Data Protection & Privacy Notices
Last Updated: 25th May 2018
London South Bank University Students' Union is a registered not-for-profit charity, set up for the sole benefit of students at London South Bank University. The work we undertake seeks to represent the academic interests of our members and improve their student experience.
London South Bank University Students' Union takes your right to privacy seriously. London South Bank Students' Union is committed to preserving the privacy of all of our members, and visitors to lsbsu.org. Please read the following privacy policy to understand how we use and protect the information that we hold about you.
For the purpose of the Data Protection Act 1998 ("Act"), the data controller is London South Bank Students' Union of 103 Borough Road, London, SE1 0AA. By registering to any service offered by London South Bank University Students' Union, you consent to the collection, use and transfer of your information under the terms of this policy.
What data do you know about me?
Students' Union Advice Service
What are we going to do with your information
Changing this privacy notice & letting you know
How we have obtained your data
Data Sharing Agreement with London South Bank University
Your Rights and how to object to processing
Legal basis for processing under GDPR
Categories of Individuals we hold data on
Explanation of how profiling is done
Purpose of this policy
This “Privacy Policy” explains our approach to any personal information that we might collect from you, or which we have obtained about you from a third party i.e. from London South Bank University, and the purposes for and basis upon which we process your personal information. This Privacy Policy also sets out your rights in respect of our processing of your personal information.
This Privacy Policy applies to LSBSU.org and any of its affiliated websites, applications and other telecommunication and digital services (such as bulk email services) in connection with which this Privacy Policy is linked or posted (collectively and non-exhaustively, “Sites”), as well as services that we physically make available in the Union, through telephony services, face to face customer/member services or facilities and any other activity that is in line with our charitable objects (collectively and non-exhaustively, “Services”).
This Privacy Policy explains how London South Bank University Students' Union collects and uses data and information that may identify or can be directly associated with an individual person (“Personal Information”). London South Bank University Students' Union respects your right to privacy. Your ability to make informed choices about the uses of your information is important to us and how you can request that we delete, update, transfer it and/or provide you with access to it.
This Privacy Policy is intended to assist you in making informed decisions when using our Sites and our Services. Please take a moment to read and understand it. Please note that it should be read in conjunction with the University Privacy statement and our data sharing agreement.
Please also note that this Privacy Notice only applies to the use of your personal information obtained by us, it does not apply to your personal information collected during your interactions with third parties, such as the University, or any other legal entity that we may link to from our Sites or Services.
This Privacy Notice may vary from time to time so please check it regularly. Please see below for further details.
Who we are
Our Sites and our Services are operated by London South Bank University Students’ Union (“we”, “us”, “our”, “London South Bank Students’ Union”, “The Union”, “The Students’ Union”, or “LSBSU”).
We are a controller of your personal information obtained in connection with the provision of our Sites and Services and your personal information will be used in accordance with this Privacy Notice.
Feel free to get in contact with us to resolve any issue, question or concern you may have:
Information and Data Protection Officer
Post:
The Information and Data Protection Officer
London South Bank Students' Union
103 Borough Road
London
SE1 0AA
London South Bank University Students’ Union is a charity registered in England and Wales with the Charity Commission, registration number: 1158441 and whose registered office is at London South Bank University, 103 Borough Road, London, SE1 0AA, and whose agreed aims, activities and charitable objects, which have been agreed with the regulator, are set out below.
Aims & Activities of the Union
Promoting the interests and welfare of students at London South Bank University during their course of study and representing, supporting and advising students as the channel between students and the University. Providing social, cultural, sporting and recreational activities and forums for discussions and debate for the personal development of its students.
The Union’s objects are the advancement of education of students at London South Bank University for the public benefit by:
- promoting the interests and welfare of students at London South Bank University during their course of study and representing, supporting and advising students;
- being the recognised representative channel between students and London South Bank University and any other external bodies; and
- providing social, cultural, sporting and recreational activities and forums for discussions and debate for the personal development of its students.
What data do you know about me?
London South Bank Students' Union collects information to operate our charity/membership organisation that seeks to represent the academic interest of our members and improve the student experience at London South Bank University and in the wider world in line with our charitable objects. To this end we collect Personal Data, Sensitive Data, Criminal Convictions & Offences Data (limited) and Other Information in support of delivering this work.
"Personal Data" is information that can be used, directly or indirectly, alone or together with other information, to identify you as an individual. This may include your precise Location Data.
"Special Category" data is information which the GDPR says is more sensitive, and so needs more protection. See below for fuller details.
"Criminal Convictions & Offences Data" - in a strictly limited number of circumstances we will process data about criminal convictions and offences of those whom we come into contact with. See below for fuller details.
"Other Information" is information that is anonymous, aggregate, de-identified, or otherwise does not reveal your identity. Some examples include browser and operating system, time spent using our Sites and Services, and referring webpages visited. We collect and use this information to understand how you individually and collectively use our Sites and Services to constantly tune, enhance, innovate and build products and services to reflect the needs of our users. We also collect responses from trusted payment service providers when you make purchases through our Sites and Services. Depending on payment method, this may include a subscription ID that is sent to the payment service provider. To complete purchases we require you to provide certain financial information (e.g. your PayPal user name, credit card information etc) in order to facilitate the processing of payments.
Special Data - What is it? Why do we process it?
Special Category data is defined by the GDPR as data that is more sensitive, and where an additional requirement needs to be met prior to any processing occurring. This data includes:
- race;
- ethnic origin;
- politics;
- religion;
- trade union membership;
- genetics;
- biometrics (where used for ID purposes);
- health;
- sex life; or
- sexual orientation
Article 9(2) of the GDPR sets out just 10 instances where this is allowed. London South Bank Students' Union is a not-for-profit charity and membership organisation as well as an employer. We process special category data usually under only these three conditions:
For members, former members and those with whom we have regular contact (i.e. volunteers):
GDPR:9.2(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects
and/or
GDPR:9.2(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
For Staff (prospective, current and former)
GDPR:9.2(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
and/or
GDPR:9.2(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
Why we want to know this stuff
As a Students' Union, equality of opportunity is one of our core values, and we often want to know specifically the views and opinions of groups who are often marginalised in education settings, the workplace (for our employees), as well as wider society, so we can undertake activity that promotes equality of opportunity. When we undertake our work, and where we deem it appropriate, both legally and ethically, we will process information around special category information. For example, the Students' Union often carries out research aimed at better understanding the student experience, and we know that Black, Asian Arab & Ethnic Minority students have a very different educational experience to their White/Caucasian peers, and we want to ensure the only limit to academic success in the future is academic ability.
As a service provider, and as part of good professional practice, we want to ensure that every student feels they can access our services and facilities and seek to assure ourselves that no inequalities, both in access and provision, are being faced by our service users. As such, we may collect or use existing personal and/or special data we hold on you to undertake benchmarking, in the pursuance of equality of opportunity.
We are also a democratic member-led organisation. Our membership has agreed that "self determination and self organisation" is one of the values that we have - an example being they think only disabled students should vote for the Disabled Students' Officer in our student elections, so we process information about 'health' (disability status) and other special category fields, in order to function aspects of your membership and democratic rights.
Criminal convictions and offences data
Under the General Data Protection Regulation (GDPR), personal data relating to criminal convictions and offences can be processed only:
- under the control of official authority; or
- when it is authorised by law providing for appropriate safeguards for the rights and freedoms of data subjects.
However, the Data Protection Act 2018, which supplements the GDPR, authorises the use of criminal records checks by organisations other than those vested with official authority. The Act allows employers to process criminal convictions data where necessary for the purposes of performing or exercising employment law obligations or rights. The Act also authorises processing criminal records data in other circumstances, including where the subject has given their consent. This would allow employers and volunteer-involving organisations to request a criminal records check where the prospective employee/volunteer agrees to it, provided that the consent meets the specific requirements under the GDPR.
CCTV
London South Bank Students' Union does not run its own CCTV system - all areas that are covered by CCTV in Union premises/space and surrounding are operated by London South Bank University.
Students' Union Advice Service
Given the highly confidential nature of the Students' Union Advice Service in providing 'free, impartial and confidential advice' we have drafted a specific addendum schedule to this Privacy Notice that details specifically what, and how, we process the additional information from our Advice Service Users.
>> Addendum Schedule for Students' Union Advice Service
Please note: this is an addendum document to this Privacy Notice, and both notices work in partnership with one another, i.e. if you access Students' Union Advice Service webpages on LSBSU.org or you send an email to our Students' Union Advice Staff, this main Privacy Notice applies.
What are we going to do with your information
We are a registered charity that is set up to benefit London South Bank University students. We are classified as a small charity, and have approximately 24 employed staff and over 2,500 volunteers based from the above premises. The Union stores and processes some of its data remotely:
Changing this privacy notice & letting you know
To ensure that you are always aware of how we use your personal information we will update this Privacy Policy from time to time to reflect any changes to our use of your personal information. We may also make changes as required to comply with changes in applicable law or regulatory requirements. If we make significant changes, we will make that clear on our Sites or where appropriate through other Services, or by some other means of contact such as email, so that you are able to review the changes before you continue to use our Services & Sites.
However, we encourage you to review this Privacy Policy periodically to be informed of how we use your personal information.
Change of purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Where we store your personal data
Some of the third parties that we describe here may be located outside of the EEA or may otherwise transfer your personal data outside of the EEA - for instance we use Google's Gmail to deliver email services, whose servers are located globally.
Where we transfer your personal data to external third parties, we take appropriate steps to ensure that your personal information is treated securely and in accordance with this Privacy Policy and all applicable laws. In respect of transfers of your personal information outside of the EEA, this means that we will ensure that there is a lawful basis for transferring personal information outside the EEA. Our standard practice is to use ‘model clauses’ which have been approved by the European Commission for such transfers. We may also rely on other mechanisms, where appropriate, including reliance on a third party’s ‘binding corporate rules’ or ‘EU-US Privacy Shield’ certification. It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Such staff may be engaged in, among other things, the fulfilment of your order, the processing of your payment details and the provision of support services. As a member, user or other user of our services you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy.
Some countries, such as the United States of America, have not been deemed to have data protection laws in place that afford you the same rights as data stored in the UK/EU. Because of this, we only store and process your data with partners who can ensure your rights are upheld - in the main this means working with partners who use the EU-U.S. Privacy Shield. The EU-U.S. Privacy Shield is an approved in accordance with Article 46(2)(f) of the General Data Protection Regulation. More information about the EU-U.S. Privacy Shield can be found here: http://ec.europa.eu/justice/
How we protect your information
London South Bank Students' Union ensure that we have incorporated appropriate organisational training, technical and process measures to increase the security of your personal information held by us. We also ensure the processors that we work with have an appropriate level of organisational security. Some of the aspects of our security include:
- ensuring only those who need access to your data to carry out work on our behalf have access to it, including tiered and segmented access privileges
- training all of our staff within 8 weeks of starting their employment in Data Protection, your rights and their responsibilities, and retraining as appropriate. (NB initially, we will train/retrain all staff within 8 weeks of the implementation of the Data Protection Act 2018 and GDPR)
- using ICT services that store your data securely.
- website payment processing secured by the Payment Card Industry Data Security Standard (PCI DSS); more information at www.pcisecuritystandards.org
- HTTPS certification with, where appropriate, encrypted connections using the HTTPS standard using usually one of two secure protocols to encrypt communications - SSL (Secure Sockets Layer) or TLS (Transport Layer Security).
Who will we share it with
We do not, and will not, sell any of your personal data to any third party – including your name, address, email address or bank, debit/credit card information. We want to earn and maintain your trust, and we believe this is absolutely essential in order to do that.
As an essential part of being able to deliver our charitable services we use external service providers who have limited access to your data and these are carefully managed, usually by contracts and high levels of security standards. Below we have outlined some of those who may process your data and, where possible, linked to their security information.
We may share your personal information, in part or in full for the purposes described in this Privacy Policy with:
- London South Bank University, our parent institution, and its subsidiaries.
- The National Union of Students UK, with whom members have agreed to affiliate.
- National Governing Bodies for Sports & Societies and Groups you additionally become a member of
- Membership Services Solutions - who provide membership management services including our membership CRM and some Sites of the Union.
- Google who supply both administration services, including G-Suite, and Google Analytics Services.
- Mailchimp who provide our bulk email system
- SurveyGizmo/WidgixEU who provide digital survey software
- AdvicePro an industry standard Advice Casework system provided by AdviceUK
- internally with other companies and legal entities in our group (which means our subsidiaries), as defined in section 1159 of the UK Companies Act 2006; and
- MoorePay - for our Payroll systems
- HSBC for bank payments and transfers
- Legal & General for staff pension payments
- BreatheHR for HR related administrative systems.
- Governmental and regulatory bodies such as HMRC, Charity Commission etc.
- additionally, we may also share externally with other third party service providers, categories of whom we have detailed below.
The categories of third party service providers that we share your personal information with are, or may include:
- providers of online ticketing systems;
- providers of systems and services that help us deliver our membership offer
- providers of systems and services that help us deliver employer responsibilities,
- payment processors and providers of BACS, direct debit and credit card facilities;
- printers, delivery and postal companies;
- suppliers who host, provide, manage, support or administer certain aspects of our websites, and telephone services;
- providers of customer surveys and customer insight analytics;
- suppliers who host, provide, manage, support or administer certain aspects of our IT and business administration systems and data centres;
- providers of Wi-Fi access for customers in our facilities;
- suppliers of email, online and social media advertising and other marketing systems and services;
- third parties who help us to run or administer competitions or deliver prizes;
- third parties who host our events;
- with our professional advisers such as our lawyers, accountants, health and safety consultants and insurance brokers for our business administration and legal purposes;
- debt collection agencies and others for the purposes of enforcing any agreements that we have with you;
- any other third party where we are obliged to, or permitted to do so, by law, court order or to comply with any search warrant or similar instrument presented to us by any law enforcement, government officer or regulatory authority;
We may provide third parties with aggregated but anonymised information and analytics about our customers and, before we do so, we will make sure that it does not identify you.
How we have obtained your data
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these applies whenever we process personal data about you:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
In the main, London South Bank Students' Union processes data under four lawful bases. These are:
- Contract: As a student or staff you will likely have a contract with us when you use our services which allows us to facilitate our obligations to you.
- Legitimate Interest: We carefully balance your rights when we think there is a legitimate interest in us processing data to support you.
- Consent: We may ask you to consent to us processing your data for marketing purposes or engaging with our Sites and Services.
- Legal obligation: We are obliged by various laws including the Education Act, Contracts Act and employment law to process certain data.
We rely on legitimate interest as justifying much of our processing of Personal Data as we have assessed that the majority of our processing activity would be in the reasonable expectations of those we process data about. Our activities reliant on legitimate interest are as follows:
Employees: We require the data processing to enable us to be a good employer and pay employees. Whilst they are candidates we require it to assess them for employment. Employees and candidates expect us to hold and process that personal data for those purposes. We destroy candidate personal data in line with our retention schedule if the candidate is unsuccessful.
Members: As a membership organisation, processing individual data is central to our service provision. Members are able to opt out of processing by either opting out at enrolment/re-enrolment and/or terminating their membership with the London South Bank University's Registry. To provide a high standard of service and personalise our provision we record and process data relating to members' engagement and communications preferences. The maximum study term for a student on a single course is 8 years and we retain student data for a further 3 years, to a maximum of 11 years. Our core data is refreshed usually nightly by the University.
Suppliers, partners and clients: Our suppliers, partners and customers are not usually individuals so here we are dealing with the identifiable employees of our suppliers and clients who require us to deal with such individuals or self employed individuals. We require their personal data (email, office address, telephone numbers) to enable us to contact them in the context of their job. If an employee leaves a client or supplier we remove their details from our records/CRM and other systems (or we would be communicating with the wrong person). They expect that we will hold their contact details for this purpose.
Customers: When individuals purchase products or utilise services through us, or a subsidiary, we access personal data to process and/or administer our contracted duties as well as sending them carefully selected information about our products and services.
Site users: Sites that we operate both directly such as lsbsu.org, or indirectly such as social media pages, may collect identifiable data about our digital services users. This information helps us improve the functionality and user experience that we can offer these Site users.
In all the above cases we believe that we have as a minimum a legitimate interest in carrying out that processing, and that the processing has no significant risk to the rights and freedoms of the individuals concerned.
Membership of the Union
The Students' Union, like the vast majority of Students' Unions around the country, shares data with its institution under legitimate interest grounds. During the enrolment process for your course with London South Bank University, you completed and signed an enrolment declaration, which is published on the University’s website. For your convenience, an example can be found here:
Enrolment Declaration 2017/18 (PDF File 128 KB)
In that document, which you had to sign to become a student at London South Bank University, you agreed to sharing data with the Students’ Union. As an example, the following clause was used in the 2017/18 Enrolment Declaration:
“I accept that the University will share my Personal Data with the LSBU Student Union to facilitate my entitlement to membership of the Student Union unless I opt out of this membership. The details of the type of information shared by LSBU with the Student Union are specified in the Student Data Collection Notice available at https://www.lsbu.ac.uk/__data/assets/pdf_file/0008/95642/data-protection-notice.pdf .”
Every student of London South Bank University is offered the opportunity to opt-out of membership of the Students’ Union, through London South Bank University at the point of enrolment, in-line with the Education Act (1994).
This data is transferred to us under ‘legitimate interest’ grounds by the University, in order for us to deliver the charitable services that we offer to our members/you, who are the beneficiaries. We call this data “core data” with a data sharing agreement with London South Bank University, and a schedule expressing its usual usage which is detailed here
Data Sharing Agreement with London South Bank University
We believe that when a student goes to University they would reasonably expect their University and Students' Union to work together to improve their student experience. Similarly, the Education Act (1994) specifically identifies that every student who joins a university automatically becomes a member of their students' union unless they opt out. As such, London South Bank Students' Union and London South Bank University have a data sharing agreement in place that allows, and describes the purposes for, data sharing between us, to enable that membership right. A copy of which can be found here:
We also share some limited data with the University about our staff, such as their name and what role they are working for us in, and whether they are a temporary or permanent recruitment. This allows them to offer LSBSU Staff access to University services such as the barrier entry system and ICT services.
How long will we keep your data
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
Your Rights and how to object to processing
London South Bank Students' Union is committed to empowering you to understand your rights when it comes to the data we hold about you. If you have any questions, issues or concerns, feel free to contact us.
The Data Protection Officer is the Chief Executive at the Union. The Data Protection Officer is responsible for:
- Informing and advising the organisation and its employees about their obligations to comply with the GDPR and other data protection laws
- Monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
- Being the first point of contact for supervisory authorities and for individuals whose data is processed (students, employees, customers etc).
Information and Data Protection Officer
Post:
The Information and Data Protection Officer
London South Bank Students' Union
103 Borough Road
London
SE1 0AA
(e) [email protected] (t) 0207 815 6060
Data Rectification Form | Data Erasure Form | Data Restriction & Objection | Subject Access Request Form |
UNIVERSITY CONTACTS
You may also wish to talk with the University Data Protection Officer - please note they are not the Data Controller for our services
Director of University Archives and Information Compliance
London South Bank University,
103 Borough Road,
London SE1 0AA
Email: [email protected]
What is Processing?
The General Data Protection Regulation defines Processing as:
Processing, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including –
(a) organisation, adaptation or alteration of the information or data,
(b) retrieval, consultation or use of the information or data,
(c) disclosure of the information or data by transmission, dissemination or otherwise making available, or
(d) alignment, combination, blocking, erasure or destruction of the information or data.
The legal basis for processing under the General Data Protection Regulations
It is important to understand that, under the EU's General Data Protection Regulations and the Data Protection Act (2018), "consent" is only one legal basis for processing data relating to an individual.
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
You have the following rights in relation to the personal information we hold about you. You can exercise these rights by contacting us using the contact details set out above.
- Your right of access.
If you ask us, we’ll confirm whether we’re processing your personal information and, if so, provide you with a copy of that personal information (along with certain other details). If you require additional copies, we may need to charge a reasonable fee.
- Your right to rectification.
If the personal information we hold about you is inaccurate or incomplete, you’re entitled to have it rectified. If we’ve shared your personal information with others, we’ll let them know about the rectification where possible. If you ask us, where possible and lawful to do so, we’ll also tell you who we’ve shared your personal information with so that you can contact them directly.
If you are a current LSBU Student and a Member of LSBSU and wish to amend Core Data about you (Name, Address etc), your data is usually updated every 24hrs to match that of the University records, and therefore it is not necessary to tell us of changes. Our system will automatically align itself with the records held by the University, even if you change/rectify that Core Data with us. To change this Core Data, you will need to talk to the University Registry Team - details of which can be found here.
- Your right to erasure.
You can ask us to delete or remove your personal information in some circumstances such as where we no longer need it or if you withdraw your consent (where applicable). If we’ve shared your personal information with others, we’ll let them know about the erasure where possible. If you ask us, where it is possible and lawful for us to do so, we’ll also tell you who we’ve shared your personal information with so that you can contact them directly.
- Your right to restrict processing.
You can ask us to ‘block’ or suppress the processing of your personal information in certain circumstances such as where you contest the accuracy of that personal information or you object to us processing it. It won’t stop us from storing your personal information though. We’ll tell you before we lift any restriction. If we’ve shared your personal information with others, we’ll let them know about the restriction where it is possible for us to do so. If you ask us, where it is possible and lawful for us to do so, we’ll also tell you who we’ve shared your personal information with so that you can contact them directly.
- Your right to data portability.
With effect from 25 May 2018, you have the right, in certain circumstances, to obtain personal information you’ve provided us with (in a structured, commonly used and machine readable format) and to reuse it elsewhere or to ask us to transfer this to a third party of your choice.
- Your right to object.
You can ask us to stop processing your personal information, and we will do so, if we are:
- relying on our own or someone else’s legitimate interests to process your personal information, except if we can demonstrate compelling legal grounds for the processing; or
- processing your personal information for direct marketing.
- You can ask us to stop sending you marketing communications sent to you by email at any time by using the ‘opt-out’ or ‘unsubscribe’ link that we will present to you in the marketing communication. Please note that it may take us a few days (but usually no longer than 14 days) to ensure our marketing systems are updated and during this period you may still receive marketing communications from us.
- Your rights in relation to automated decision-making and profiling.
You have the right not to be subject to a decision when it’s based on automatic processing, including profiling, if it produces a legal effect or similarly significantly affects you, unless such profiling is necessary for entering into, or the performance of, a contract between you and us.
- Your right to withdraw consent.
If we rely on your consent (or explicit consent) as our legal basis for processing your personal information, you have the right to withdraw that consent at any time.
- Your right to lodge a complaint with the supervisory authority.
If you have a concern about any aspect of our privacy practices, including the way we’ve handled your personal information, you can report it to the UK Information Commissioner’s Office (ICO).
Categories of individuals we hold personal data on
London South Bank University Students’ Union have identified the following categories of individual on whom we hold personal data.
Category | Descriptor
LSBSU Staff | As an employer, London South Bank Students’ Union has an obligation to hold data on our current, former and prospective staff members. The legal basis we rely on for processing your personal data is article 6(1)(b) of the GDPR, which relates to processing necessary to perform a contract. We may also process this data under article 6(1)(f) legitimate interest, where we have a legitimate interest in processing outside of the confines of just fulfilling our contractual obligation. The legal basis we usually rely on to process any information you provide as part of your application which is special category data, such as health, religious or ethnic information, is article 9(2)(b) of the GDPR, which also relates to our obligations in employment and the safeguarding of your fundamental rights, and article 9(2)(h) for assessing your work capacity as an employee, as well as Schedule 1 part 1(1) and (2)(a) and (b) of the DPA2018, which relates to processing for employment, the assessment of your working capacity and preventative or occupational medicine.
LSBSU Job, Volunteer and Trustee Applicants ("Applicants") | Our purpose for processing this information is to assess your suitability for a role you have applied for. The legal basis we usually rely on for processing your personal data is article 6(1)(b) of the GDPR, which relates to processing necessary to perform a contract or to take steps at your request, before entering a contract. We may also process this data under article 6(1)(f) legitimate interest, where we have a legitimate interest in processing outside of the confines of just fulfilling our contractual obligation. The legal basis we rely on to process any information you provide as part of your application which is special category data, such as health, religious or ethnic information, is article 9(2)(b) of the GDPR, which also relates to our obligations in employment and the safeguarding of your fundamental rights, and article 9(2)(h) for assessing your work capacity as an employee, as well as Schedule 1 part 1(1) and (2)(a) and (b) of the DPA2018, which relates to processing for employment, the assessment of your working capacity and preventative or occupational medicine.
Members of the Union | We will process data about you to facilitate your membership of LSBSU as deemed appropriate and in line with our charitable objects. Every student of London South Bank University is offered the opportunity to opt out of membership of the Students’ Union, through London South Bank University at the point of enrolment, in line with the Education Act (1994). This data is transferred to us under ‘legitimate interest’ article 6(1)(f) of the GDPR (more details here) by the University, in order for us to deliver the charitable services that we offer to our members/you, who are the beneficiaries. We call this data “core data”, and it is covered by a data sharing agreement with London South Bank University and a schedule expressing its usual usage, which is detailed here. The legal basis we usually rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when it's necessary for the purposes of our legitimate interests. However, with regard to our responsibilities under the 1994 Education Act, our legal basis for processing your personal data is article 6(1)(c) Legal Obligation and article 6(1)(e) of the GDPR. The legal basis we rely on to process any special category data you provide about yourself as part of being this category, such as health, religious or ethnic information, is article 9(2)(d) of the GDPR, as we are a not-for-profit membership organisation, and you must be, or have been, a member of the organisation to become this category of individual. LSBSU holds data on current, former and interrupted members of the Union as per its data retention schedule.
Members of LSBSU Sports Teams | We will process data about you to facilitate your membership of an LSBSU Sports Team. We may also combine this with other data we have also collected about you, creating a single member profile. If the interaction with you relates to meeting our obligations to you and your purchase of additional membership etc., the legal basis usually is article 6(1)(b) of the GDPR. We may also process this data under article 6(1)(f) legitimate interest, where we have a legitimate interest in processing outside of the confines of just fulfilling our contractual obligation. If your interaction is in relation to us processing membership to facilitate your participation, the legal basis usually is article 6(1)(f) because the processing is within our legitimate interests as an organisation. The legal basis we rely on to process any special category data you provide about yourself as part of being this category, such as health, religious or ethnic information, is article 9(2)(d) of the GDPR, as we are a not-for-profit membership organisation, and you must be, or have been, a member of the organisation to become this category of individual.
Members of LSBSU Student Societies | We will process data about you to facilitate your membership of an LSBSU Society. We may also combine this with other data we have also collected about you, creating a single member profile. If the interaction with you relates to meeting our obligations to you and your purchase of additional membership etc., the legal basis usually is article 6(1)(b) of the GDPR. We may also process this data under article 6(1)(f) legitimate interest, where we have a legitimate interest in processing outside of the confines of just fulfilling our contractual obligation. If your interaction is in relation to us processing membership to facilitate your participation, the legal basis usually is article 6(1)(f) because the processing is within our legitimate interests as an organisation. The legal basis we usually rely on to process any special category data you provide about yourself as part of being this category, such as health, religious or ethnic information, is article 9(2)(d) of the GDPR, as we are a not-for-profit membership organisation, and you must be, or have been, a member of the organisation to become this category of individual.
Members of other Groups | We will process data about you to facilitate your membership of any other formal group of the Union we set up, and you choose to be a member of. We may also combine this with other data we have also collected about you, creating a single member profile. If the interaction with you relates to meeting our obligations to you and your purchase of additional membership etc., the legal basis usually is article 6(1)(b) of the GDPR. We may also process this data under article 6(1)(f) legitimate interest, where we have a legitimate interest in processing outside of the confines of just fulfilling our contractual obligation. If your interaction with us is in relation to us processing membership to facilitate your participation, the legal basis is usually article 6(1)(f) because the processing is within our legitimate interests as an organisation. The legal basis we usually rely on to process any special category data you provide about yourself as part of being this category, such as health, religious or ethnic information, is article 9(2)(d) of the GDPR, as we are a not-for-profit membership organisation, and you must be, or have been, a member of the organisation to become this category of individual.
Union Office Bearers/Officials/Student Reps/Executive Officers and Student Trustees ("Union Official") | We will process data about you to facilitate your role of being an LSBSU Union Official. We may also combine this with other data we have also collected about you, creating a single member profile. The legal basis we usually rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when it's necessary for the purposes of our legitimate interests. For all types of Union Official, the legal basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when it's necessary for the purposes of our legitimate interests, an example of which would be communicating with you on a day to day basis. If your interaction is in relation to us processing personal data with regard to your role as Trustee, the legal basis would usually, in addition, include article 6(1)(e) Public Task, as you will be carrying out duties as a charity trustee, as well as 6(1)(c) legal obligation, as there are legal responsibilities you will be taking on in law. The legal basis we rely on to process any special category data you provide about yourself as part of being this category, such as health, religious or ethnic information, is usually article 9(2)(d) of the GDPR, as we are a not-for-profit membership organisation, and you must be, or have been, a member of the organisation to become this category of individual.
LSBSU Volunteers | We will process data about you to facilitate your membership of being an LSBSU Volunteer. We may also combine this with other data we have also collected about you, creating a single member profile. The legal basis we usually rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when it's necessary for the purposes of our legitimate interests. The legal basis we rely on to process any special category data you provide about yourself as part of being this category, such as health, religious or ethnic information, is usually article 9(2)(d) of the GDPR, as we are a not-for-profit membership organisation, and you must be, or have been, a member of the organisation to become this category of individual. For non-members, the legal basis we usually rely on to process any information you provide as part of your application which is special category data, such as health, religious or ethnic information, is consent, as defined in article 9(2)(a) of the GDPR.
Students' Union Advice Service Users | We will process data about you to facilitate your usage as an LSBSU Advice Service User. We may also combine this with other data we have also collected about you, creating a single member profile. For all types of Advice Service User, the legal basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when it's necessary for the purposes of our legitimate interests, an example of which would be communicating with you on a day to day basis.
External Trustees of the Union | As a registered charity with the Charity Commission for England and Wales, we have Trustees who constitute our governing body. The legal basis we usually rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when it's necessary for the purposes of our legitimate interests. For reporting information to regulatory bodies, the legal basis we usually rely on is 9(2)(c) Legal Obligation of the GDPR. The legal basis we usually rely on to process any information you provide as part of your application which is special category data, such as health, religious or ethnic information, is consent, as defined in article 9(2)(a) consent of the GDPR.
Event, Activity, Seminar or Workshop Attendee | The Students' Union operate a number of events and activities, where we need to collect personal information about you. If you are a member, the legal basis we rely on for processing your personal data is article 6(1)(f) Legitimate Interest of the GDPR. We sometimes collect "special category" data about you as part of registering attendance; this data includes information about dietary or access requirements, and the legal basis is usually article 9(2)(d) of the GDPR, as we are a not-for-profit membership organisation, and you are a member of the organisation. If you are not a member: The legal basis we rely on for processing your personal data is your consent under article 6(1)(a) of the GDPR. When we collect any information about dietary or access requirements we also need your consent (under article 9(2)(a)) as this type of information is classed as "special category" data.
Respondents to polls, surveys, research activity (collectively known as "Respondents") | We carry out polls, survey and research activity, to better understand LSBU Students and our membership to improve our understanding as to their collective views and opinions in order to offer better services for them. We carry out polls, survey and research activity, to better understand our staff to improve our understanding as to their collective views and opinions in order to offer better services as an employer. Occasionally, we carry out polls, survey and research activity, to better understand our staff to improve our understanding as to their collective views and opinions in order to increase our understanding of other people's views, usually to benchmark our own internal metrics against. The legal basis we rely on to process your personal data if you are a Member, LSBSU Student or Staff Member is article 6(1)(f) of the GDPR, which allows us to process personal data when it's necessary for the purposes of our legitimate interests. If you are not a Member, LSBSU Student or Staff Member, the legal basis we rely on for processing your personal data is your consent under article 6(1)(a) of the GDPR. Our work with Respondents sometimes requires us to collect Special Categories of data. When this data is collected from our members it is usually processed under article 9(2)(a) explicit consent and/or article 9(2)(d) legitimate activities as defined in the GDPR, as we are a not-for-profit membership organisation, and you are a member of the organisation.
Service Users | We process personal data of our Service Users in order to both offer and maintain a range of Services. If you are a member, the legal basis we rely on for processing your personal data is article 6(1)(f) Legitimate Interest of the GDPR and on occasion consent under article 6(1)(a) of the GDPR. We sometimes collect "special category" data about you as part of registering attendance; this data includes information about dietary or access requirements, and the legal basis is usually article 9(2)(d) of the GDPR, as we are a not-for-profit membership organisation, and you are a member of the organisation. If you are not a member: The legal basis we rely on for processing your personal data is your consent under article 6(1)(a) of the GDPR and on occasion article 6(1)(f) Legitimate Interest of the GDPR. When we collect any information about dietary or access requirements we also need your consent (under article 9(2)(a)) as this type of information is classed as "special category" data.
Sites Users - including all LSBSU websites, applications and other telecommunication (such as Bulk eMail) and digital services in connection with which this Privacy Policy is linked or posted (collectively and non-exhaustively, “Sites”) | We process personal data to offer a range of digital services to our users, across a variety of mediums, with a number of emerging technologies and third party technologies (data processors). We, like the rest of the internet, process HTTP/HTTPS headers, which include a broad range of data including personal data about you: information regarding IP Address, browser information, page location, document, referrer and person using the website. We do this to maintain and monitor the performance of our website and to constantly look to improve the site and the services it offers to our users; this is often called Site Analytics, and is carried out by us directly and on our behalf through third party processors. Our sites use web beacons on our Site and in email, which are used to monitor the behavior of the user visiting the Site or interacting with the email. They are often used in combination with cookies. We operate a range of Cookies on our site as described on our cookie page. The legal basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when it's necessary for the purposes of our legitimate interests, and on occasion consent under article 6(1)(a) of the GDPR.
Business Contacts | We hold the names and contact details of individuals acting in their capacity as representatives of their organisations/business, across LSBSU. If the interactions relate to suppliers, contracts, buildings management, IT services etc., the legal basis is article 6(1)(b) Contractual obligation (or looking to start one) of the GDPR. In other circumstances (i.e. communicating with LSBU Staff), article 6(1)(f) of the GDPR Legitimate Interest will be our legal basis, as we have a legitimate need to process your personal data to engage and work with you as a business contact, beyond the confines of a contractual obligation.
Purchaser/Customer of Goods and Services from LSBSU | London South Bank Students' Union sell goods and services to individuals and we process personal data in order to fulfill our contractual obligations to that individual. The legal basis for our processing in this instance is article 6(1)(b) Performance of a Contract under GDPR. We may also process this data under article 6(1)(f) legitimate interest, where we have a legitimate interest in processing outside of the confines of just fulfilling our contractual obligation.
Explanation of how profiling is done
London South Bank Students' Union does not make any automated decisions, including those based on profiling, that have a legal or similarly significant effect on you.
Our Cookie Policy
What are "cookies"?
Cookies are small text files that are placed on to your computer by websites that you visit. They are used to make websites work, to improve efficiency of websites, to improve the user’s experience and to provide usage information on websites. This information should make your website visits more productive by storing and using information on your website preferences and habits.
Your web browser can choose whether or not to accept cookies. Most web browser software is initially set up to accept them. Independent information about cookies, what they are, and how to manage them and your data can be found by visiting aboutcookies.org.
We store information about you using cookies (files which are sent by us to your computer or other access device) which we can access when you visit our site in future. We do this to distinguish you from other users of our website, and it is essential for you to use our site fully.
By continuing to browse the site, you are agreeing to our use of cookies.
We use the following cookies:
Strictly necessary cookies: these are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use of e-billing services. They are also used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
Analytical/performance cookies: they allow us to recognise and count the number of visitors and to see the pages you have visited and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose. Please note that third parties (including, for example, advertising networks and providers of external services like web traffic analysis services) may also use cookies, over which we have no control.
Marketing cookies: these are used to recognise you when you return to our website. This enables us to personalise our content for you i.e. greet you by name and remember your preferences. These cookies also record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website, the advertising displayed on it and communications sent more relevant to your interests.
How to stop the use of cookies
You can block cookies by activating the setting on your browser that allows you to refuse the setting of all, or some, cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.
A full list of our cookies and their use can be found on our cookies policy page here.
Seeing LSBSU Marketing online
You are a member of your Students' Union, or you are a key partner or an interested party in the Students' Union, and we want you to know what we're offering, so you get the most out of your membership with us, so we also engage in online advertising, to keep you aware of what we’re up to and to help you see and find our products.
We always provide a way to opt out of our bulk email communications, without affecting your membership and we will never sell your data to third parties.
Like many organisations, we target LSBSU banners and ads to you when you are on other websites (like Facebook) and apps. We may do this using a variety of digital marketing networks and ad exchanges, and we may use a range of advertising technologies like web beacons, pixels, ad tags, cookies, and mobile identifiers, as well as specific services offered by some sites and social networks, such as Facebook’s Custom Audience service.
The banners and ads you see will be based on information we hold about you, or your previous use of LSBSU Sites or Services (for example visiting LSBSU.org) or on LSBSU banners or ads, or links in our membership emails you have previously clicked on.
SMS/Text Message Announcements
London South Bank Students' Union operates a text messaging alert system, to give what we feel are key updates. But no matter how brilliant our text message is, some people just prefer not to receive them, and that’s OK. You can opt out effortlessly: we offer an opt-out blacklisting feature, and anyone who texts STOP to 84433 will be added to our ‘Blacklist’ and will no longer receive any messages.
- Any message starting with STOP to 84433
- Any message starting with a space and then STOP to 84433
- Any message starting with a non-character and then STOP (for instance .STOP) to 84433