Privacy Policy

How we keep your information and why

Table of Contents

Who we are

Dundee University Students’ Association (DUSA) provides services to students at the University of Dundee. Students are automatically enrolled as members of DUSA upon matriculation.

We operate from University of Dundee City Campus, Dundee, DD1 4HP and are a registered Scottish charity (SC016047), regulated by the Scottish Charity Regulator (OSCR).

Our commitment to your data

For the purposes of data protection law, DUSA is the data controller. This means we are responsible for how your personal information is collected, used, and stored. We are committed to handling personal data in accordance with UK GDPR and the Data Protection Act 2018.

We ensure that your personal data is:

  • Processed lawfully, fairly, and transparently
  • Collected for specific, legitimate purposes
  • Limited to what is necessary
  • Accurate and kept up to date
  • Retained only as long as necessary
  • Kept secure using appropriate technical and organisational measures

 

How we collect personal information

We collect personal data in the following ways:

  • From the University of Dundee as part of matriculation
  • When you engage with our services (e.g. advice, events, bookings)
  • When you contact us (email, phone, social media, in person)
  • When you use our website or social media

What personal information we collect

This may include:

  • Name and contact details
  • Student and course information
  • Date of birth
  • Records of interactions (emails, meetings, case notes)
  • Website usage data (e.g. IP address, browsing activity)
  • CCTV images for safety and security purposes

For advice and support services, we may also process sensitive (special category) data, such as information relating to health or personal circumstances, where necessary to support your case.

Payment card details are not held by DUSA and are processed securely by third-party providers.

How we use your information

We use your information to:

  • Deliver services and support to members
  • Manage membership records
  • Process bookings, purchases, and event participation
  • Respond to enquiries and provide customer support
  • Improve our services (including anonymised analysis)
  • Meet legal and regulatory obligations
  • Investigate complaints or disciplinary matters

Lawful basis for processing

We process personal data under the following lawful bases:

  • Legitimate interests to deliver services and support to students
  • Contractual, where processing is necessary for bookings or purchases
  • Legal, with our obligation to comply with regulatory and legal requirements
  • Consent for marketing communications and certain sensitive data processing

Where we process special category data, this is done with your explicit consent or where otherwise permitted by law.

Sharing your information

We do not sell or rent your data. We only share personal information, where necessary, including with:

  • The University of Dundee
  • Regulatory bodies (e.g. HMRC, OSCR). For example, HMRC may require payroll or tax information for students employed by DUSA, and OSCR may require student trustee information as part of our charity reporting obligations
  • Trusted service providers (e.g. IT systems, payment processors)
  • Public authorities or law enforcement where required

All third-party providers are required to handle your data securely and in line with data protection law.

Systems we use

We use Membership Solutions Ltd (MSL) as our student membership and case management system. MSL acts as a data processor on behalf of DUSA and provides secure hosting and system infrastructure.

Personal data is accessed by authorised DUSA staff and securely stored within MSL systems. MSL hosts the system on infrastructure it controls and manages, and we do not host this data directly on our own premises. MSL may use approved sub-processors to support the delivery of its services. All such arrangements are subject to appropriate contractual and data protection safeguards in line with UK GDPR.

We also use trusted third-party providers (such as event and payment platforms) to deliver specific services. These providers process data on our behalf under appropriate contractual arrangements.

International data transfers

In some cases, personal data may be processed outside the UK or European Economic Area (EEA), for example by third-party providers. Where this occurs, we ensure appropriate safeguards are in place to protect your data in accordance with data protection law.

How long we keep your information

We retain personal data only for as long as necessary for the purposes it was collected.

This includes:

  • Legal and regulatory requirements
  • Operational needs
  • Handling of complaints or legal claims

Specific retention periods vary by service. Further details are available on request.

Data security

We take appropriate measures to protect your personal data, including:

  • Secure systems and storage
  • Access controls for staff
  • Encryption and secure data transfer methods

While we take all reasonable steps to protect your data, no transmission over the internet can be guaranteed as completely secure.

Your rights

Under data protection law, you have the right to:

  • Access your personal data
  • Request correction of inaccurate data
  • Request deletion of your data where appropriate
  • Restrict or object to processing
  • Withdraw consent at any time (where applicable)
  • Lodge a complaint with the Information Commissioner’s Office

Cookies

Our website uses cookies to improve functionality and user experience, including analytics to understand how the site is used. You can control cookie settings through your browser.

Links to other websites

Our website may contain links to external sites. We are not responsible for their privacy practices and recommend reviewing their policies.

Changes to this policy

We review this policy regularly and will update it as needed. The latest version will always be available on our website.

Contact us

If you have any questions or wish to exercise your rights, please contact: dataprotection@dusa.co.uk

Complaints

If you are unhappy with how we handle your data, we encourage you to contact us first so we can try to resolve your concern. If you wish to escalate this, you can contact the Information Commissioner’s Office:

Information Commissioner’s Office – Scotland
45 Melville Street
Edinburgh EH3 7HL
Telephone: 0303 123 1115

Last updated: April 2026