of data or equipment
- Inappropriate access controls allowing unauthorised use
- Equipment failure
- Human error
Where an employee, volunteer, supplier or contractor discovers a data breach they must report this to the Chief Executive within 24 hours.
The Chief Executive shall notify the Information Commissioner’s Office within 72 hours of the breach where there is a risk to the rights and freedoms of individuals such as discrimination, damage to reputation, financial loss, loss of confidentiality, or any other significant economic or social disadvantage.
Where there is a high risk to the rights and freedoms of individuals they shall be notified directly.
New Data Systems or Uses of Data
Whenever a new system to process data or whenever a new project involving data processing is being considered it is important to ensure that a Data Processing Impact Assessment (DPIA) is carried out and documented. Help with DPIAs can be found on the Information Commissioner’s website.
Disposing of Data
The Union is committed to keeping data for the minimum time necessary to fulfil its purpose.
Member Data – In line with University policy, member files shall be retained for 12 months after a student graduates or otherwise leaves the University.
Below is our data retention schedule.
| Record | Statutory retention period | Statutory authority |
|---|---|---|
| Accident books, accident records/reports | 3 years after the date of the last entry (see below for accidents involving chemicals or asbestos) | The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR) (SI 1995/3163) as amended |
| Accounting records | 6 years for public limited companies | Section 221 of the Companies Act 1985 as modified by the Companies Acts 1989 and 2006 |
| Income tax and NI returns, income tax records and correspondence with the HMRC | Not less than 3 years after the end of the financial year to which they relate | The Income Tax (Employments) Regulations 1993 (SI 1993/744) as amended, for example by The Income Tax (Employments) (Amendment No. 6) Regulations 1996 (SI 1996/2631) |
| Medical records and details of biological tests under the Control of Lead at Work Regulations | 40 years from the date of the last entry | The Control of Lead at Work Regulations 1998 (SI 1998/543) as amended by the Control of Lead at Work Regulations 2002 (SI 2002/2676) |
| Medical records as specified by the Control of Substances Hazardous to Health Regulations (COSHH) | 40 years from the date of the last entry | The Control of Substances Hazardous to Health Regulations 1999 and 2002 (COSHH) (SIs 1999/437 and 2002/2677) |
| Medical records under the Control of Asbestos at Work Regulations: (a) medical records containing details of employees exposed to asbestos; (b) medical examination certificates | (a) 40 years from the date of the last entry; (b) 4 years from the date of issue | The Control of Asbestos at Work Regulations 2002 (SI 2002/2675). Also see the Control of Asbestos Regulations 2006 (SI 2006/2739) |
| Medical records under the Ionising Radiations Regulations 1999 | Until the person reaches 75 years of age, but in any event for at least 50 years | The Ionising Radiations Regulations 1999 (SI 1999/3232) |
| Records of tests and examinations of control systems and protective equipment under the Control of Substances Hazardous to Health Regulations (COSHH) | 5 years from the date on which the tests were carried out | The Control of Substances Hazardous to Health Regulations 1999 and 2002 (COSHH) (SIs 1999/437 and 2002/2677) |
| Records relating to children | Until the child reaches the age of 21 | Limitation Act 1980 |
| Records relating to events notifiable under the Retirement Benefits Schemes (Information Powers) Regulations 1995, records concerning decisions to allow retirement due to incapacity, pension accounts and associated documents | 6 years from the end of the scheme year in which the event took place, or the date upon which the accounts/reports were signed/completed | The Retirement Benefits Schemes (Information Powers) Regulations 1995 (SI 1995/3103) |
| Statutory Maternity Pay records, calculations, certificates (Mat B1s) or other medical evidence | 3 years after the end of the tax year in which the maternity period ends | The Statutory Maternity Pay (General) Regulations 1986 (SI 1986/1960) as amended |
| Statutory Sick Pay records, calculations, certificates, self-certificates | 3 years after the end of the tax year to which they relate | The Statutory Sick Pay (General) Regulations 1982 (SI 1982/894) as amended |
| Wage/salary records (also overtime, bonuses, expenses) | 6 years | Taxes Management Act 1970 |
Recommended retention periods (i.e. where no statutory retention periods exist)
For many types of personnel records there is no definitive retention period: it is up to the employer to decide how long to keep these records, and it is a question of judgement rather than of any definitive right or wrong. An employer needs to consider what would be a necessary retention period, depending on the type of record. The advice in this document is based on the time limits for potential tribunal or civil claims and aims to draw sensible conclusions as to how long keeping the records will protect an employer.
Where the recommended retention period given is 6 years, this is based on the 6-year time limit within which legal proceedings must be commenced as laid down under the Limitation Act 1980. Thus, where documents may be relevant to a contractual claim, it is recommended that these be retained for at least the corresponding 6-year limitation period.
| Record | Recommended retention period |
|---|---|
| Actuarial valuation reports | Permanently |
| Application forms and interview notes (for unsuccessful candidates) | 6 months. (Because of the time limits in the various discrimination Acts, for example the Disability Discrimination Act 1995, minimum retention periods for records relating to advertising of vacancies and job applications should be 6 months. Successful job applicants’ documents will be transferred to the personnel file in any event.) |
| Assessments under Health and Safety Regulations and records of consultations with safety representatives and committees | Permanently |
| HMRC approvals | Permanently |
| Money purchase details | 6 years after transfer or value taken |
| Parental leave | 5 years from birth/adoption of the child, or 18 years if the child receives a disability allowance |
| Pension scheme investment policies | 12 years from the ending of any benefit payable under the policy |
| Pensioners’ records | 12 years after benefit ceases |
| Personnel files and training records (including one-to-one notes, disciplinary records and working time records) | 6 years after employment ceases |
| Redundancy details, calculations of payments, refunds, notification to the Secretary of State | 6 years from the date of redundancy |
| Senior executives’ records (that is, those on a senior management team or their equivalents) | Permanently, for historical purposes |
| Trustees’ records | 7 years after they cease to be a trustee |
| Timecards/flexi forms | 2 years after audit |
| Trade union agreements | 10 years after ceasing to be effective |
| Trust deeds and rules | Permanently |
| Trustees’ minute books | Permanently |
| Works council minutes | Permanently |
Appendix A: Guidelines for Staff including Staff Checklist for Recording Data
Members of staff will process personal data on a regular basis. The University and Students’ Union will ensure that staff and students give their consent to processing, or that another condition for processing applies, and are notified of the categories of processing, as required by the Act.
Information about an individual's physical or mental health, sexual life, political or religious views, trade union membership, ethnicity or race, and the commission of criminal offences or court proceedings dealing with criminal offences is sensitive and can normally only be collected and processed with the individual's express consent.
Members of staff have a duty to make sure that they comply with the data protection principles, which are set out in the SU Data Protection Policy. In particular, staff must ensure that records are:
- accurate;
- up-to-date;
- fair;
- kept and disposed of safely, and in accordance with SU policy.
Individual members of staff are responsible for ensuring that all data they are holding is kept securely.
Members of staff must not disclose personal data, unless for normal democratic, membership or administrative purposes, without authorisation or agreement from the Chief Executive, or in line with SU policy.
Before processing any personal data, all staff should consider the checklist.
All staff should either complete online data protection training through Leeds Beckett University staff mandatory training pages or attend an open training session organised by the SU.
Staff Checklist for Recording Data
- Do you really need to record the information?
- Is the information 'standard' or is it 'sensitive'?
- If it is sensitive, do you have the data subject's express consent?
- Has the individual or data subject been told that this type of data will be processed?
- Are you authorised to collect/store/process the data?
- If yes, have you checked with the data subject that the data is accurate?
- Are you sure that the data is secure?
- If you do not have the data subject's consent to process, are you satisfied that one of the other conditions for processing data applies?
- In respect of databases containing personal data, have you notified the Chief Executive that you intend to hold the data and registered the database?
- How long do you need to keep the data for, and what is the mechanism for review/destruction?
Appendix B: Identifying Lawful Processing
For processing to be lawful under the GDPR, a lawful basis must be identified before any personal data can be processed.
The table below identifies the lawful processing reasons, provides relevant examples and identifies any steps that must be taken to proceed with this processing method.
| Lawful Processing | Organisational Examples | Next Steps |
| Consent of the data subject | Opting in to receive an SU email | There are specific requirements for gaining consent – it must be clear, specific and documented |
| Processing is necessary for the performance of a contract with the data subject or to take steps to enter a contract | Storage of the name and address of individuals and processing of this to send/fulfil an online purchase | A copy of this contract or terms and conditions should be kept as evidence |
| Processing is necessary for compliance with a legal obligation | The HMRC requires the SU to provide certain information for tax purposes | |
| Processing is necessary to protect the vital interests of a data subject or another person | If someone were in a medical situation in which their personal information needed to be released to medical practitioners to preserve life | After releasing this data, the Chief Executive should be informed |
| Processing is necessary for the performance of a task carried out in the public interest | The Union does not process any data in the public interest | |
| Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject | Members could legitimately expect their information to be processed to enable membership-focussed services | An assessment must be undertaken and documented to ensure a balance of interests is achieved. Data collected relying on legitimate interest must declare the legitimate interest at the point of collection. |