This privacy notice tells you what to expect when Newcastle University Students’ Union (referred to as NUSU herein) collects personal information. It applies to information we collect about:
- Our members, officers and volunteers
- Users of our websites and app
- People who use our services
- People who give us feedback, make suggestions, complete questionnaires, polls or make complaints
- Suppliers and agents
- Donors and supporters
- Job applicants and our current and former employees
Types of data we collect
Personal Information means any information that could be used to identify you as an individual, including but not limited to: first and/or last name, email address, a postal address, any other contact information e.g. mobile telephone number, student ID number etc.
Anonymous Information means any information that cannot directly identify you, or is not part of your personal information.
Special Category Data
We may, on occasion, ask you for special category data such as health and disability data. This data will be used only for the purposes of providing the appropriate support and services. We hold this data under one of two legal bases: employment or explicit consent.
Use of data is compliant with the Data Protection Act 1998 and the General Data Protection Regulation (GDPR), specifically:
a) Personal data will be processed lawfully, fairly and in a transparent manner
b) Personal data will be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible. Further processing for historical research or statistical purposes shall not be considered incompatible.
c) Personal data shall be adequate, relevant and limited to what is necessary.
d) Personal data shall be accurate and up to date, taking reasonable steps to ensure inaccurate data is removed or updated without delay.
e) Personal data shall be kept in an identifiable form for no longer than is necessary for the relevant purposes, with the exception of archive purposes as mentioned above, providing individual safeguards are in place per application.
f) Personal data shall be processed in a manner that ensures appropriate security of the personal data.
Ways we collect data
Data Sharing agreement with Newcastle University
We have a data sharing agreement with Newcastle University.
This agreement permits the transfer of all or part of your personal information from the University to NUSU for the purposes of allowing NUSU to provide you with support services, participate in democratic processes, join societies, buy tickets and communicate with you about Annual Reports and Accounts as well as SU activities and campaigns, elicit your feedback and respond to feedback. It also allows us to monitor the effectiveness of our communications and services, giving scope for communicating with underrepresented groups within the University and to track the effectiveness of our services and activities. We also share data with the University, including details of course reps for the University app and recognition of activities with NUSU to the Higher Education Achievement Record (HEAR).
Occasionally NUSU will share pertinent data with the University. This would be for improving your educational experience, the experience of future students or for academic research purposes.
You can tell the University that you do not wish NUSU to have this data by opting out at enrolment.
Further details on our data sharing agreement with Newcastle University, and the data we share, can be found here www.nusu.co.uk/university-data-agreement
Details you provide at the point of registration with the University can be updated through University data systems. Further information on this can be found here: http://www.ncl.ac.uk/students/progress/student-resources/s3p/studentdata.htm
Newcastle University Students’ Union cannot be held responsible for any inaccurate personal details.
Some details may be recorded or updated through your usage of our website and ecommerce systems. These can include – preferred names, contact details and memberships. Your contact details can be updated by you at any time by visiting www.nusu.co.uk/profile
We gather both personal and anonymous information from you when you visit our website. You may also give us information about you by filling in forms at an event or online, or by correspondence with us by email, phone or otherwise.
Personal Information Collection
- If you are a non-student (including Freshers before completing university registration) and sign up for an activity or make a purchase on our website, we will record your contact information, login details and transaction history. You will also have the opportunity to update your information at any time whilst you maintain an account with us.
- If you are a registered student at Newcastle University, you will login using your University Username and Password through their login platform, and this data will never be stored on Newcastle University Students’ Union servers. Additionally, for Freshers who register using the previous method, once your University registration is confirmed, the two accounts will be merged and your previous login details will be deleted.
- If you make any transactions through our website, even those free of charge, we will record your billing address and payment method; however we do not store full payment card details. These are collected through either Opayo or PayPal who are our online payment providers.
- We will only send information deemed relevant to your membership at Newcastle University Students’ Union, including those on organisational governance, your memberships and services and offers available to you. You can update your email communications preferences via www.nusu.co.uk/profile. We will always respect your privacy within communications between you and the organisation. Updating email marketing preferences can be done from the relevant link within any email received from Newcastle University Students’ Union.
Newcastle University Students’ Union collects, holds and processes certain information or data about students, staff and other visitors when they use nusu.co.uk or our affiliate websites or engage with our services as a member of the organisation. We collect information on:
- Our members – students at Newcastle University and lifetime members
- Users of our website including staff, alumni and the general public.
- People who use our services both online and in person.
- People who interact with us via feedback, suggestions, market research or complaints.
- Suppliers, agents and third-parties including external auditors.
- Job applicants and records on our current and former employees.
The vast majority of our data processing is done on the legal basis of legitimate interest in delivering NUSU’s services and activities, in accordance with our constitution and charitable aims. These can be found on the Charity Commission’s website at http://apps.charitycommission.gov.uk/Showcharity/RegisterOfCharities/CharityFramework.aspx?RegisteredCharityNumber=1138091&SubsidiaryNumber=0
There may be, on occasion, the processing of data for which you have given consent, particularly for the processing of any special category data. In this case, you have the right to withdraw consent at any time.
Information Collected and Data processed via Technology
In addition, we use “Pixel Tags” (also referred to as clear Gifs, Web beacons, or Web bugs). Pixel Tags are tiny graphic images with a unique identifier, similar in function to Cookies, that are used to track online movements of Web users. In contrast to Cookies, which are stored on a user’s computer hard drive, Pixel Tags are embedded invisibly in Web pages. Pixel Tags also allow us to send e-mail messages in a format users can read, and they tell us whether e-mails have been opened to ensure that we are sending only messages that are of interest to our users. We may use this information to reduce or eliminate messages sent to a user.
We may also collect non-personal information from your mobile device if you have downloaded our Application. This information is generally used to help us deliver the most relevant information to you. Examples of information that may be collected and used include your geographic location, how you use the Application, and information about the type of device you use. In addition, in the event our Application crashes on your mobile device, we will receive information about your mobile device model, software version and device carrier, which allows us to identify and fix bugs and otherwise improve the performance of our Application(s). This information is sent to us as aggregated information and is not traceable to any individual and cannot be used to identify an individual.
If you have downloaded our App and enabled location services on your phone, we collect your location information to make a map available to the recipients of your messages showing your location. If you do not want this information collected by us, you can disable location services on your phone.
Profiling under GDPR is part of an automated decision-making process whereby NUSU will segment students to ensure the most relevant member information and opportunities are provided.
NUSU only collects the minimum amount of data needed and has a clear retention policy for the profiles created. NUSU also carries out a Data Protection Impact Assessment to identify the risks to individuals, show how we are going to deal with them and what measures we have in place to meet GDPR requirements.
NUSU does not use special category data in our automated decision-making systems unless we have a lawful basis to do so, and we can demonstrate what that basis is. We delete any special category data accidentally created.
NUSU sends individuals a link to the privacy statement if personal data has been obtained indirectly.
Use of Your Personal Data
NUSU uses Personal Data in furtherance of our legitimate interests in operating our Student Membership Services, Opportunities, Website and Applications. More specifically:
In general, Personal Data you submit to us is used either to respond to requests that you make, or to aid us in serving you better. We use your Personal Data in the following ways:
- Membership administration for compliance, funding and accountability purposes.
- The delivery of services and activities, including:
- The organisation and delivery of sports clubs and student led societies
- Competition entry, including entry into British Universities and Colleges Sport (BUCS)
- The delivery of activities programmes
- Volunteering projects (including referrals to external organisations as requested by the student)
- The administration of the NUSU/University academic rep system and associated meetings and committees
- Providing training and support to NUSU volunteers
- The provision of entertainments and social programmes
- The awarding of bursaries
- Nominations and decisions on reward and recognition for students, staff and volunteers
- Academic credit and/or recognition through employability programmes
- facilitate the creation of and secure your Account on our network;
- identify you as a student in our system;
- provide improved administration of our Services;
- provide the Services you request;
- improve the quality of experience when you interact with our Site and Services;
- send you administrative e-mail notifications, such as security or support and maintenance advisories;
- make telephone calls to you, from time to time, to solicit your feedback; and
- send newsletters, surveys, offers, and other promotional materials related to our Membership Services.
- Advertising, marketing and public relations.
- Legal requirements and obligations, including the Education Act, Charities Act, Companies Act etc.
- Accounts and financial records.
Testimonials and Feedback
We often receive testimonials and comments from students who have had positive experiences with our Services. We occasionally publish such content. When we publish this content, we may identify our students by their first and last name, and may also include additional data such as their home city, student experience, and education. We obtain the student’s consent prior to posting his or her name along with the testimonial. We may post student feedback on the Site from time to time. We will share your feedback with your first name and last initial only. If we choose to post your first and last name along with your feedback, we will obtain your consent prior to posting your name with your feedback. If you make any comments on a blog or forum associated with your Site, you should be aware that any Personal Data you submit there can be read, collected, or used by other users of these forums, and could be used to send you unsolicited messages. We are not responsible for the personally identifiable information you choose to submit in these blogs and forums.
Creation of Anonymous Data
We may create Anonymous Data records from Personal Data by excluding information (such as your name) that makes the data personally identifiable to you. We use this Anonymous Data to analyse request and usage patterns so that we may enhance the content of our Services and improve Site navigation. We reserve the right to use Anonymous Data for any purpose and disclose Anonymous Data to third parties in our sole discretion.
How we use this personal information – specific scenarios
Fulfil requests for products or services, such as purchasing from the online shop, joining a society or booking an advice appointment. We may also use this information to send you other information you have requested, confirmation emails or to respond to queries.
We may use your provided details to notify you of similar products or services that may be of interest to you, as well as important information related to NUSU, the University or the local area.
You may opt out of receiving promotional or marketing emails by notifying us using the unsubscribe link at the bottom of the relevant email. Emails may be sent from NUSU or from other groups such as clubs, societies, volunteer organisations etc. that you have provided your details to. If you unsubscribe from central NUSU emails it does not mean you will be removed from all other groups and vice-versa.
We may create anonymous statistics and reports based on your user information, however all personally identifiable information such as your name, contact details etc. will be excluded at this point. This data is purely used to assess user behaviour as a whole, not as individuals.
When signing up to services and activities, we will use your data in the delivery of these services and may make this public, where appropriate. For example, listing course representative details and club and society committee details on the NUSU website.
Disclosure of Personal information
Your personal information will not be sold, traded or rented to individuals or other entities. However, we may need to share it with third parties to deliver products or services to you, such as with card authorisation services for online transactions or delivery companies to ship products.
Other organisations with whom we may share data include British Universities and Colleges Sport (BUCS) for competition entries; ACM Solutions Limited who provide our online case management system for the Advice Centre; our current insurance provider; Membership Solutions Limited (MSL) who provide our Customer Relationship Management Software (CRM); external volunteering projects where students have signed up to volunteer; and Newcastle University for a number of purposes including the inclusion of extra-curricular achievements on your Higher Education Achievement Record (HEAR). Where we share data, a Data Controller to Data Processor agreement has been signed to ensure security of data and to make it clear that these third parties will be authorised to use your personal information in this necessary capacity only.
We may disclose your Personal information if we believe in good faith that such disclosure is necessary to comply with legal obligations or protect the rights and property of NUSU.
We may disclose your personal data if we believe there is a risk to yourself or others. For example, this could occur when using the Advice Services where a student may be in danger and NUSU would have a legal obligation to disclose such information to the police.
Your Rights and Managing your Data
You can manage information available to groups, organisations and projects you join on nusu.co.uk via your NUSU Profile – this can be updated at www.nusu.co.uk/profile
Managing your email preferences from central NUSU can be done through the relevant link of each email.
Emails may be sent from other groups such as clubs, societies, volunteer organisations etc. that you have provided your details to. If you unsubscribe from central NUSU emails it does not mean you will be removed from all other groups and vice-versa, in which case you will need to contact the organization directly to be removed.
Updating University information
Some of your information is provided to us by Newcastle University. This is synchronised on a daily basis. This information cannot be updated by our systems and must be updated by the University.
Subject Access Requests
All individuals have the right to access the personal data that NUSU has in relation to themselves. This can be done using the online Subject Access Request Form - www.nusu.co.uk/subject-access
If you believe any of your personal details are inaccurate, you also have the right to rectification. Any queries relating to this should be sent to email@example.com
For both access and rectification requests, your request will be dealt with within one month and free of charge.
If you object to NUSU continuing to process your personal data, you have the right of erasure or the right to restrict, where we do not have any legal reason to have to keep this data. To exercise this right, please email firstname.lastname@example.org
Security of Your Personal Data
For online payments we use the payment services of PayPal and Opayo (formerly known as Sage Pay). We do not process, record or maintain your credit card or bank account information. For more information on how payments are handled, or to understand the data security and privacy afforded such information, please refer to https://www.paypal.com/uk/webapps/mpp/ua/privacy-prev and https://www.opayo.co.uk/policies/privacy-policy
NUSU is committed to protecting the security of your Personal Data. We use a variety of industry-standard security technologies and procedures to help protect your Personal Data from unauthorized access, use, or disclosure. We also require you to enter a password to access your Account information. Please do not disclose your Account password to unauthorized people. No method of transmission over the Internet, or method of electronic storage, is 100% secure, however. Therefore, while NUSU uses reasonable efforts to protect your Personal Data, NUSU cannot guarantee its absolute security.
App Specific Policy
The NUSU Application collects some Personal Data from its Users.
Personal Data collected for the following purposes and using the following services:
Access to third party services' accounts
Access to the Facebook account
Permissions: In app registration, Likes and Publish to the Wall
Access to the Twitter account
Personal Data: In app registration and Various types of Data
Personal Data: Cookie and Usage Data
Interaction with external social networks and platforms
Facebook Like button, social widgets
Personal Data: Cookie, Usage Data, Profile information
Data Controller and Owner
Types of Data collected
Among the types of Personal Data that this Application collects, by itself or through third parties, there are: Cookie and Usage Data.
The Personal Data may be freely provided by the User, or collected automatically when using this Application.
Failure to provide certain Personal Data may make it impossible for this Application to provide its services.
The User assumes responsibility for the Personal Data of third parties published or shared through this Application and declares to have the right to communicate or broadcast them, thus relieving the Data Controller of all responsibility.
Mode and place of processing the Data
Methods of processing
The Data Controller processes the Data of Users in a proper manner and shall take appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of the Data.
The Data processing is carried out using computers and/or IT enabled tools, following organizational procedures and modes strictly related to the purposes indicated. In addition to the Data Controller, in some cases, the Data may be accessible to certain types of persons in charge, involved with the operation of the site (administration, sales, marketing, legal, system administration) or external parties (such as third party technical service providers, mail carriers, hosting providers, IT companies, communications agencies) appointed, if necessary, as Data Processors by the Owner. The updated list of these parties may be requested from the Data Controller at any time.
The Data is processed at the Data Controller's operating offices and in any other places where the parties involved with the processing are located. For further information, please contact the Data Controller.
The Data is kept for the time necessary to provide the service requested by the User, or stated by the purposes outlined in this document, and the User can always request that the Data Controller suspend or remove the data.
The use of the collected Data
The Data concerning the User is collected to allow the Application to provide its services, as well as for the following purposes: Access to third party services' accounts, Creation of the user in app profile, Content commenting and Interaction with external social networks and platforms.
The Personal Data used for each purpose is outlined in the specific sections of this document.
Facebook permissions asked by this Application
This Application may ask for some Facebook permissions allowing it to perform actions with the User's Facebook account and to retrieve information, including Personal Data, from it.
The permissions asked are the following:
By default, this includes certain User’s Data such as id, name, picture, gender, and their locale. Certain connections of the User, such as the Friends, are also available. If the user has made more of their data public, more information will be available.
Provides access to the list of all of the pages the user has liked.
Publish to the Wall
Enables the app to post content, comments, and likes to a user's stream and to the streams of the user's friends.
Detailed information on the processing of Personal Data
Personal Data is collected for the following purposes and using the following services:
Access to third party services' accounts
These services allow this Application to access Data from your account on a third party service and perform actions with it.
These services are not activated automatically, but require explicit authorization by the User.
Access to the Facebook account (This Application)
This service allows this Application to connect with the User's account on the Facebook social network, provided by Facebook Inc.
Permissions asked: Likes and Publish to the Wall.
Access to the Twitter account (This Application)
This service allows this Application to connect with the User's account on the Twitter social network, provided by Twitter Inc.
Personal Data collected: Various types of Data.
Content commenting services allow Users to make and publish their comments on the contents of this Application.
Depending on the settings chosen by the Owner, Users may also leave anonymous comments. If there is an email address among the Personal Data provided by the User, it may be used to send notifications of comments on the same content. Users are responsible for the content of their own comments.
If a content commenting service provided by third parties is installed, it may still collect web traffic data for the pages where the comment service is installed, even when users do not use the content commenting service.
Disqus is a content commenting service provided by Big Heads Labs Inc.
Personal Data collected: Cookie and Usage Data.
Interaction with external social networks and platforms
These services allow interaction with social networks or other external platforms directly from the pages of this Application.
The interaction and information obtained by this Application are always subject to the User’s privacy settings for each social network.
If a service enabling interaction with social networks is installed it may still collect traffic data for the pages where the service is installed, even when Users do not use it.
Facebook Like button and social widgets (Facebook)
The Facebook Like button and social widgets are services allowing interaction with the Facebook social network provided by Facebook Inc.
Personal Data collected: Cookie and Usage Data.
Additional information about Data collection and processing
The User's Personal Data may be used for legal purposes by the Data Controller, in Court or in the stages leading to possible legal action arising from improper use of this Application or the related services.
The User is aware of the fact that the Data Controller may be required to reveal personal data upon request of public authorities.
Additional information about User's Personal Data
System Logs and Maintenance
For operation and maintenance purposes, this Application and any third party services may collect files that record interaction with this Application (System Logs) or use for this purpose other Personal Data (such as IP Address).
Information not contained in this policy
More details concerning the collection or processing of Personal Data may be requested from the Data Controller at any time. Please see the contact information at the beginning of this document.
The rights of Users
Users have the right, at any time, to know whether their Personal Data has been stored and can consult the Data Controller to learn about their contents and origin, to verify their accuracy or to ask for them to be supplemented, cancelled, updated or corrected, or for their transformation into anonymous format or to block any data held in violation of the law, as well as to oppose their treatment for any and all legitimate reasons. Requests should be sent to the Data Controller at the contact information set out above.
This Application does not support “Do Not Track” requests.
To determine whether any of the third party services it uses honor the “Do Not Track” requests, please read their privacy policies.
Information from the use of our Applications
When you use our mobile apps, we may collect certain information in addition to information described elsewhere in this Policy. For example, we may collect information about the type of device and operating system you use. We may ask you if you want to receive push notifications about activity in your account. If you have opted in to these notifications and no longer want to receive them, you may turn them off through your operating system. We may ask for, access or track location-based information from your mobile device so that you can test location-based features offered by the Services or to receive targeted push notifications based on your location. If you have opted in to share that location-based information and no longer want to share it, you may turn sharing off through your operating system. We may use mobile analytics software (such as crashlytics.com) to better understand how people use our application. We may collect information about how often you use the application and other performance data.
Definitions and legal references
Personal Data (or Data)
Any information regarding a natural person, a legal person, an institution or an association, which is, or can be, identified, even indirectly, by reference to any other information, including a personal identification number.
Information collected automatically from this Application (or third party services employed in this Application), which can include: the IP addresses or domain names of the computers utilized by the Users who use this Application, the URI addresses (Uniform Resource Identifier), the time of the request, the method utilized to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the server's answer (successful outcome, error, etc.), the country of origin, the features of the browser and the operating system utilized by the User, the various time details per visit (e.g., the time spent on each page within the Application) and the details about the path followed within the Application with special reference to the sequence of pages visited, and other parameters about the device operating system and/or the User's IT environment.
The individual using this Application, which must coincide with or be authorized by the Data Subject, to whom the Personal Data refer.
The legal or natural person to whom the Personal Data refers.
Data Processor (or Data Supervisor)
Data Controller (or Owner)
The natural person, legal person, public administration or any other body, association or organization with the right, also jointly with another Data Controller, to make decisions regarding the purposes, and the methods of processing of Personal Data and the means used, including the security measures concerning the operation and use of this Application. The Data Controller, unless otherwise specified, is the Owner of this Application.
The hardware or software tool by which the Personal Data of the User is collected.
Small piece of data stored in the User's device.
Notice to European Users: this privacy statement has been prepared in fulfillment of the obligations under Art. 10 of EC Directive n. 95/46/EC, and under the provisions of Directive 2002/58/EC, as revised by Directive 2009/136/EC, on the subject of Cookies.
Data Breach Statement
GDPR introduced a duty on all organisations to report certain types of personal data breach to the Information Commissioner's Office within 72 hours of becoming aware of the breach. If a breach occurs, NUSU will use the ICO’s online self-assessment tool to determine if the data breach should be reported. This process will be managed by NUSU’s Data Protection Officer (Dir of Digital and Communications). In all instances the data subject, whose information has been incorrectly shared, will be informed within 24 hours of NUSU becoming aware of the breach, if it is likely to result in a high risk to their rights and freedoms. All breaches will be recorded by NUSU even if they don’t all need to be reported to the ICO.
Reporting a concern or Breach
If you have any reason to believe that NUSU has not been compliant with the regulations within the Data Protection Act, you have the right to lodge a complaint with the Information Commissioner's Office at www.ico.org.uk
Other Areas and related documentation:
Further information – statement to be reviewed May 2018
ICO register https://ico.org.uk/ESDWebPages/Entry/Z2204599