Updated as of: 11/05/18
University of Plymouth Students’ Union Advice Centre is committed to protecting and respecting your privacy.
We understand that your personal data is entrusted to us and appreciates the importance of protecting and respecting your privacy. To this end we comply fully with the data protection law in force in the UK (“Data Protection Laws”).
This Privacy Statement sets out the basis on which we collect and process personal data about you including our practices regarding the collection, use, storage and disclosure of personal data that we collect from you and/or hold about you, and your rights in relation to that data.
Please read the following carefully to understand how we process your personal data. By providing your personal data to us or by using our services, website or other online or digital platform(s) you are accepting or consenting to the practices as described or referred to in this Privacy Statement.
For the purpose of Data Protection Laws, the data controller is University of Plymouth Students’ Union, with registered address at: University of Plymouth, Drake Circus, Plymouth, Devon, PL4 8AA, a Registered charity number 1172830, a company limited by guarantee in England and Wales number 10676070.
What personal data we may collect
When you use the UPSU’s Advice Centre a selection of information is used that is pertinent to supporting the case. This information is held independently of University of Plymouth on a secure online service called Advice Pro provided by Advice UK, with the exception of anonymous analysis for statistical reporting.
UPSU Advice has a legitimate interest (Article 6 GDPR) in processing client data, including enquiry/case details. As such consent isn’t required when processing client’s data as part of your enquiry/case, unless special category data is being collected which isn’t integral to your case, but can inform UPSU Advice of any trends. It is necessary for UPSU Advice to protect the interests of the client as well as the interests of the service.
We will collect basic demographic data about you to inform your case, contact details and information about the advice case.
How we collect your personal data
Online Booking portal
Case Data Collection Form
Collecting your data at point of registration aids in the delivery of advice to the individual so we can get a picture of your profile to inform the advice provided. The data provided in the form will be kept securely in the Advice Centre, then inputted onto our Advice Pro system and then securely disposed of once uploaded. The data gathered informs us about the advice sort and enables us to understand the demographic of those accessing the service with the aim to make service improvements. The use of the data provided is made clear on the form for you to see.
Within a case file an Advice Worker may record a client’s health information, criminal record, political opinions, religion, trade union membership and/or sexual orientation (special category data). This information would only be noted if it has implications for the casework being undertaken. This data will not be used for reporting, nor published within a case study unless the client has given explicit consent. This consent is recorded via AdvicePro.
Emails to/from clients are not stored in individual staff accounts and should be deleted once added to Advice Pro.
Client feedback form
We offer clients the opportunity to anonymously feedback on their experience of accessing the service. We use Google Forms and ask five specific questions regarding your contact with the Advice Centre. We use the data provided to measure the effectiveness and quality of the service to inform service improvements.
How we use your personal data
The personal data you provide us will be used to support your advice case and for anonymous reporting only. We do not use case the information you provide us for any other purposes.
On occasion UPSU Advice runs competitions for students in which they may provide us with an email address or phone number. Students will be informed when entering the competition what they data will be used for (contacting them if they win) and that it will be destroyed in confidential waste or permanently deleted once the competition is over. Unless explicit consent is provided the data will not be used for marketing purposes.
Unless explicit consent is provided the data you provide us will not be used for marketing purposes.
In some instances UPSU Advice will require consent from you to use your data in a certain way. UPSU Advice has a strict Confidentiality Statement allowing for breaches of confidentiality: when there is a risk of danger to the student or others, when not doing so would break the law, when the Advice Team discover that it is advising both parties to a dispute and needs to disclose the fact in order to avoid a conflict of interest.
If none of these are applicable, UPSU can only share a client’s data or contact a third party with the clients written consent. See the UPSU Advice Confidentiality Statement for more information.
How we keep your data safe and who has access
All case file information is held on the AdvicePro system, no client case data is held on any other systems in the organisation be it physical or digital. Only our trained Advice Workers have access to the case files on Advice Pro.
AdvicePro is a centralised, secure web-based application. The application is hosted remotely at a secure data centre within the UK. This enables AdvicePro to provide automatic nightly backups which are stored securely offsite together with physical building and network infrastructure compliant with Information Security Code of Practice ISO27001. AdvicePro is a highly trusted case management system within the advice sector and is fully compliant with the GDPR
Securing the office
The last member of staff to leave the UPSU Advice centre is responsible for securing the centre and the data held inside. There is limited access to Advice Centre via a key card entry system, and individual offices are locked when not in use. All staff are individually responsible for locking their PC when left unattended and locking any written notes or client documents in their desk drawers when the office is not in use.
UPSU Advice will store case file data for 4 years from when your case record is closed. All electronic data, including case files, are automatically placed as inactive by AdvicePro on a daily basis after 90 days of inactivity . The Advice Team will then close the case after 1 year from the 90 days of inactivity. If you return to the advice centre during this period, regarding the same issue, the Advice Centre staff will be able to re-open your initial case.
The case records will be deleted by the Advice Team 4 years after your case was closed. All identifying data is deleted. An archived client, case or enquiry will no longer appear in search results; however, the clients and cases still exist in the database so the UPSU Advice Manager can still search on the non-identifying data. This allows the UPSU Advice Manager and staff to run longitudinal reports to aid in identifying trends.
Conflict of Interest
UPSU Advice routinely supports students where more than one student is involved, e.g. academic offences such as collusion, housemate disputes and complaints. UPSU Advice has a legitimate interest in recording the name of the other party, despite the other party not having accessed the service. The name of the other party will be recorded so if they were to approach the service the case could be quickly identified and appropriate action taken. Please refer to our Conflict of Interest Policy for further details.
We will follow the UPSU Data Breach guidance as outlined in the UPSU Data Protection and Information Security Handbook. Advice Pro have a procedure in place in the event of a data breach. The UPSU Advice Manager is responsible for ensuring the Primary Contact details held by AdvicePro are up-to-date to ensure there is no delay in reporting a data breach. If a UPSU Advice Worker is informed of a data breach involving AdvicePro then they are to alert AdvicePro immediately via firstname.lastname@example.org. As well as informing AdvicePro, we are also required to inform the Information Commissioners Office (ICO) ideally within 72 hours and the client/s affected.
Right to Access
Clients have the right to an electronic copy of their data and to know whether or not personal data concerning them is being processed, where and what for. Clients wishing to have a copy of their data can complete the UPSU Subject Access Request form found in the UPSU Student Data Privacy Statement. Once the identity of the enquirer is confirmed as the client, UPSU Advice will provide, free of charge, an electronic copy of the clients data, including all case files within 30 days of the request.
Right to be forgotten
The right to be forgotten entitles the client to have the data controller erase their personal data, cease further dissemination of the data and potentially have third parties halt processing of the data. The UPSU Advice Manager can delete cases and clients from AdvicePro; however, this may not be possible where we have a legitimate interest to retain this data. If you wish for us to delete your data from AdvicePro you can contact the UPSU Data Protection Officer on email@example.com to discuss the feasibility of your request, and where possible, this will be actioned by the UPSU Advice Manager. Before your data is deleted the UPSU Data Protection Officer shall consult a legal adviser to seek advice before informing the UPSU Advice Manager to delete any files. Consideration will be given to whether you have the right to have your data deleted based on the reasoning for wishing to do so and if your desire takes precedent over their long-term interest, e.g. complaint/appeal.
The UPSU Advice Manager will ensure you are fully aware of the implications of deleting your data, highlighting to you the options available. A response to your request will be provided within 30 days from the initial request. The UPSU Advice Manager is responsible for keeping a record of all instances when a client requests to be ‘forgotten’.
Confirmation of your identify will be required before engaging in discussion with you.
You have the right to access your data in a machine readable format. As such AdvicePro has added the option to export the client and case files in XML format.
Right to Rectification
If you inform us that your data is incorrect you can complete another client registration form with the correct details and this will be updated. Alternatively, you can contact us and discuss the updates required, after your identity has been confirmed.
Right to Restrict Processing:
Clients will have the option to consent or not for the differing uses of their data.
Changes to this statement
We may change this Privacy Statement from time to time. If we make any significant changes in the way we treat your personal information we will make this clear on our Website or by contacting you directly.
If you have any questions, comments or suggestions, please let us know by contacting the Data Protection Officer on firstname.lastname@example.org