Skip to the main content

Students’ Union UCL has its own Data protection and privacy policy but is also subject to UCL’s policies - see Understanding Data Protection at UCL.

Club and society members are entitled to best practice data protection - their details should be private, secure, and used only for the purposes they have consented to (or for legitimate reasons related to these purposes).

The purpose for all Clubs and Societies is defined in the ‘consent text’ students will see when they purchase club or Society Membership, this states:

“When you purchase membership of a club or society we will process the data provided in accordance with the Union’s Data protection and privacy policy. Your data will also be given to the Principal Officers of the specific Club or Society you have joined so that they can contact you with relevant information about the group’s activities, events and opportunities”

As Presidents and Treasurers, or any club officer or member, please do your best to apply the principals of GDPR detailed here, below and in the Data protection and privacy policy.

Training

UCL provides GDPR training at https://www.ucl.ac.uk/data-protection/data-protection-overview/online-training/data-protection-online-training

Please complete this as soon as possible to ensure you are aware of the principles of data protection as applied to UCL.

Note that Freedom of Information requests to do not apply to Students’ Union UCL, and therefore to its clubs and societies.

Membership lists

When you download your membership lists from the website you are processing data and it is important you ensure you only use the information (email addresses for example) for the purpose for which it was collected.

You can only use the data provided from membership list downloads or sign ups to your newsletters to contact your members with ‘relevant information about the groups activities, events and opportunities’ directly relating to your societies activity E.g. advertising an EGM, a talk being hosted by your society, the timings of pre-season trials etc. It would not be appropriate to share an email directly from a sponsor unless it has a strong link to your club or societies core activity.

The membership data you have must not be shared with any other clubs or society, organisation, sponsor, individual or external group of any kind without express written consent.

Key rules for data protection

  • You can only retain the membership data of your members for the period in which they are a member – this means that as soon as someone stops being a member they should be removed from any mailing lists (mailchimp etc.). The list of members downloaded from your page on the Union website is the definiative list you need to follow. You must check this regularly and if anyone has stopped being a member delete all data you hold on them.
  • It must be easy and clear for people to unsubscribe/leave your mailing lists/groups. As soon as someone leaves you must delete all data you hold on that individual immediately.
  • Only Presidents and Treasurers are allowed to access membership data – there are no exceptions to this rule.
  • When you download or store membership data it must be kept on a secure compute and network – ideally within the UCL network on a UCL computer and in a UCL account.
  • In the event that a device with data on it is lost or stolen or if there is any other issue with relation to GDPR you must report this to the Activities Reception immediately.
  • For group e-mails and mailing lists, make sure you BCC all recipients to ensure you do not share your members data inappropriately.
  • For welcome fair remember If you are gathering data/sign ups for your mailing lists you must ensure that as soon as it is uploaded (e.g. into mail chimp) the paper and any other copies are securely deleted or destroyed.