Privacy Policy

Who we are
Dundee University Students’ Association (DUSA) offers a range of services to students at the University of Dundee, who are automatically made ordinary members of DUSA by way of matriculation at the University. We aim to provide the highest level of social, recreational, advice and support services to all members irrespective of age, gender, background or beliefs. We operate premises in Dundee at Airlie Place, Dundee, DD1 4HP. We are a charity registered in Scotland (SCO16047) regulated by the Scottish Charity Regulator (OSCR). 

Purpose
DUSA is a “data controller”. This means that we are responsible for deciding how we gather, hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy policy. 

This Policy explains when and why we collect personal information about our members and other people who visit our website, how we use it, the conditions under which we may disclose it to others and how we keep it secure. 

Our commitment
DUSA is fully committed to handling personal information in accordance with data protection legislation and with best practice in data protection and information security.

This means that your personal information will be: 

  • Processed lawfully, fairly, and in a transparent manner. 
  • Collected for specified, explicit and legitimate purposes. 
  • Only collected so far as required for our lawful purposes. 
  • As accurate and up to date as possible. 
  • Retained for a reasonable period of time, in accordance with our retention policies. 
  • Processed in a manner which ensures an appropriate level of security. 

 Whether through this policy or otherwise, we hope to ensure that everyone has a good understanding of why we process personal information and, where we do, the rights they may have.  

How do we collect personal information?
As students at the University are automatically enrolled as members of DUSA, we obtain information about our members directly from the University as part of the matriculation process. We also obtain information about you when you use our website or social media sites, for example, when you contact us about events and services, purchase tickets, enter competitions, enquire about commercial services, or register to receive our newsletter. In addition, like most organisations that handle personal information, there are various ways in which we collect information from the people we deal with, such as:

  • Email and written correspondence. 
  • Telephone discussions. 
  • Social media. 
  • Application forms and other information requests. 
  • Direct contact at DUSA and elsewhere. 

 In nearly all instances, it should be obvious to you when we are collecting your personal data. 

What personal information do we collect?
The personal information most commonly collected is as follows: 

  • Name. 
  • Contact details (including term time and home address, business addresses, email – both University and personal, telephone number). 
  • For visitors to our website – your IP address, and information regarding what pages are accessed and when. 
  • If you make a purchase via our website, your card information is not held by us; it is collected by a third-party payment processor that specialises in the secure online capture and processing of credit/debit card transactions, as explained below.
  • Date of birth. 
  • Records of enquiries, meetings and other direct engagement. 
  • Copies of physical and electronic correspondence. 
  • Images obtained from our CCTV system for the purposes of crime detection and health and safety.  

How is your information used?
We may use your information to: 

  • Keep your membership details up to date; 
  • Carry out our obligations arising from any contracts entered into by you and us;
  • Deal with entries into a competition;
  • Seek your views or comments on the services we provide; 
  • Notify you of changes to our services; 
  • Send you communications which you have requested and that may be of interest to you. These may include information about events, campaigns, societies, appeals, other fundraising activities or promotions of our services; 
  • Process a room booking; and 
  • Investigate disciplinary action or complaints brought against our members or guests. 

We review our retention periods for personal information on a regular basis. We are legally required to hold some types of information to fulfil our statutory obligations, for example administration of our membership database. We will hold your personal information on our systems for as long as is necessary for the relevant activity or as long as is set out in any relevant contract you hold with us.  

What is the lawful basis for our processing activities?
We will only process personal information where we believe we have a lawful basis to do so. The basis for processing will vary from activity to activity. In some instances, processing may have more than one lawful basis. 

Processing is necessary for us to meet our legitimate interests as a provider of certain services to our members. The following summarises the basis on which we process personal information:

Lawful basis – Examples of processing activities

Maintenance of our membership database, and delivery of services we provide to our members, guests and visitors.
  • General administration for maintaining our membership database.
  • Corresponding with members in respect of the delivery of our services within the terms of our conditions of membership.
  • Regulatory activity (e.g. complying with the requirements of OSCR and fulfilling our responsibilities with regard to applicable legislation).
  • Providing members with relevant news and updates which may be of interest to them.

Processing carried out in the public interest.
  • Regulatory activity (e.g. complying with requirements of OSCR and fulfilling our responsibilities with regard to applicable legislation).

Processing necessary for us to comply with our legal obligations.
  • Providing information to statutory bodies (e.g. HMRC).
  • Providing information to law enforcement agencies.

Consent.
  • Providing members, guests and customers with relevant news and updates, marketing and other information.
  • Use of financial, personal or sensitive information relevant to the delivery of services provided to our members / guests / customers.

Processing is necessary for the performance of a contract with our staff, members or suppliers.
  • Processing is necessary for the purposes of carrying out our obligations as a data controller with respect to:
      • our staff members in the field of employment; and
      • where we use third party suppliers for processing data, such as images captured during our events and published on our website and social media sites.

Do we share personal data with third parties?
We will not sell or rent your information to third parties, and we will not share your information with third parties for marketing purposes. However, in certain circumstances the processing activities set out above will require us to share personal information with third parties. Whenever we share personal data, we will make this clear to you at the point we obtain your data, and we will take all reasonable steps to ensure it will be handled appropriately and securely by the third party. When we use third party service providers, we disclose only the personal information that is necessary to deliver the service and we have a contract in place that requires them to keep your information secure. Please be reassured that we will not release your information to third parties for them to use for their own direct marketing purposes, unless you have requested us to do so. 

When you are purchasing event tickets and merchandise via our website, your transaction is processed using a third-party payment system, such as Eventbrite, which is encrypted to ensure that card data is captured and processed securely. DUSA does not hold payment card data. If you have any questions regarding secure transactions, please contact us. 

We may transfer your personal information to a third party if we’re under a duty to disclose or share your personal data to comply with any legal obligation or to enforce or apply our terms of use or to protect the rights, property or safety of our members, guests and staff. However, we will take steps with the aim of ensuring that your privacy rights continue to be protected.

The following is a list of the main third parties with whom we share personal information: 

  • Oversight regulators and statutory bodies (e.g. HMRC and OSCR). 
  • The University of Dundee.
  • Membership Solutions Ltd (MSL).
  • Local authorities and health care agencies, such as the NHS.
  • Software providers which allow us to operate efficient digital processes.

For practical reasons, this is an indicative, but not exhaustive list. Please also note that the list may be updated from time to time. 

How long do we retain personal information?
The periods for which we retain personal information depend on the purpose for which the information was obtained but, in general terms, we will retain personal data for so long as required by law, or as may be required for record keeping and legal claims purposes.

Where do we store personal information?
Personal information is mostly processed by our staff at our premises in Dundee. To allow us to operate efficient digital processes, we need to store information on servers owned by the University which are located in the UK. By submitting your personal data, you’re agreeing to this transfer, storing or processing. If we transfer your information outside of the EU in this way, we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this Policy.

We use Membership Solutions Ltd (MSL) as our student membership management system. Examples of the personal data that may be transferred by DUSA to MSL include, but are not limited to:

  • Student names; 
  • Student number; 
  • Student card ID number;  
  • Date of birth; 
  • Gender; 
  • Student Type; 
  • Enrolment status; 
  • Year of study; 
  • Faculty; 
  • Course details; 
  • University email address;  
  • Personal email address; 
  • University address.

The MSL System is hosted at the UKFast data centre in Manchester, UK. This location is a secure facility certified to ISO 27001 and PCI DSS compliant in accordance with the best security and safety industry practice. The data file is transferred by the University of Dundee IT team using Amazon S3 as a staging area. Amazon’s S3 environment is a secure upload location in an Amazon data region specific to our jurisdiction, and the S3 bucket is subject to Amazon server-side encryption. MSL has implemented security processes and controls that will help protect customer and member data, promote internal operations resilience and safeguard MSL’s reputation. Controls are in line with best practice guidelines, ISO 27001, ISO 22301 and the eight principles covered by the UK Data Protection Act 1998.

DUSA also uses Eventbrite for our online payment processing. Eventbrite is hosted in the Amazon Web Services (AWS) EC2 environment, which holds users’ personal information on servers located in the United States of America (the U.S.) and other countries located outside of Europe. For EU residents, this means that your personal information will be transferred outside of the European Economic Area (EEA). To ensure that data is adequately protected, AWS is certified as a Payment Card Industry Data Security Standard Level 1 Service Provider, the highest level of assessment available.

By entering personal information into Eventbrite, you consent to that personal information being hosted on servers located outside of the EEA. While your personal information will be stored on servers located outside of the EEA, it will remain within Eventbrite’s effective control at all times. The data hosting provider’s role is limited to providing a hosting and storage service to Eventbrite, and Eventbrite has taken steps to ensure that its data hosting provider does not have access to, and uses the necessary level of protection for, your personal information. They do not control and are not permitted to access or use your personal information, except for the limited purpose of storing the information.

If you require further information about these protective measures, you can request it using the contact details below. 

Third-party Payment Gateway
DUSA uses a third-party payment gateway to facilitate payment of the Black Card. The gateway we use is Stripe. We receive from this platform:

  • Name.
  • Email.
  • Billing address.
  • Transaction value.

The platform manages payment details. You can access their privacy policy below:

Stripe

IP addresses
We may collect information about the computer or device which is used to access our website. We use this information to improve the user experience and to help us better understand the ways in which our website is used. This may include information about: 

  • The computer or device type. 
  • IP address. 
  • Operating system. 
  • Browser type and version. 
  • Time zone setting and browser plug-in types and versions. 

This is statistical data about our users’ browsing actions and patterns. It is collected on an anonymous, aggregated basis, and does not identify individual users.  

Security precautions in place to protect against the loss, misuse or alteration of your information

When you give us personal information, we take steps to ensure that it’s treated securely.  

Non-sensitive details (your email address etc.) are transmitted normally over the Internet, and this can never be guaranteed to be 100% secure. As a result, while we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us, and you do so at your own risk. Once we receive your information, we make our best effort to ensure its security on our systems.  

Profiling
We may analyse the personal information which you have submitted to create a profile of your interests and preferences so that we can contact you with information relevant to you. We do not make use of additional information about you from external sources. In some circumstances we may use your personal information to detect and reduce fraud and credit risk.  

Cookies
Our website makes use of cookie files to distinguish you from other users of our site, to provide you with a bespoke user experience tailored to your individual preferences. A cookie file (a small file of letters and numbers) will be placed on your computer or other access device each time you visit our site. 

We also use analytical cookie files. These allow us to recognise and count the number of visitors to our site and to see how visitors move around our site when they are using it. This helps us to improve the way our site works, for example, by ensuring that users are finding what they are looking for easily. 

If you wish to delete any such cookie files, please refer to the instructions for your file management software to locate the file or directory that stores cookies. Our cookies will contain the domain name dusa.co.uk within the file name. 

You may refuse to accept cookie files when visiting our site by activating the setting on your browser which allows you to refuse the setting of cookies. However, if you choose this setting, you may not get an optimal website experience and may be unable to access certain parts of our site.

Other websites
Our website and emails may contain links to other websites, such as the University or carefully selected commercial partners. We are not responsible for the content or practices of these other sites and we recommend that you check their own privacy policies. 

Your rights where we are processing your information 

UK and EU data protection law gives certain rights to individuals whose information is being processed by an organisation. The following is a quick summary of these rights: 

  • Access to your information – you have the right to request a copy of the personal information about you that we hold. If such a request is deemed unnecessarily excessive, you will be quoted a charge for the staff time we incur for sourcing and providing this information. 
  • Correcting your information – we want to make sure that your personal information is accurate, complete, and up to date, and so you may ask us to correct any personal information about you that you believe does not meet these standards. 
  • Deletion of your information – you have the right to ask us to delete personal information about you where:
      • You consider that we no longer require the information for the purposes for which it was obtained.
      • We are using that information with your consent and you have withdrawn your consent – see ‘withdrawing consent to using your information’ below.
      • You have validly objected to our use of your personal information – see ‘objecting to how we may use your information’ below.
      • Our use of your personal information is contrary to law or our other legal obligations.
  • Objecting to how we may use your information – you have the right at any time to require us to stop using your personal information for marketing or newsletter purposes. In addition, where we use your personal information to perform tasks carried out in the public interest, or in exercising official authority vested in us then, if you ask us to, we will stop using that personal information unless there are overriding legitimate grounds to continue. 
  • Restricting how we may use your information – in some cases, you may ask us to restrict how we use your personal information. This right might apply, for example, where we are checking the accuracy of personal information about you that we hold, or assessing the validity of any objection you have made to our use of your information. The right might also apply if we no longer have a basis for using your personal information but you don’t want us to delete the data.  Where this right is validly exercised, we may only use the relevant personal information with your consent, for legal claims, or where there are other public interest grounds to do so. 
  • Withdrawing consent to using your information – where we use your personal information with your consent, you may withdraw that consent at any time, and we will stop using your personal information for the purpose(s) for which consent was given.

Please contact us in any of the ways set out in the ‘contact information and further advice’ section if you wish to exercise any of these rights.  

Changes to our privacy policy
We keep this policy under regular review and will place any updates on this website, alongside emailing you when any changes are made to it.  Paper copies of the privacy statement may also be obtained by emailing dataprotection@dusa.co.uk or in writing to our office at DUSA, Airlie Place, Dundee DD1 4HP.  

Your choices
You have a choice about whether or not you wish to receive information from us. If you do not want to receive direct marketing communications from us about the services we offer, then you can select your choices by ticking the relevant boxes situated on the form on which we collect your information, for example during the University’s matriculation process, or you can opt out at any time by emailing us at dataprotection@dusa.co.uk.

We will not contact you for marketing purposes by email, phone or text message unless you have given your prior consent. We will not contact you for marketing purposes by post if you have indicated that you do not wish to be contacted. You can change your marketing preferences at any time by contacting us by email: dataprotection@dusa.co.uk or telephone on 01382 386060.   

 

Contact information and further advice
If you have any questions which are not covered in this policy, we suggest that you email us at dataprotection@dusa.co.uk. To help us deal with your query as quickly as possible, we recommend that you include the following in the email subject: ‘FAO Data Protection Lead’. If you would prefer to submit your questions in writing, please write to us at DUSA, Airlie Place, Dundee DD1 4HP, addressing your letter to the Data Protection Lead.

 

Complaints
While we seek to resolve directly all complaints about how we handle personal information, you also have the right to lodge a complaint with the Information Commissioner’s Office, whose contact details are as follows: 

Information Commissioner’s Office – Scotland
45 Melville Street
Edinburgh
EH3 7HL 

Telephone – 0303 123 1115 

Email – Scotland@ico.org.uk