Consumer Data Privacy Statement

Last Revised: 5th January 2018

introduction

uea(su) (“we”, “our” or “us”) promises to respect any personal data you share with us, or that we get from other organisations and keep it safe.  We aim to be clear when we collect your data and not do anything you wouldn’t reasonably expect.

Facilitating our legal requirements, organisation policy and services to our customers (consumers) through using your personal data allows us to make better decisions, communicate more efficiently and, ultimately, ensure you receive the services required.

We collect data from a variety of customer and businesses below we detail what data we have, why we keep it for how long and how you can opt out

Should we need to contact you for any reason regarding your order, we will use the email address registered to your account, or the telephone number where provided.

If you subscribe with our box office we will track the products you purchase, provide better customer service standards and develop the product range we offer you. We will contact you about op and coming events and opportunities.

how we keep your data safe, and who has access

We undertake regular reviews of who has access to information that we hold to ensure that your information is only accessible by appropriately trained staff and contractors.
Some of our suppliers run their operations outside the European Economic Area (EEA).  Although they may not be subject to same data protection laws as companies based in the UK, we will take steps to make sure they provide an adequate level of protection in accordance with UK data protection law. By submitting your personal information to us you agree to this transfer, storing or processing at a location outside the EEA.
We may need to disclose your details if required to the police, regulatory bodies or legal advisors.
We will only ever share your data in other circumstances if we have your explicit and informed consent.

keeping your information up to date

We request that suppliers, contractors and clients make best attempts to ensure data held by the Students’ Union is up to date and accurate. In the event of any changes to data or the discovery of any inaccuracies please contact union.info@uea.ac.uk.

understanding the detail of our data security measures

When we process your data we will have already carefully assessed the lawful justification for doing so, the parameters in which the data is processed, the length of time the data is held for, the secure storage of your data and undertaken impact assessments to ensure your rights are delivered.
The Students’ Union operates a Data Protection and Information Security Policy which is supported by a practical handbook for our employees and volunteers. All employees and volunteers handling data are required to undertake general data protection training and third parties handling data are required to provide a contract which meets the requirements of the Information Commissioner's Office.

your right to know what data we hold about you, make changes, or ask us to stop using your data

You have a right to ask us to stop processing your personal data, and if it’s not necessary for the purpose you provided it to us for (e.g. union policy) we will do so. Contact us at union.info@uea.ac.uk  if you have any concerns.

You have a right to ask for a copy of the information we hold about you.  If there are any discrepancies in the information we provide, please let us know and we will correct them.
If you want to access your information, you must complete the Subject Access Request Form with a description of the information you want to see and the required proof of your identity by post to uea (su), Union House, UEA, Norfolk NR4 7TJ. We do not accept these requests by email so we can ensure that we only provide personal data to the right person.

changes to this statement

We may change this Privacy Statement from time to time.  If we make any significant changes in the way we treat your personal information we will make this clear on our Website or by contacting you directly.

public data audit

We reviewed our processes to see where data comes in, what we use it for and how we handle it. This covers things like how we use landlord data or suppliers for our commercial teams. You can find out more about this by viewing the document below.

Click here to read our public data audit

If you have any questions, comments or suggestions, please let us know by contacting union.info@uea.ac.uk

You can access our members privacy policy here.

Staff Data Privacy Statement

Last Revised: 15th August 2018

how your information will be used

1. As your employer, the Students’ Union needs to keep and process information about you for normal employment purposes. The information we hold about you and the processing of it will be for our management and administrative use only. We will keep and use it to enable us to run the business and manage our relationship with you effectively, lawfully and appropriately, during the recruitment process, whilst you are working for us, at the time when your employment ends and after you have left. This includes using information to enable us to comply with your employment contract, to comply with any legal requirements, pursue the legitimate interests of the Union and protect our legal position in the event of legal proceedings. If you do not provide this data, we may be unable in some circumstances to comply with our obligations and we will tell you about the implications of that decision.
2. The Union may sometimes need to process your data to pursue legitimate business interests, for example, to prevent fraud, for administrative purposes or reporting potential crimes. The nature of our legitimate interests are for the performance of your contract of employment. We will never process your data where these interests are overridden by your own interests.
3. Much of the information we hold will have been provided by you, but some may come from other internal sources, such as your manager, or in some cases, external sources, such as referees.
4. The sort of information we hold includes your application and references, your contract of employment and any amendments to it; correspondence with or about you, for example:
• letters to you about a pay rise
• at your request, a letter to your mortgage company confirming your salary
• information needed for payroll, benefits and expenses purposes
• contact and emergency contact details
• records of holiday, sickness and other absence
• information needed for equal opportunities monitoring
• records relating to your career history, such as training records, appraisals, other performance measures and, where appropriate, disciplinary and grievance records.
5. You will be referred to in many Union documents and records that are produced by you and your colleagues in the course of carrying out your duties and the business of the Union. You should refer to the Data Protection & Information Security Policy and Procedure and the Data Protection Guidance document for more detail, both of which are available on relevant HR systems.
6. Where necessary, we may keep information relating to your health, which could include reasons for absence and GP reports and notes. This information will be used in order to comply with our health and safety and occupational health obligations – to consider how your health affects your ability to do your job and whether any adjustments to your job might be appropriate. We will also need this data to administer and manage statutory and Union sick pay and pensions.
7. Where we process special categories of data relating to your racial or ethnic origin, political opinions, religious and philosophical beliefs, trade company membership, biometric data or sexual orientation, we may obtain your explicit consent to those activities unless:
• we have another legitimate basis on which to process this data
• this is not required by law
• the information is required to protect your health in an emergency.

Where we are processing data based on your consent, you have the right to withdraw that consent at any time.

8. If you provide data which is anonymous (for example, equal opportunities monitoring), we will not use if for your employment purposes.
9. In addition, we reserve the right to monitor computer and telephone/mobile telephone use, as detailed in the Surveillance Policy, available on the relevant HR system. We may also keep records of your hours of work for payroll purposes.
10. Other than as mentioned below, we will only disclose information about you to third parties if we are legally obliged to do so or where we need to comply with our contractual duties to you, for instance, we may need to pass on certain information to our external legal advisors, our HR advisor, Occupation Health consultant or the pension scheme provider.
11. We may transfer information about you to other companies under the umbrella of the Students’ Union for purposes connected with your employment or the management of the Union’s business.
12. In limited and necessary circumstances, your information may be transferred outside of the EEA or to an international organisation to comply with our legal or contractual requirements. We have in place safeguards to ensure the security of your data, details of which can be obtained from the Senior Management Team.
13. We do not use automated decision making (eg profiling).
14. Your personal data will be stored for the period specified in the Retention Schedule.
15. If in the future we intend to process your personal data for a purpose other than that for which it was collected we will provide you with information on that purpose and any other relevant information.

your rights

16. Under the General Data Protection Regulation (GDPR) and The Data Protection Act 2018 (DPA) you have a number of rights with regard to your personal data. You have the right to request from us access to and rectification or erasure of your personal data, the right to restrict processing, object to processing as well as in certain circumstances the right to data portability.
17. If you have provided consent for the processing of your data you have the right (in certain circumstances) to withdraw that consent at any time which will not affect the lawfulness of the processing before your consent was withdrawn.
18. You have the right to lodge a complaint to the Information Commissioners’ Office if you believe that we have not complied with the requirements of the GDPR or DPA 18 with regard to your personal data.
19. If you have any concerns as to how your data is processed please contact a member of the Senior Management Team.

You can access our members privacy policy here.

If we ask you to get involved individually or in a small group with photography or filming we will ask you to complete a photo and video consent form. 

This helps to highlight your rights in terms of your data, what you are consenting to, and what we can use the content in which you featured for. 

We use images and video in a range of materials to promote the work of uea(su) as a whole and also to illustrate particular areas of our work. This includes advertisements and other publicity materialss such as leaflets, prospectuses, brochures and posters, direct mail, books, social media channels, newspapers, magazine articles, television programmes and publications for the internet. For more information about how we use your data more generally, please see our other privacy policies. 

Consent for photo and video continues with no time limit, as the purposes for which we use your information do not change. We may decide to stop using promotional material in which you are featured if it becomes outdated or newer content is generated. 

If you are 16 years or older, and understand the consent process, we will ask you to read the consent form and sign it yourself. 

If you would like to withdraw your consent for photos and videos containing your likeness to be used, please email union.communications@uea.ac.uk.

If we are taking photographs or filming at a location, this will be indicated via signs displayed around the location of filming, as opposed to individual consent forms being given out to all attendees. 

These signs will indicate that if you do not wish to be included in photography or filming, to bring this to the attention of the filming or photography team.  

You can find the privacy notice for members here.

Staff Data Privacy Statement

Last Revised: 15th August 2018

how your information will be used

1. As your employer, the Students’ Union needs to keep and process information about you for normal employment purposes. The information we hold about you and the processing of it will be for our management and administrative use only. We will keep and use it to enable us to run the business and manage our relationship with you effectively, lawfully and appropriately, during the recruitment process, whilst you are working for us, at the time when your employment ends and after you have left. This includes using information to enable us to comply with your employment contract, to comply with any legal requirements, pursue the legitimate interests of the Union and protect our legal position in the event of legal proceedings. If you do not provide this data, we may be unable in some circumstances to comply with our obligations and we will tell you about the implications of that decision.
2. The Union may sometimes need to process your data to pursue legitimate business interests, for example, to prevent fraud, for administrative purposes or reporting potential crimes. The nature of our legitimate interests are for the performance of your contract of employment. We will never process your data where these interests are overridden by your own interests.
3. Much of the information we hold will have been provided by you, but some may come from other internal sources, such as your manager, or in some cases, external sources, such as referees.
4. The sort of information we hold includes your application and references, your contract of employment and any amendments to it; correspondence with or about you, for example:
• letters to you about a pay rise
• at your request, a letter to your mortgage company confirming your salary
• information needed for payroll, benefits and expenses purposes
• contact and emergency contact details
• records of holiday, sickness and other absence
• information needed for equal opportunities monitoring
• records relating to your career history, such as training records, appraisals, other performance measures and, where appropriate, disciplinary and grievance records.
5. You will be referred to in many Union documents and records that are produced by you and your colleagues in the course of carrying out your duties and the business of the Union. You should refer to the Data Protection & Information Security Policy and Procedure and the Data Protection Guidance document for more detail, both of which are available on relevant HR systems.
6. Where necessary, we may keep information relating to your health, which could include reasons for absence and GP reports and notes. This information will be used in order to comply with our health and safety and occupational health obligations – to consider how your health affects your ability to do your job and whether any adjustments to your job might be appropriate. We will also need this data to administer and manage statutory and Union sick pay and pensions.
7. Where we process special categories of data relating to your racial or ethnic origin, political opinions, religious and philosophical beliefs, trade company membership, biometric data or sexual orientation, we may obtain your explicit consent to those activities unless:
• we have another legitimate basis on which to process this data
• this is not required by law
• the information is required to protect your health in an emergency.

Where we are processing data based on your consent, you have the right to withdraw that consent at any time.

8. If you provide data which is anonymous (for example, equal opportunities monitoring), we will not use if for your employment purposes.
9. In addition, we reserve the right to monitor computer and telephone/mobile telephone use, as detailed in the Surveillance Policy, available on the relevant HR system. We may also keep records of your hours of work for payroll purposes.
10. Other than as mentioned below, we will only disclose information about you to third parties if we are legally obliged to do so or where we need to comply with our contractual duties to you, for instance, we may need to pass on certain information to our external legal advisors, our HR advisor, Occupation Health consultant or the pension scheme provider.
11. We may transfer information about you to other companies under the umbrella of the Students’ Union for purposes connected with your employment or the management of the Union’s business.
12. In limited and necessary circumstances, your information may be transferred outside of the EEA or to an international organisation to comply with our legal or contractual requirements. We have in place safeguards to ensure the security of your data, details of which can be obtained from the Senior Management Team.
13. We do not use automated decision making (eg profiling).
14. Your personal data will be stored for the period specified in the Retention Schedule.
15. If in the future we intend to process your personal data for a purpose other than that for which it was collected we will provide you with information on that purpose and any other relevant information.

your rights

16. Under the General Data Protection Regulation (GDPR) and The Data Protection Act 2018 (DPA) you have a number of rights with regard to your personal data. You have the right to request from us access to and rectification or erasure of your personal data, the right to restrict processing, object to processing as well as in certain circumstances the right to data portability.
17. If you have provided consent for the processing of your data you have the right (in certain circumstances) to withdraw that consent at any time which will not affect the lawfulness of the processing before your consent was withdrawn.
18. You have the right to lodge a complaint to the Information Commissioners’ Office if you believe that we have not complied with the requirements of the GDPR or DPA 18 with regard to your personal data.
19. If you have any concerns as to how your data is processed please contact a member of the Senior Management Team.

Consumer Data Privacy Statement

Last Revised: 5th January 2018

introduction

uea(su) (“we”, “our” or “us”) promises to respect any personal data you share with us, or that we get from other organisations and keep it safe.  We aim to be clear when we collect your data and not do anything you wouldn’t reasonably expect.

Facilitating our legal requirements, organisation policy and services to our customers (consumers) through using your personal data allows us to make better decisions, communicate more efficiently and, ultimately, ensure you receive the services required.

We collect data from a variety of customer and businesses below we detail what data we have, why we keep it for how long and how you can opt out

Should we need to contact you for any reason regarding your order, we will use the email address registered to your account, or the telephone number where provided.

If you subscribe with our box office we will track the products you purchase, provide better customer service standards and develop the product range we offer you. We will contact you about op and coming events and opportunities.

how we keep your data safe, and who has access

We undertake regular reviews of who has access to information that we hold to ensure that your information is only accessible by appropriately trained staff and contractors.
Some of our suppliers run their operations outside the European Economic Area (EEA).  Although they may not be subject to same data protection laws as companies based in the UK, we will take steps to make sure they provide an adequate level of protection in accordance with UK data protection law. By submitting your personal information to us you agree to this transfer, storing or processing at a location outside the EEA.
We may need to disclose your details if required to the police, regulatory bodies or legal advisors.
We will only ever share your data in other circumstances if we have your explicit and informed consent.

keeping your information up to date

We request that suppliers, contractors and clients make best attempts to ensure data held by the Students’ Union is up to date and accurate. In the event of any changes to data or the discovery of any inaccuracies please contact union.info@uea.ac.uk.

understanding the detail of our data security measures

When we process your data we will have already carefully assessed the lawful justification for doing so, the parameters in which the data is processed, the length of time the data is held for, the secure storage of your data and undertaken impact assessments to ensure your rights are delivered.
The Students’ Union operates a Data Protection and Information Security Policy which is supported by a practical handbook for our employees and volunteers. All employees and volunteers handling data are required to undertake general data protection training and third parties handling data are required to provide a contract which meets the requirements of the Information Commissioner's Office.

your right to know what data we hold about you, make changes, or ask us to stop using your data

You have a right to ask us to stop processing your personal data, and if it’s not necessary for the purpose you provided it to us for (e.g. union policy) we will do so. Contact us at union.info@uea.ac.uk  if you have any concerns.

You have a right to ask for a copy of the information we hold about you.  If there are any discrepancies in the information we provide, please let us know and we will correct them.
If you want to access your information, you must complete the Subject Access Request Form with a description of the information you want to see and the required proof of your identity by post to uea (su), Union House, UEA, Norfolk NR4 7TJ. We do not accept these requests by email so we can ensure that we only provide personal data to the right person.

changes to this statement

We may change this Privacy Statement from time to time.  If we make any significant changes in the way we treat your personal information we will make this clear on our Website or by contacting you directly.

public data audit

We reviewed our processes to see where data comes in, what we use it for and how we handle it. This covers things like how we use landlord data or suppliers for our commercial teams. You can find out more about this by viewing the document below.

Click here to read our public data audit

If you have any questions, comments or suggestions, please let us know by contacting union.info@uea.ac.uk

The Data Protection Act entitles individuals to request access to personal information that the Union is holding about them. This is known as a Subject Access Request. Requests must be made in writing on the application form below. Persons making the request will also be required to confirm their identity.

To request information held about yourself, please follow the steps below:

1. Print out and complete the from below 
2. Enclose copies of 2 documents as proof of your identity
3. Send all documents to the Information and Data Compliance Officer, uea(su), Union House, UEA, Norwich, NR4 7TJ

On receipt of all relevant documentation the Information Policy and Compliance Manager will contact the appropriate departments to obtain the data. In order to locate the correct information the Information Policy and Compliance Manager may ask the person making the request to give an indication of the types of data they wish to see, what activity the information might relate (being a member of a student group, employment, ticket purchase) where they believe the data is being stored.

The Information Policy and Compliance Manager will consider the rights of third parties who have contributed information to the individual's file(s). If possible, third parties will be anonymised prior to the information being released, if this is not possible, the consent of the third party to release the information to the person making the request will be sought. Where consent cannot be obtained or is refused, the Information Policy and Compliance Manager will consider whether it is reasonable to release the information in accordance to the Data Protection Act.

Some kinds of information are exempt under the GDPR.

Where appropriate, the information will be released to the person making the request.  All requests will be dealt with within 40 calendar days.

Click here to download the subject access request form