The Student Support Service (“we, us, our”) of University of Cumbria Students’ Union takes your data protection and rights very seriously. We have written this statement to make things as clear as we can, if you have any questions about your privacy in relation to receiving support services* from the UCSU student support service, then please contact us via email: firstname.lastname@example.org or by phone on 01524 510810. You can also view UCSU's Student Privacy Notice here
We promise to respect and protect any data you share with us; we won’t do anything with your data that you wouldn’t reasonably expect us to do when you contact us for support.
Data protection in the UK is overseen by the Information Commissioner’s Office (ICO) https://ico.org.uk/ and the main legislation that underpins it is the UK Data Protection Act (1998) (DPA) http://www.legislation.gov.uk/ukpga/1998/29/contents and the EU General Data Protection Regulations (2014) (GDPR). https://www.eugdpr.org/
*Support services can mean: representation, information, advice etc. and should be read as such throughout this document.
2) What data does the UCSU Student Support Service collect?
When you contact us and ask for support we keep a record of the information you have provided and our response to you. Usually appointments are booked directly through our booking system, 'SimplyBook' via the UCSU website, but sometimes support is provided under other circumstances (e.g. by contacting us in other ways).
The data and information we hold includes basic information about you and records of your case, this can range from one email to detailed notes on face to face or telephone consultations, work we have carried out on your behalf with third parties or meetings we have attended with you, depending on the complexity and nature of your situation. We also collect demographic questions as well as your basic details including preferred contact methods. Some of this demographic data is considered special category data under GDPR. It may also be that you provide us with ‘special category data’ in the course of us supporting you with your case that may be pertinent to your case or in the way we work with you.
In addition we collect data with the aim of measuring the impact that the service has had on you, this is collected at the beginning and again at the end of a case. We also collect feedback about your experience, and quality of the service at the end of the case.
Due to the nature of some of data we collect, we need to get your direct consent to process^ your data. There is more info on what consent means in section 6.
^processing data includes: collecting, recording, storing etc.
*Special category data is anything related to your ethnic origin, religion, health (including disability), sexual orientation etc.
3) How do we Collect and use Your Data
If students book appointments via the online booking system ('SimplyBook.it'), UCSU seeks explicit consent by seeking agreement to this privacy statement/ terms and conditions, as does 'SimplyBook'. We also seek your explicit consent to liaise with third parties pertinent to your case (this is usually the University). We are then also able to share your consent (if provided) with the University.
The Student Support Service is an independent and confidential service (see section 4). We process your data for our own records, it is stored electronically on a case management system called Advice Pro (developed by a partnership of Advice UK and ACM Solutions), this is external to the Union (UCSU) and the University servers (see Appendix one below for Advice Pro’s privacy statement)
We will never use the information we collect about you for this service for marketing purposes.
We collect data about you for the purpose of the service in two main ways, either directly from you or via the UCSU online booking system for the service on the UCSU website. The on-line booking system is hosted by 'SimplyBook'. If you book a first appointment on-line, the booking system gives two options the first is to provide some basic information including name and contact details or some more detailed information (including the Enquiry Impact Assessment). If you opt for an express booking more detailed information is collected over the phone or face to face in the appointment. The booking system at this stage also seeks consent to these service terms and conditions/ privacy statement and consent to share your information with university or other third parties pertinent to your case/ as required (Form of Authority). We may also collect this data from a person/third party you have given consent to share information with us. Students will receive booking confirmations, reminders, and appointment changes and cancellations via email and sms message
We have a data sharing agreement with the University www.ucsu.me/policyto hold basic details about students. This includes your student number, name, student email, gender and course details. However, for the purposes of the Advice Service we store details that you provide us at the time of accessing this particular service including your name, contact details, student number, mode of study, level of study, course and email address to store on Advice Pro. However, if the need arises, we may need to seek additional information from the student data that is shared between us and the university. This has been set up so that we can make the best service for you, and you don’t need to go through it all directly with us. If you have any questions about this see section 11 on how to contact the University’s Data Protection Officer.
We use your data for two purposes. The first and most important is to help you with your case. In terms of GDPR legislation, the legal basis we have to collect your basic data is called a legitimate interest. This means that we feel you would reasonably expect us to process your data when you approach us for support. For example, it would be very difficult for us to give you feedback on an academic appeal if you didn’t provide us with certain information about yourself.
The second reason that we process your data is for monitoring and statistical purposes. At this point any demographic data that we analyse and present is anonymised, so you will not ever be directly identified from it. The data itself is however linked to your ‘client details’ in Advice Pro. We use the anonymised data to look at trends/patterns so that we can focus our work on helping students in the best possible way. For example, if we see that a lot of mature students or students in a particular department are having the same problems we can look at ways to prevent these problems from occurring in the first place by approaching the University about changing a policy or looking at how we can better provide support to a particular group of students. Some of this is considered to be special category data, along with any information you may disclose in the course of your case and therefore the legal basis to collect this data is through gaining your consent (see section 6).
On the closure of your case we may ask you to complete an anonymous survey via a Surveymonkey link. All reporting is anonymous and statistical purposes only.
UCSU’s Support Service provides a confidential service to all our members. Any information that you disclose to a member of the team will remain confidential unless a need arises to breach your confidentiality, usually if we believe that there is a significant risk of harm to you or to others. We may discuss your case within the Service Team to ensure you get the best possible support, but we will not discuss your issues with anyone outside of the Support Team without your explicit consent. If the need ever arises to break confidentiality, information will only be discussed/ shared on a need to know basis and we will seek to talk to you about this first wherever possible. In exceptional circumstances, we may disclose information without your consent, where in our professional judgement, exceptional circumstances apply or it is in your best interests for us to do so (please see Section 5.
5) Sharing Your Data and Disclosure to Others
As mentioned earlier, your data is processed using external systems, Advice Pro and 'SimplyBook'. Both companies have their own privacy notices and SimplyBook also requires agreement of tehir terms and conditions from users accessing the sytem.
In general, we will not share your information outside of the Student Support service without your explicit consent (see section 6 )or more info on consent and what this means.
However, there are some instances where we have a statutory obligation to share your data. These are instances that are set out in Acts of Parliament or by a Court of Law. They include criminal and terrorist activity, adult and child protection concerns, conflict of interest, or if we believe there is a substantial threat to life/harm of you or another person. We may also share your data with the University of Cumbria if we believe there is a safeguarding concern involving you or a third party.
Consent is another legal basis that has been defined in the GDPR for the processing of your data. The process of gaining consent has to be clear and involve a positive choice from the person giving it (for example, we cannot pre-tick boxes for you to uncheck!). You are also able to withdraw your consent at any time for the processing of any sensitive data or to speak to a third party about your case.
We will ask for your explicit consent for two reasons. The first is to process special category data about you (such as your sexual orientation), we use this data to inform our work and monitor our service
7) Authority to act on your behalf
This is an optional element of our service’s terms and conditions; we will ask you when booking appointments with UCSU’s Support Service if you agree to this element. In agreeing to provide UCSU Authority, you consent to UCSU;
The authority to act on your behalf is only valid for 3 calendar months, each time you agree to provide UCSU Authority; a new authority is enacted which is valid for 3 calendar months. You can rescind this authority at any time, by informing us on 01524 590 810 or via email to email@example.com.
The second reason is to get your permission to share your information when it is relevant/necessary to support you. If we deem this necessary we will ask you to sign a form of authority allowing us to share your information, this can only be to specific people for a specific purpose and this will be discussed with you throughout the duration of the case. For example, if you want representation in an academic disciplinary case, you will need to give us your consent to speak with the University about your case.
8) How to Change and Erase Data We Hold on You
You have the right to be able to see the information we hold on you, have any incorrect facts changed and to have your data erased. If you want to exercise any of these rights, please contact us (see section 11) and we will talk you through the process.
9) Your Rights
The GDPR sets out your rights as an individual, we strive to uphold and protect your rights in balance with our legitimate interest in providing support for you.
You can see detailed explanations on each of these rights here. https://ico.org.uk/
10) Keeping Information Secure
We have explained why we process your data; we also want to explain the actions we take to keep it secure. We store all of your data on a system called Advice Pro. This is held externally to both the Union and the University and is only accessible to The Advice Hub staff. All data is held within the UK on servers based in Dundee and Aberdeen.
UCSU gave a lot of thought about what storage system we wanted to use and Advice Pro have clear statements on their commitment to the security and protection of your data (a copy of Advice Pro’s privacy statement is available in appendix 1) .
Any documentation not stored on Advice Pro will be kept in your Caseworker’s secure personal drive or within a locked cabinet.
11) Time Frames
The GDPR sates that we can only keep your data for no longer than it would be reasonable for the purposes that we have outlined. We have considered this, and we feel that a six-year retention period means gives you the opportunity to re-engage with our service throughout your time at University. This means that if an issue in first year occurs again in your fourth year we still have your details and you don’t need to go through the same process twice. Some issues, like complaints, can still be in process after you have left the University, which is why we feel 6 years in an appropriate time scale. After this time all of your data will be automatically archived (fully anonymised and only accessible for statistical reporting) from Advice Pro and any other internal systems. For the avoidance of all doubt, data which is destroyed includes; all personal and identifiable data, including basic client details, contact details, equality monitoring information and any and all case notes and attachments kept on your file.
For the avoidance of all doubt, data which is retained includes; course details (except in cases where this identifies the student), which procedures and processes where enacted, and any actions or outcomes of those procedures and processes.
The data we collect via our On-line Booking system 'SimplyBook' is removed after six months.
12) How to Contact Us
If you have any questions about privacy, confidentiality or your rights under GDPR , please get in touch:
Student Support Service:
Phone: 01524 590810 or Email: firstname.lastname@example.org or
Chief Executive of University of Cumbria Students’ Union, Danny Prescott:
Phone: 01524 590810 or email Daniel.Prescott@cumbria.ac.uk
University of Cumbria Protection Officer:
By Post: Data Protection Officer, Vice Chancellor’s Office, University of Cumbria, Bowerham Road, Lancaster LA1 3JD or email: email@example.com
Date last reviewed: 22/08/2019
Next review due: 22/08/2020
Appendix One : AdvicePro's Commitment to the General Data Protection Regulation (GDPR)
The new EU General Data Protection Regulation (GDPR) comes into force on May 25th 2018 and will affect every organisation which holds or processes personal data. It will introduce new responsibilities, more stringent enforcement and increased penalties than the current Data Protection Act which it will supersede.
All of our staff and those of our hosting provider are familiar with GDPR and their personal responsibilities.
Our staff are trained on Data Protection issues on commencement of employment and this is updated as and when regulations change or are updated.
All data is held within the UK on servers based in Dundee and Aberdeen.
All storage is secure and our hosting provider has GDPR procedures in place.
We have a notification process in place for any breach.
AdvicePro provides appropriate tools to allow all customers to properly enact the right to erasure process.
AdvicePro provides functionality to allow the details of a client to be extracted in a machine readable format (XML).
ACM Solutions, who develop, manage and provide the helpdesk services for AdvicePro expect to have completed ISO27001 certification before GDPR comes into force. Our hosting partners are already ISO27001 certified.