University of Birmingham Dubai Students’ Association

Student Privacy Notice

1. Statement of Policy 

The Dubai Students’ Association (‘the DSA ’) is fully committed to compliance with the requirements of the Data Protection Act 2018 (DPA) and the EU General Data Protection Regulation (GDPR). 

The DSA will therefore follow procedures which aim to ensure that all members, elected leaders, employees, contractors, agents, consultants, volunteers and other partners of the DSA who have access to any personal data held by or on behalf of the DSA, are fully aware of and abide by their duties under the DPA and the GDPR. 

In order to operate efficiently, the DSA has to collect and use information about people to whom it delivers services and with whom it works. These may include members of the DSA, current, past and prospective employees, workers, consultants, volunteers, clients and customers, and suppliers.  In addition it may be required by law to collect and use information in order to comply with the requirements of central government. 

This personal information must be handled and dealt with properly, however it is collected, recorded and used, and whether it be on paper, in computer records or recorded by any other means, and there are safeguards within the Act to ensure this. 

The DSA regards the lawful and correct treatment of personal information as very important to its successful operations and to maintaining confidence between the DSA and those with whom it carries out business. The DSA will ensure that it treats personal information lawfully and correctly. 

To this end the DSA fully endorses and adheres to the principles of Data Protection as set out in the DPA. 

The Principles of Data Protection 

• The DPA states that data must be processed in accordance with six ‘Data Protection Principles.’ Data will: 

• be processed fairly, lawfully and transparently;
• be collected and processed only for specified, explicit and legitimate purposes;
• be adequate, relevant and limited to what is necessary for the purposes for which it is processed;
• be accurate and kept up to date. Any inaccurate data must be deleted or rectified without delay;
• not be kept for longer than is necessary for the purposes for which it is processed; and
• be processed securely. 

We are accountable for these principles and must be able to show that we are compliant.

The DPA makes a distinction between personal data and “special” personal data.

 ‘Personal data’ means information which relates to a living person who can be identified from that data (a ‘data subject’) on its own, or when taken together with other information which is likely to come into our possession. It includes any expression of opinion about the person and an indication of the intentions of us or others, in respect of that person. It does not include anonymised data. 

• ‘Special categories of personal data’ are types of personal data consisting of information as to: 

• your racial or ethnic origin;
• your political opinions;
• your religious or philosophical beliefs;
• your trade union membership;
• your genetic or biometric data;
• your health; or
• your sex life and sexual orientation. 

The DPA is about processing personal data. ‘Processing’ means any operation which is performed on personal data such as: 

• collection, recording, organisation, structuring or storage; 
• adaption or alteration; 
• retrieval, consultation or use;
• disclosure by transmission, dissemination, sharing or otherwise making available;
• alignment or combination; and
• restriction, destruction or erasure. 

Handling of Personal/Special Information 

The DSA will, through appropriate management and the use of strict criteria and controls, comply fully with the Data Protection Principles in processing all personal and special information. 

Individuals will have the rights: 

• to be informed that processing is being undertaken;
• to access their personal information within 30 days;
• to prevent processing or erase information in certain circumstances; and
• to correct or rectify information regarded as wrong information.

 Lawful Bases for Processing Personal Data 

If we process your personal data, we must have one of the following “lawful bases” for processing: 

• Your consent;
• Processing is necessary for the performance of a contract with you or to take steps to enter into a contract;
• Processing is necessary for compliance with a legal obligation;
• Processing is necessary to protect your vital interests or those of another person;
• Processing is necessary in the public interest or in the Data Controller’s official authority; or
• Processing is necessary because it is in our legitimate interests, or those of a third party, unless these interests are overridden by yours. 

Lawful Bases for Processing Special Data 

We are also required by law to tell you if we want to process your special personal data (see list above), and we need to have one of the following lawful bases for processing special data: 

• Your explicit consent, unless reliance on consent is prohibited by EU or Member State law;
• Processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement;
• Processing is necessary to protect your vital interests or those of another individual if you are physically or legally incapable of giving consent;
• Processing is carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent;
• Processing relates to personal data which you have manifestly made public;
• Processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity;
• Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional;
• Processing is necessary for reasons of substantial public interest on the basis of EU or Member State law which is proportionate and contains appropriate safeguards;
• Processing is necessary for the public interest in the area of public health; and

Processing is necessary for archiving in the public interest, or scientific and historical research purposes or statistical purposes.

2. How the DSA uses your personal information

The DSA processes personal information to enable us to provide a range of services to members (students) at the University of Birmingham (UoB) which may include: administering membership records; providing and organising activities for members; promoting services; maintaining accounts and records; and supporting and managing our employees and volunteers.

This privacy notice explains how and when Guild processes personal information. It applies to information we collect and process about:

• Members (students)
• Enquirers, complainants
• Volunteers
• Trustees
• Survey respondents
• Suppliers and service providers 

3. Who will my personal information & data be shared with?

We sometimes need to share the personal information we process with the individual themselves and also with other organisations. Where this is necessary we will always comply with all aspects of the DPA and where necessary we will ask for your consent. What follows is a description of the types of organisations we may need to share some of the personal information we process with for one or more reasons.

We may share information with:

• Current, past or prospective employers
• UoB
• Suppliers and service providers
• Employment and recruitment agencies
• Family, associates and representatives of the person whose personal data we are processing
• Educators and examining bodies
• Financial organisations
• Survey or research organisations
• Business associates and professional advisors
• Other voluntary and charitable organisations
• Healthcare, social and welfare organisations
• Pension providers
• Law enforcement officials
• Credit reference agencies
• Debt collection agencies
• Trade union and employer associations
• Professional bodies
• Data processors
• Central government 

4. Types of personal information collected by the Guild 

If you are a student at the UoB, when you register as a student (on completion of the University Registration process which includes giving data processing consent including sharing data with the DSA), you will automatically become a member of the DSA. You can view the Code of Practice pursuant to the requirements of the Education Act 1994 for more information about the University’s relationship with the DSA. The University then provides the DSA with your name, gender, date of birth, nationality, residency for fees (home/EU or overseas), student ID number, term-time addresses, home addresses, programme title and whether undergraduate or postgraduate, mode of study (full-time, part-time, distance learning etc), School, year, University email contact details and whether you have dependents.

When you register with the University, the personal information above is automatically shared with the DSA and your data is registered with the DSA. The DSA will use this information to contact you and so that you can participate in a range of activities as a member of the DSA including, for example, voting in elections.

The DSA would also like to use your personal data to send you information about activities and events that may be of interest to you. The DSA will contact you separately to ask for your consent in relation to this and to enable you to update your communication preferences.

If you do not wish to be a member of the DSA, you should contact the Student Experience & Wellbeing Team via (dubaiexperience@contacts.bham.ac.uk), in which case your data will be removed and you will cease to be a member of the DSA. This means that you will no longer be able to participate in activities associated with your membership such as those outlined above.

Your details will be held by the DSA in its membership database/data management system, unless you have opted out of DSA membership (via the process outlined above). The details held are the details provided to the UoB within the registration process.

The DSA cannot be held responsible for any inaccurate personal details provided to the UoB. Please let UoB and the DSA know if your personal details change and these will be updated within our systems.

As you then interact and take part in activities associated with your membership with the DSA, for example, by voting in elections and a record of your activity is held within the membership management database uobdubaistudentsassociation.com).

Some DSA services and activities collect personal information about you in other ways and require your consent to do so, and these are also outlined within this privacy notice.

The DSA may need to process some special data about you.  We will generally ask you for consent to do this unless the law allows us to process this data without your consent, (for example if the processing is necessary to protect your vital interests and you are incapable of giving consent, or if the processing is necessary for us to defend a legal claim).

Your personal data is created, stored and transmitted securely in a variety of paper and electronic formats, including databases. Only those DSA and Student Experience and Wellbeing staff who need access for the purpose of delivering the relevant services will be able to access your personal data.  Our use of your personal data will not be excessive.

5. How does the DSA use your personal information? 

a.com

uobdubaistudentsassociation.com also acts as a data management system to allow students (members) to participate in a range of activities associated with your DSA membership – such as voting in elections.

Our Privacy Statement sets out the information practices for the DSA  website (uobdubaistudentsassociation.com) including the type of information gathered, how the information is used, and our policy regarding sharing information with others/organisations.

By usinguobdubaistudentsassociation.com, you agree to these information practices as set out in the Privacy Statement. A copy of the Cookie Policy for uobdubaistudentsassociation.com can be found here.

We gather both Personal Information and Anonymous Information from you when you visit uobdubaistudentsassociation.com. "Personal Information" means any information that may be used to identify you as an individual, and includes, from the personal information above: name (first and last); email address, and address. "Anonymous Information" means information that is not associated with or linked to your Personal Information; and does not permit or allow the identification of individual persons.

If you are not a UoB student, or if you are a UoB student but have not completed the University Registration process or have chosen not to join the DSA, then if you purchase goods and services from us we shall process your personal information on the basis of the contract that you form with us through such purchase, rather than your consent to data processing.

The DSA, via the site, collects Personal Information and Anonymous Information, as described below.

• Personal Information (collected fromuobdubaistudentsassociation.com)

Personal Information is collected whilst using the site from you at the following points:

• If you are not a UoB student and register to the Site as a ‘guest’ to purchase goods or services, we will record your contact information, username and password.
• If you are a registered student at the UoB, you will use your University log credentials to access the site. Your password is not stored on the site or by the DSA in any form.
• If you make any purchases through the Site, the site will record your billing address,
  • However, it will not record your payment card details. This information is collected through Sage Pay, our online payment provider. No card payment details are stored through or on the Site directly. 

• Information (collected automatically viacom)

As you navigate the site, certain information will be collected automatically. This data helps us to improve the content of the Site and to customise the content or layout of the Site for you.

A cookie is an element of data that a website sends to your computer's hard drive while you are viewing a website. The DSA uses session cookies (which expire once you close your web browser). You can set your browser to notify you when you receive a cookie, giving you the chance to decide whether to accept it. You can also set your browser to turn off cookies. If you do so, however, some areas of the site may not function properly. For further information on our use of cookies please see our Cookie Policy.

• How else we might use your personal information (via uobdubaistudentsassociation.com)

We collect personal information from you in order to fulfil your requests. For example, we may use your personal information to process an online purchase or interact with a service or feature on the site. We may also use your personal information to send you information that you requested, or to confirm registrations, purchases, or to respond to your feedback.

We may use your email address to notify you of products or services that may interest you, such as events or activities - subject to your communications opt-in preferences. In addition, we may notify you of recent updates to the site, or to provide you with latest news on the DSA.

• Anonymous records

We may create Anonymous Information records from uobdubaistudentsassociation.com activity and personal Information by excluding information (such as your name) that makes the information personally identifiable to you. We use this anonymous information to perform statistical analyses of users' aggregated behaviour so that we may enhance the content of our services and improve site navigation.

• Internet traffic/monitoring

When someone visitsuobdubaistudentsassociation.com, we collect standard internet log information and details of visitor behaviour patterns. We do this to measure data such as the number of visitors to the various parts of our Site. We collect this information in a way which does not identify anyone. We do not make any attempt to find out the identities of those visiting our website. We also use Google analytics, which provides anonymous information such as the type of device you are using to access the site, and other information such as age range and interests, which Google collects from your internet activity. We use this information to improve the user experience, and to gather general statistics about the users of our services (not user specific).

• Disclosure of Personal Information (from uobdubaistudentsassociation.com)

Your Personal Information will not be sold, traded, or rented to individuals or other entities. However, we may need to share your Personal Information with third parties to charge your credit card or deliver specific services to you such as support services. These third parties are required not to use your Personal Information other than to provide the services requested by the DSA.

We may disclose your Personal Information if we believe in good faith that such disclosure is necessary to:

• comply with any relevant legal obligations or;
• protect and defend the rights or property of the DSA or users of the site; 

but only where this complies with the six Data Protection Principles and the rules of the DPA. 

• Other Websites

Uobdubaistudentsassociation.com contains links to other websites. We are not responsible for the content, accuracy or opinions expressed in such websites, and such websites are not investigated, monitored or checked for accuracy or completeness by the DSA.

Inclusion of any linked website on or through uobdubaistudentsassociation.com or other DSA services does not imply approval or endorsement of the linked website by us. If you decide to leave the DSA website and access these third-party websites, you do so at your own risk.

•  Support Services

The DSA delivers a number of support services (e.g. Advice) where your consent or if you have one, then your contract with us or the UoB, is the lawful basis for the DSA to process your personal data. A summary of how each of these services use and process your personal data is provided below. Further details and information is available from the services directly. 

ii. Advice

When you visit, contact or access services provided by DSA Advice, you will be asked to provide consent so that DSA Advice can collect and process your personal and special data in order to provide advice and deliver support services to you. This information will also be used to inform anonymous statistical information for analysis and used to improve the DSA Advice service to students.

In order to provide you with the most comprehensive service and ensure all possible enquiries have been made in order to advise and support you with your case, DSA Advice may request your further consent to share your personal information and information related to your enquiry or case with a third party or parties. For example, it may be relevant to your case that DSA Advice contact a UoB support service or department or an external service or organisation on your behalf to provide you with additional advice, guidance and support. Only on receipt of your express written consent will DSA Advice act on your behalf and discuss any matters related to you or your case with a third party.

Upon receiving your written consent, DSA Advice will record and process your personal (and in some cases special) data in accordance with your consent. All personal data and subsequent enquiry or case notes are recorded in hard copy and then uploaded on to our ‘Advice Pro’, case management software. Any supporting evidence you provide will also be scanned and uploaded on to Advice Pro. Following your initial interaction with DSA Advice, every subsequent interaction will be recorded on to the Advice Pro case management software. Your data is generally only accessible by staff members within DSA Advice.

On the rare occasion that a student visiting DSA Advice is unable to provide consent, action may be taken to protect vital interests.

You have the right to withdraw your consent to share your data at any point. Please contact your appointed Advisor or the Advice Manager for further information.

c. Communications & Marketing

The DSA will only send you information directly to your UoB email address that is deemed relevant to your membership of the DSA. When first contacted by the DSA (following completion of UoB online registration) you are able to update your communication preferences – which includes additional information you would like to receive about wider events and activities which may be of interest to you – and thereby provide consent to be contacted with relevant promotions, offers or information that you have expressed an interest in (in addition to information directly linked to your membership of the DSA)..

If at any point you do not wish to receive further updates and wish to opt out go to guildofstudents.com/profile/ or if you are logged in, go to the ‘Profile’ icon within the left hand menu and modify your preferences or contact details. 

• Opt-out

You may opt-out from receiving promotional or marketing emails by notifying us at the address specified at the bottom of any unwanted email. Emails may be sent to you from the DSA or from its societies, clubs or other student groups affiliated to the DSA (if you have joined a group and are therefore a member of that group). If you unsubscribe from a DSA email, you may still receive emails from these affiliated groups and vice versa.

In some cases the opt-out facility is not available unless you have opted out of DSA membership completely. These instances include: transactional or relationship messages, such as those that are necessary to provide you with confirmation of a completed transaction (such as a purchase, request, or change in your user profile atuobdubaistudentsassociation.com); emails providing notification of changes of terms of service; or those providing information related to your membership such as notice for General meetings, elections, or referenda. 

d. Undertaking Research

Sometimes we may commission a specialist company or consultants to carry out research to help us improve our services to you. In this case we may share your personal data so that the company or consultants can contact you to ask if you wish to take part. If you do not, then your details are deleted from their database. Your personal data is not used by them for any other purpose. We enter into data processor agreements with our data sharing partners (data processors) to make sure that they comply with their data protection obligations to us and to you. 

e. Award Schemes

We may also use your personal data to nominate, enrol or enter you in any relevant competitions or award schemes and publicise your name in such scheme. You will always be informed of your nomination or entry and have the right to withdraw and have your name removed from publication. 

6. How long will we keep your personal information for (data retention)?

Where possible we will only keep your information for the period of your membership of the DSA and will then delete it. 

1. Membership data/personal information

Membership data/personal information held within the DSA’sdata management system (uobdubaistudentsassociation.com) will be held for 8 years from the leaving date of the student. 

1. Support Service user data/personal information

Support Service user data will be retained for 6 years from the last time the service was used/accessed or contract ended so that we can deal with any complaints or claims raised. 

1. Volunteer & Trustee data information

Personal data on volunteers will be retained for 3 years from when the individual stops volunteering for the DSA . Information on Trustees and Directors will be retained for the life of the company, as required by Companies House and Charity Commission records.

7. How do we protect your personal information (data security)?

We safeguard the personal information you send to us with certain physical, electronic, and managerial procedures within the DSA and within our systems. The DSA’s central IT infrastructure is managed by the UoB, and subject to related policies and procedures.

We also store your personal information behind our firewall and utilise appropriate security measures in our physical facilities to prevent loss or unauthorised use of special information. We limit access to personal information in electronic databases to those persons, including DSA employees, in our organisation who have a need for such access.

While we make every effort to protect your personal information when it is in our care, we urge you also to take every precaution to protect your personal information when you are online. We suggest that you change your passwords often, use ‘strong’ passwords that include a combination of letters and numbers, and use a secure browser.

For any students who are committee members, or issued with a Guild email address, you will be subject to the DSA’s Data Security Policy and regularly required to update your password.

Products and services are available which can help give you privacy protection while navigating the internet. While we do not anticipate breaches in security, if one occurs, we will use all reasonable efforts to correct the problems that led to the breach and we will report it to the Information Commissioner as required under data protection law, and those directly affected.

We do not send your personal data outside the European Economic Area. If this changes you will be notified of this and the protections which are in place to protect the security of your data will be explained. 

8. Your rights - access to personal information & subject access requests

You have the right to request:

• Access to the personal data we hold about you, free of charge in the majority of cases.
• The correction of your personal data when incorrect, out of date or incomplete.
• That we erase your personal data where we were not allowed to process it or it is no longer necessary to process it for the purpose for which it was collected or once the purpose for which we hold the data has come to an end (such as the end of our student data retention period).
• That we stop data processing where we are relying on a legitimate interest and you think that your rights and interests outweigh our own and you wish us to stop.
• For example, when you withdraw consent, or object and we have no legitimate overriding interest, or
• That we stop using your personal data for direct marketing (for example, via email).
• While you are requesting that your personal data is corrected or erased or are contesting the lawfulness of our processing, you can apply for its use to be restricted while the application is made.
• That we stop any consent-based processing of your personal data after you withdraw that consent. 

You have the right to request a copy of any information about you that the Guild holds at any time, and also to have that information corrected if it is inaccurate.

If we do hold information about you we will:

• give you a description of it;
• tell you why we are holding it;
• tell you who it could be disclosed to; and
• let you have a copy of the information in an intelligible form.

This information will be provided to you within one month.

To ask for your information and make a subject access request, please contact:

Data Protection Officer, University of Birmingham Guild of Students, Edgbaston Park Road, Edgbaston, Birmingham, B15 2TU;

Or email: dpo@guild.bham.ac.uk.

To ask for your information to be amended, please update your online account via guildofstudents.com, or email: dpo@guild.bham.ac.uk

If there is a circumstance where we choose not to or are unable to action your request we will explain to you the reasons for our refusal.

Your right to withdraw consent:

Whenever you have given us your consent to use your personal data, you have the right to change your mind at any time and withdraw that consent.

You have the right to stop the use of your personal data for direct marketing activity through all channels. We will always comply with your request. 

9. About this Notice

For clarity, this Privacy Notice does not provide exhaustive detail of all aspects of the Dubai Students’ Association collection and use of personal information. However, we are happy to provide any additional information or explanation needed. 

10. Further Information & Complaints

We are committed to dealing with your data lawfully.

If you have a query, question, would like to speak to our Data Protection Officer, or if you have any questions or complaints about how we handle your personal data please contact: complaints@guild.bham.ac.uk.

You also have the right to complain to the Information Commissioner if you think there is a problem with how we handle your data. For further guidance on matters relating to Data Protection and Privacy, please refer to Information Commissioner’s Office by calling 0303 123 1113 or online via www.ico.org.uk/concerns.