The privacy and security of your personal information is extremely important to us. This privacy policy explains how and why we use your personal data, to make sure you stay informed and can be confident about giving us your information. Your personal data is in safe hands with NUS.
Privacy Principles
NUS takes your privacy seriously. The following principles underpin our approach to respecting your privacy:
A few quick notes:
This privacy policy explains what data we collect as well as how and why we use your personal data.
The policy applies to you if you’re a member/supporter of NUS (whether that’s as a member, student, volunteer, Friend of NUS or member of the press), if you are an organisation, we have a working relationship with (e.g. supplier), if you visit our websites or email, call or write to us. In certain circumstances we may also provide an extra privacy notice, which will always refer to this page.
We will never sell your personal data. We will only share it with organisations we work with who meet our high privacy standards.
Index:
What personal data do we collect?
Where your personal data may be processed
Disclosing and sharing information
When we use Legitimate Interest
Changes to this Privacy Policy
In this policy, whenever you see the words ‘we’ it refers to either The National Union of Students (United Kingdom), Company number 08015198 and/or NUS Students’ Union Charitable Service , known as NUS Charity throughout this document, Company Number 07509468 and/or NUS Services, Company Number 01639519.
Our registered office address is Ian King House, Snape Road, Macclesfield, SK10 2NZ.
We operate the following sites:
https://www.nusconnect.org.uk/
https://www.nus-scotland.org.uk/
https://unionstreatkitchen.co.uk/
https://www.learnervoiceframework.org.uk/
https://sulearn.talentlms.com/
https://www.whatstudentsthink.org.uk/
If you have any questions relating to this privacy policy or how we use your personal data, please send them to dpo@nus.org.uk or post them to the Data Protection Officer, NUS Charitable Services, Snape Road, Macclesfield SK10 2NZ.
What personal data do we collect?
We will collect and use your personal data (this means any information which identifies you, or which can be identified as relating to you personally, such as:
We will only collect the personal data we need and we will make it clear at the point of collection why we are collecting it.
Most of the personal information we process is provided to us directly by you for the following reasons:
We also collect information on your website usage through cookies, if your browser accepts them. Some of our websites feature tracking software – this means that if you're a logged-in user, have filled an online form or have previously clicked a link in one of our emails, we may link your website usage information (such as pages visited, IP address, browser and device used) to other information we hold about you, such as your name and organisation. Full information can be found in our cookie policy.
From time to time and only where appropriate, we may provide anonymous aggregate statistical information about our services, competitions, clients, traffic patterns and other site information to third parties, but these statistics will not include any information that could identify you personally.
On our website search terms are captured anonymously for analysis purposes.
If you are a volunteer, we may collect extra information about you (such as references, criminal records checks, details of emergency contacts or medical conditions). We will keep this information for legal or contractual reasons, to protect us (including in the event of an insurance or legal claim) and for safeguarding purposes.
Some of our offices have Closed Circuit Television (CCTV) and you may be recorded when you visit them. CCTV is used to provide security and protect both our staff members and visitors. CCTV will only be viewed when necessary (for example, to detect or prevent crime) and footage is stored for a set period of time, after which it is recorded over. NUS UK and NUS Charity complies with the Information Commissioner’s Office CCTV Code of Practice and we put up notices so you know when CCTV is used.
We will use your personal data for the purpose or purposes outlined at the time you gave it to us and examples are:-
a. To administer your membership record and our relationship with you as a member, and to provide you with information about NUS activities and for other related purposes
b. As part of your NUS Charity membership you have associate membership of NCVO or their sister organisations. We will share the details of the Primary Contact at a student union with NCVO and you will be informed of this on an annual basis. In most cases this is the CEO or General Manager. The primary Contact can opt out of this at any point. Please email dpo@nus.org.uk
c. To contact you regarding campaigns which may be of interest to you, provided you have given us consent to do so or you are a member of NUS and the communication is relevant or related to that prior request and made within any timeframes established by applicable laws.
d. Suggest other campaigns (including those of relevant third parties) which we think may be of interest to you
e. Showing public support for an issue (if you asked to be anonymised you will not be named in any petition published).
f. Develop the design and layout of the website to ensure that it is as useful and enjoyable as possible (use of cookies).
g. To enable our fulfilment partner to provide badges to those who have joined the NUS Supporters Circle
As an organisation that archives information for public records, we take privacy seriously. We only collect and process the personal data necessary for our archiving purposes, in accordance with data protection laws.
The personal data we collect may include names, correspondence, documents, photographs, and other materials that become part of the public record. We implement appropriate security measures to protect personal data and only retain data for as long as required by public records legislation.
Archived personal data may be processed for research purposes in the public interest, adhering to ethical codes of conduct. We will not process personal data in any way incompatible with the original archiving purpose, unless we have obtained explicit consent or the processing is otherwise allowed by law.
We may also need to provide your personal data if we are asked by the police, or any other regulatory or government authority in relation to safeguarding.
How we secure your data
We want to keep our supporters, volunteers and members safe, so the security of your data and of our information systems is incredibly important to us. When you entrust your personal information to us, we take care of it as if it were our own. We spend a lot of time, money and resources on ensuring that the personal details you entrust to us are protected from loss, misuse and abuse.
External threats to our data security are changing all the time, so we have a robust process for assessing, managing and protecting all of our new and existing systems to ensure they are up to date and secure.
Our staff complete mandatory information security and data protection training when they start with us and every year afterwards, to reinforce their responsibilities and requirements and ensure they understand and comply with their obligations under the Data Protection Act 2018 and UK GDPR. We carefully control who has access to your information and ensure that it is only used in the way you would expect.
When you trust us with your data we will keep your information secure to maintain your confidentiality.
Where your personal data may be processed
Whenever we transfer personal data out of the EEA or the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
We will only transfer personal data to countries that have been deemed to provide an adequate level of protection for personal data by the ICO. For further details, see ICO A guide to international transfers
Where we use certain service providers, we may use specific contracts approved by the ICO which give personal data the same protection it has in UK.
Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the UK and the US.
We also take regular encrypted backups.
At NUS we strive to deliver outstanding events and delegate experience is at the forefront of our events.
We value your attendance and want to be transparent about how we treat your personal information
Personal information we collect through online registration
When you register online to attend one of our events we may collect the following personal information: name, position, union name, union address, email address, contact telephone number, date of birth, gender, any dietary requirements, any access requirements including any medical conditions, enabler details, and if childcare is required. We also collect an emergency contact name and telephone number.
The information is collected to process your registration, communicate with you about your attendance and to make sure your individual requirements are accommodated so you can participate fully in the event.
Once your online registration is complete, you as the delegate, or your union representative, have access to this data to update/change where applicable.
Personal information we archive after an event
Within 3 months of the event taking place, your name and union will be archived together with the name of the event, date of event and location. This information is kept on NUS approved storage systems within the NUS security network. All other information we have collected will be deleted. Our lawful basis for this process is legal obligation. This information will be stored indefinitely in line with safeguarding regulations and will only be accessible to Police upon the receipt of the correct paperwork.
Information obtained during safeguarding incidents at events
If delegates are involved in any safeguarding incidents at events we will collect the following information: name, position, union name, home address, contact telephone number, date of birth, record of incident. If the incident is investigated internally the report will also include the outcome of the investigation. The information will be collected on a Safeguarding incident reporting form. This form will be scanned and then confidentially destroyed. The information will be stored indefinitely in line with safeguarding regulations and will only be accessible to the Police upon the receipt of the correct paperwork.
Information obtained during complaint incidents at or relating to events
If delegates are involved in any complaint incidents at or relating to events – either as the complainant or respondent - we may collect the following information: name, position, union name and contact name/email, contact email, contact telephone number, record of incident.
Once the incident is investigated internally, we may share an outcome email, report or update with the complainant and respondent. In line with the NUS Code of Conduct, we will share information about the nature of any complaint incident with the home union. Information on Code of Conduct cases will be held on NUS’ secure electronic files for 18 months after the date of the complaint. After this date, the record will be destroyed. Our legal basis for processing and sharing this data is that it is in our legitimate interests and those of our member Students’ Unions to ensure that event delegates comply with our standards of behaviour and uphold our policies. It is in our legitimate interests to ensure that complaints are handled appropriately.
Disclosing and Sharing information
We do not sell or share your personal information for other organisations to use unless outlined in point 3b and 3g above. However, in general we may disclose your personal information to selected third parties in order to achieve the purposes set out in this Policy. Non-exhaustively, those parties may include suppliers and sub-contractors for the performance of any contract we enter into with them, for example IT service providers such as cloud storage providers or mailing houses.
The data collected from petitions will only be shared or disclosed to show public support for an issue.
We will only use and store your information for as long as it is required for the purposes it was collected for. How long it will be stored for depends on the information in question, what it is being used for and, sometimes, statutory legal requirements.
Individuals have certain rights over their personal data and data controllers are responsible for fulfilling these rights. Where we decide how and why personal data is processed, we are a data controller and have provided further information about the rights that individuals have and how to exercise them below:
Right of Access – you have a right to ask us for copies of your personal data held by us. This right may be exercised by emailing us at dpo@nus.org.uk or writing to us at DPO, NUS Students’ Union Charitable Services, Snape Road, Macclesfield SK10 2NZ. We will aim to respond to any requests for information promptly and within the legally required time limit (30 days). This timeframe may be extended by up to two months if your request is particularly complex.
Amendment of Personal data – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. The update or amendment of your personal data will take place within 30 days of receipt of your request.
Right to Restriction of Processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.
Your right to object to processing – You have the right to object to the processing of your personal information in certain circumstances.
Your right to erasure – You have the right to ask us to erase your personal information.
Your data will be deleted:
You are not required to pay any charge for exercising your rights. If you make a request we have 30 days to respond to you.
When we use legitimate Interest
Under data protection legislation we are only permitted to use your personal information if we have a legal basis for doing so as set out in the data protection legislation.
The legal basis that permits us to use your information depends on the basis that we are using that information for. We rely on the following legal bases to use your information:
• Where we need information to perform the contract we have entered with you.
• Where we need to comply with a legal obligation.
• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
In more limited circumstances we may also rely on the following legal bases:
• Where we need to protect your interests (or someone else's interests).
• Where it is needed in the public interest or for official purposes.
Some information is classified as "special" data under data protection legislation. This includes information relating to health, racial or ethnic origin, religious beliefs or political opinions, sexual orientation and trade union membership. This information is more sensitive and we need to have further justifications for collecting, storing and using this type of personal information. There are also additional restrictions on the circumstances in which we are permitted to collect and use criminal conviction data.
We may process special categories of personal information and criminal conviction information in the following circumstances:
• In limited circumstances with your explicit consent, in which case we will explain the purpose for which the information will be used at the point where we ask for your consent.
• We will use information about your physical and mental health or disability status to comply with our legal obligations, including to ensure your health, safety and wellbeing at our events.
The legal basis that permits us to use your information is consent.
What to do if you are not happy?
If you have any concerns about our use of your personal information, you can make a complaint to us at dpo@nus.org.uk
You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s address is:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO Website: https://www.ico.org.uk
Changes to this Privacy Policy
We keep our privacy policy under regular review, and we will place any updates on this web page. This privacy policy was last updated on 11 September 2023.