Last updated 14th Nov 2020
The University of St Andrews Students’ Association (the Students’ Association) offers a range of services to students of the University of St Andrews, who are automatically members of the Students’ Association. We are here to make the student experience as strong as it can be, to provide services, and to represent student views to the University and beyond. We operate premises at St Mary’s Place, St Andrews, Fife KY16 9UZ. We are a registered charity, number SCO19883, regulated by the Office of the Scottish Charity Regulator (OSCR).
This policy explains:
- When and why we collect personal information, about our members and people who visit this website
- How we use any personal information collected
- The conditions under which we may disclose information to others
- How we keep information secure
The Students’ Association is a “data controller”. This means that we are responsible for deciding how we hold and use personal information. We are required by data protection legislation to notify you of the information contained in this privacy notice.
The Students’ Association is fully committed to handling personal information in accordance with data protection legislation, and information security best practices. This means that your information will be:
- Processed lawfully, fairly, and in a transparent manner
- Collected for specified, explicit, and legitimate purposes
- Only collected so far as required for our lawful purposes
- As accurate and up to date as possible
- Retained only for a reasonable period of time, in accordance with retention policies
- Processed in a manner which ensures an appropriate level of security
Whether through this notice or otherwise, we aim to make it clear why we process personal information, and the rights you have if we hold your information.
We will not take a photo of an individual or small group on Association premises without consent. Group shots will be taken at our discretion. Photos taken on Association premises may be used on our social media and for future publicity. However, if you would like a photo of yourself removed from any of our social media, please contact [email protected] and we will remove it as soon as possible. If you would like a photo removed from any printed publicity, please contact us and we will remove your image from any future print runs. Note that we may share photos with third parties, such as the University and media.
If you have any questions which are not covered in this notice, please email [email protected]. To help us deal with your query as quickly as possible, we recommend that you include the following in the email subject: "FAO Data Protection Lead". If you would prefer to submit your questions in writing, please write to us at University of St Andrews Students’ Association, St Mary’s Place, St Andrews, Fife, KY16 9UZ, addressing your letter to the Data Protection Lead.
You have a choice about whether or not you receive information from us. If you do not want to receive direct marketing communications about the services we offer, you can opt out at any time via yourunion.net/contactoptions.
We will not contact you for marketing purposes by email, phone, or text message unless you have given your prior consent. We will not contact you for marketing purposes by post if you have indicated that you do not wish to be contacted. You can change your marketing preferences at any time by emailing [email protected] or phoning 01334 462700.
How we collect personal information
As students at the University are automatically enrolled as members of the Students’ Association, we obtain information about our members directly from the University as part of the matriculation process.
We also obtain information when you use our website; for example, when you purchase goods or tickets through the website, when you contact us about events, room bookings, or commercial services, and if you register to receive our newsletter.
Like most organisations that handle personal information, we collect information in various ways:
- Email and written correspondence
- Telephone discussions
- Social media
- Application forms and other information requests
- Direct contact at the Students' Association and elsewhere
In nearly all instances, it should be obvious to you when we are collecting your data.
Personal information that we collect
The information most commonly collected is as follows:
- Date of birth
- Contact details, including home address, term time address, business addresses, personal email, University email, and telephone number
- Records of enquiries, meetings, and other direct engagement
- Copies of physical and electronic correspondence
- Images obtained from our CCTV system, for the purposes of crime detection and health and safety
- For visitors to our website, your IP address, and information regarding what pages are accessed and when
If you make a purchase through our website, your card information is not held by us; it is collected by a third party payment processor, who specialises in the secure online capture and processing of credit/debit card transactions, as explained below.
How we use personal information
We may use your information to:
- Keep membership details up to date
- Deal with entries into a competition
- Seek your feedback on the services we provide
- Notify you of changes to our services
- Process a room or event booking
- Carry out our obligations arising from any contracts entered into by you and us
- Send you communications which you have requested and that may be of interest to you, including information about events, campaigns, societies, appeals, and other fundraising activities or promotions of our services
We review our retention periods for personal information on a regular basis. We are legally required to hold some types of information to fulfil our statutory obligations; for example, the collection of Gift Aid.
We will hold your information on our systems for as long as is necessary for the relevant activity, such as membership or room bookings, or as long as is set out in any relevant contract you hold with us.
Basis for our processing
We will only process personal information where we believe we have a lawful basis to do so. The basis for processing will vary between activities. In some instances, processing may have more than one lawful basis.
The following summarises the basis on which we process personal information:
Necessary for us to meet our legitimate interests as a provider of certain services to our members. Examples of processing:
- General administration for maintaining our membership database
- Correspondence about the delivery of services we provide to members, guests, and visitors
- Providing members with relevant news and updates which may be of interest to them
Necessary for us to comply with legal obligations. Examples of processing:
- Complying with the requirements of OSCR
- Providing information to HMRC
- Providing information to law enforcement agencies
- Use of financial, personal, or sensitive information relevant to the delivery of services provided to our members, guests, and customers
Necessary for the performance of a contract with our staff members or suppliers. Examples of processing:
- Use of third party suppliers for processing data, such as images captured during our events and published on our website and social media
We do not sell or rent personal information to third parties, and we will not share your information with third parties for marketing purposes. However, in certain circumstances the processing activities set out above will require us to share personal information with third parties.
Whenever we share personal data, we take all reasonable steps to ensure it will be handled appropriately and securely by the third party.
When working with a third party, we will have a contract in place that requires them to keep your information secure and not to use it for their own direct marketing purposes. We disclose only the personal information that is necessary to deliver the service.
We will not release your information to third parties for them to use for their own direct marketing purposes, unless you have requested us to do so, or we are required to do so by law; for example, by a court order, or for the purposes of prevention of fraud or other crime.
When you are purchasing event tickets and merchandise via our website, your transaction is processed using an encrypted payment system which ensures that card data is processed securely. If you have questions regarding secure transactions, please contact [email protected].
The main third parties with whom we share personal information are as follows:
- Oversight regulators and statutory bodies, such as HMRC and OSCR
- Local authorities and health care agencies, such as the NHS
- Software providers which allow us to operate efficient digital processes, including Opayo (previously known as Sage Pay)
For practical reasons, this is an indicative, but not exhaustive list, and may be occasionally updated.
Retaining personal information
The period for which we retain personal information depends on the purpose for which the information was obtained. In general, we will retain information for so long as required by law, or as may be required for record keeping and legal claims purposes.
Storing personal information
Personal information is mostly processed by staff of the Students’ Association. To allow us to operate efficient digital processes, we need to store information in servers owned by the University, which are located in the UK. By submitting your personal data, you are agreeing to this transfer, storing, or processing. If we transfer your information outside of the EU in this way, we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this policy.
We use Opayo for our online payment processing. Opayo holds users' personal information on servers located in the United States of America (the US), which is recognised by the EU as an 'adequate' (i.e. safe) country to receive and process EU personal data, pursuant to European Commission Decision 2013/65/EU. For EU residents, this means that your information will be transferred to the US. Opayo has transfer mechanisms in place which satisfy the requirements relating to the transfer of data from the EU to the US.
By entering personal information into the services, you consent to that information being hosted on servers located in the US. While your information will be stored on servers located in the US, it will remain within Opayo’s effective control at all times. The role of each data hosting provider is limited to providing a hosting and storage service to Opayo, and Opayo has taken steps to ensure that its data hosting providers do not have access to, and use the necessary level of protection for, your personal information. They do not control, and are not permitted to access or use, your information, except for the limited purpose of storing the information.
To ensure that your information receives an adequate level of protection, we have put in place measures to ensure that information is treated by third parties in a way that is consistent with EU and UK laws on data protection. These include, for example, a binding data sharing agreement which includes data access, data security, and information sharing clauses. If you require further information about these protective measures, you can request it by emailing [email protected].
We may collect information about the computer or device which is used to access our website. This information is used to improve the user experience, and to help us better understand the ways in which our website is used. This information may include:
- IP address
- Type of device and operating system
- Type and version of browser
- Time zone setting
This is statistical data about browsing patterns. It is collected on an anonymous, aggregated basis, and does not identify individual users.
When you give us personal information, we take steps to ensure it is held securely. Any information submitted on our website is encrypted and protected. When you are on a secure page, a lock icon will appear in the URL bar of your web browser (such as Google Chrome), or the web address will start with https://
Non-sensitive details, such as your email address, are transmitted normally over the internet, and this can never be guaranteed to be 100% secure. As a result, while we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us, and you do so at your own risk. Once we receive your information, we make our best effort to ensure it is secure within our systems. Where you have set a password to enable you to access certain parts of our websites, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.
We may analyse the personal information you have submitted to create a profile of your interests and preferences, so that we can contact you with information relevant to you. We do not make use of additional information about you from external sources. In some circumstances we may use your information to detect and reduce fraud and credit risk.
Our website makes use of cookie files to distinguish you from other users of our site, providing you with a user experience tailored to your individual preferences. A small file will be stored on your device each time you visit our site.
We also use analytical cookie files. These allow us to recognise and count the number of visitors to our site, and to see how visitors move around our site when they are using it. This helps us to improve the way our site works; for example, by ensuring that users are quickly finding what they are looking for.
To see what cookies we use, check cookieserve.com.
You may refuse to accept cookie files when visiting our site. However, you may not get an optimal user experience, and may be unable to access certain parts of our site.
Our website and emails may contain links to other websites, such as the University or carefully selected commercial partners. We are not responsible for the content or practices of these other sites, and we recommend that you check their own privacy policies.
UK law gives certain rights to individuals whose information is being processed by a third party. The following is a quick summary of these rights:
Access to your information: You have the right to request a copy of the personal information about you that we hold
Correcting your information: We want to make sure that your personal information is accurate, complete, and up to date; you may ask us to correct any personal information about you that you believe does not meet these standards
Deletion of your information: You have the right to ask us to delete personal information about you where:
- You consider that we no longer require the information for the purposes for which it was obtained
- We are using that information with your consent and you have withdrawn your consent (see "withdrawing consent to using your information" below)
- You have validly objected to our use of your personal information (see "objecting to how we may use your information" below)
- Our use of your personal information is contrary to law or our other legal obligations
Objecting to how we may use your information: You have the right to require us to stop using your personal information for marketing or newsletter purposes. In addition, where we use your personal information to perform tasks carried out in the public interest, or in exercising official authority vested in us then, if you ask us to, we will stop using that personal information unless there are overriding legitimate grounds to continue.
Restricting how we may use your information: In some cases, you may ask us to restrict how we use your personal information. This right might apply, for example, where we are checking the accuracy of personal information about you that we hold, or assessing the validity of any objection you have made to our use of your information. The right might also apply if we no longer have a basis for using your information, but you don't want us to delete the data. Where this right is validly exercised, we may only use the relevant personal information with your consent, for legal claims, or where there are other public interest grounds to do so.
Withdrawing consent to using your information: Where we use your information with your consent, you may withdraw that consent at any time, and we will stop using your personal information for the purpose(s) for which consent was given.
Please contact [email protected] if you wish to exercise any of these rights.
While we seek to resolve directly all complaints about how we handle personal information, you also have the right to lodge a complaint with the Information Commissioner's Office, whose contact details are:
Information Commissioner's Office, Scotland
45 Melville Street
Telephone: 0303 123 1115
Email: [email protected]