
Each University student club and society is responsible for its own compliance with data protection legislation insofar as the personal data it holds and uses is outside the control and responsibility of the University.

Data protection legislation sets out rules and standards for the use and handling ('processing') of information ('personal data') about living identifiable individuals ('data subjects') by organisations ('data controllers'). From 25 May 2018, the main piece of relevant legislation is the General Data Protection Regulation (GDPR).

The guidance below aims to help University of Cambridge student clubs and societies meet their core obligations under data protection legislation. The University does not need, and is not able, to review and/or approve the arrangements in place at each individual club or society.

 

Registration with, and payment of fees to, the Information Commissioner’s Office (ICO)

Under the Data Protection Act 1998, data controllers need to register with the ICO, the UK’s data protection regulator. However, most student societies will be exempt from this requirement because they are small not-for-profit organisations. The exemption from the registration system does not mean that student societies are exempt from compliance with the rest of the DPA 1998.

Under the GDPR, the registration system ceases and is replaced by one where data controllers simply need to pay fees to the ICO.  Those data controllers that were exempt from registration under the DPA 1998 are similarly exempt from the requirement to pay fees under the GDPR.  The exemption from the requirement to pay fees does not mean that student societies are exempt from compliance with the rest of the GDPR.

 

Data protection responsibilities

In short, student societies need:

  • To ensure that they handle personal data about their members (and any other people) in line with the data protection principles.

  • To be able to recognise and respond to requests from members and others exercising their individual rights under the GDPR.

In practice, the following are the main things that a student society needs to put in place.  Unlike larger organisations using personal data in more complex ways, most student societies will not need to worry about many of the additional accountability requirements under the GDPR, such as the need for policies, Data Protection Impact Assessments, personal data registers or Data Protection Officers.  The term ‘you’ is used below to refer to the Officers responsible for the administration of any particular society.

 

Personal data audit

In order to manage personal data effectively, you will need to think through:

  • What personal data you hold – you should not collect or keep more than you need.

  • Why you hold personal data – this is likely to be membership administration for all student societies, but may also extend to marketing and/or fundraising for some larger societies.

  • How you use personal data – you should keep it accurate and you should not keep it for longer than you need.

  • Where you store personal data – you should hold it securely, with access limited to those who need to see it (e.g. by password-protecting membership lists, including when sharing them by email, and sending the password by a separate route rather than in the same message). Password protection does not remove the need to share the list only with those who need it.

  • When you might share personal data with third parties (i.e. any individual or organisation external to the society) – there are certain rules about how you can share personal data lawfully.

 

Privacy notice – telling your members how their personal data will be used

You will need to produce a privacy notice and issue/communicate this to your members.  You should provide this to new members at the point at which they join the society and otherwise you should make it readily available (e.g. in your handbook or on your website).  The privacy notice must include a range of statutory information but, most importantly, it should inform your members how you will use their personal data.  It is then equally important that you follow what you have said – if you later want to use their personal data for something else or in a different way, you should contact your members again to inform them about the new/changed use.

A template privacy notice has been prepared for use by Cambridge student societies. All areas highlighted in yellow in the attached template will need to be adapted/completed by you depending on the facts.

The template privacy notice refers to your ‘legal basis’ for processing personal data.  While there are a number of these legal bases, it is most likely that you will either rely on consent from your members (which must be proactively provided through an ‘opt-in’ mechanism, e.g. at the point of joining), or otherwise that it is in your ‘legitimate interests’ to process the data in the way you describe.  You will need to determine the most appropriate legal basis for yourself.  If you want to send emails to your members which might constitute marketing or advertising, it is best to rely on consent in order to comply with separate electronic marketing legislation.

 

Data sharing

You should not publish or share the contact details of your members with third parties unless it has been clearly outlined to members in the privacy notice that you will do this.

Where you share personal data with a third party that handles the society’s personal data on your behalf – such as a company that manages your tickets sales, mailings or cloud storage – you need to have a written agreement (e.g. a contract or a terms of service document) that outlines clearly the responsibilities of that company in handling personal data for you.  The information that needs to be contained in this agreement is quite detailed.  The ICO website provides a checklist to help.

If your society works with people or organisations overseas, personal data should not be transferred outside of the European Economic Area without your members’ explicit consent.  This includes storing it with a cloud storage, mailing-list or ticketing service hosted outside the EEA.  (There are other lawful ways of transferring data abroad, but this is the most straightforward way for a society to do this.)

 

Recognising rights requests

You need to be aware of people’s rights under data protection legislation.  People have a right to copies of their personal data, including emails about them.  They can ask for inaccuracies to be corrected and they can object to how their personal data is being handled, even asking for it to be deleted.  Although many of these rights are not absolute, people do not have to follow standard channels when exercising them, and so any Officer of your society might receive, and needs to recognise, a rights request.  Requests generally have to be answered within one month, so pass them on promptly to whoever holds the data.  The ICO website provides guidance on how to handle a rights request once it has been submitted.

 

Recognising and reporting data breaches

You need to be aware of your legal obligation to inform the ICO if there is a breach of security involving personal data, or if personal data is accidentally destroyed beyond recovery, unless the breach is unlikely to result in a risk to the people concerned.  Where a report is required it must be made within 72 hours of your becoming aware of the breach, so you should keep a note of what happened and what you did about it in every case.  Examples include your membership database being hacked into, accidentally published online, or emailed to the wrong recipients.  The ICO website provides guidance on how to recognise, handle and report a data breach.

 

Other guidance on data protection

  • Further information aimed at student sports clubs is available on the University's Sports Service website.

  • Further information aimed at clubs and societies that have an alumni relations or fundraising dimension is available from CUDAR.

  • Guidance for College societies should be sought from the relevant College.

  • General guidance is available from the ICO, which also has a dedicated GDPR helpline for small organisations, and from the University.