It's important to keep your membership and event attendee information secure, not share it to third parties, and only use if for the purposes of managing your group. 

Students' Union UCL has its own Data protection and privacy policy but is also subject to UCL's policies - see Understanding Data Protection at UCL.

Club and society members are entitled to best practice data protection - their details should be private, secure, and used only for the purposes they have consented to (or for legitimate reasons related to these purposes).

The purpose for all Clubs and Societies is defined in the ‘consent text’ students will see when they purchase club or Society Membership:

"When you purchase membership of a club or society we will process the data provided in accordance with the Union's Data protection and privacy policy. Your data will also be given to the Principal Officers of the specific Club or Society you have joined so that they can contact you with relevant information about the group’s activities, events and opportunities."

This means clubs and societies need to:

  • ensure that they handle personal data about their members (and any other people) in line with the data protection principles; and

  • be able to recognise and respond to requests from members and others exercising their individual rights under the Data Protection & GDPR.

As Presidents and Treasurers, or any club officer or member, please do your best to apply the principals of Data Protection & GDPR detailed here, below and in the Data protection and privacy policy.


UCL provides GDPR training at

Please complete this as soon as possible to ensure you are aware of the principles of data protection as applied to UCL.

Note that Freedom of Information requests to do not apply to Students' Union UCL, and therefore to its clubs and societies.

Membership lists

When you download your membership lists from the website you are processing data and it is important you ensure you only use the information (email addresses for example) for the purpose for which it was collected.

You can only use the data provided from membership list downloads or sign ups to your newsletters to contact your members with ‘relevant information about the groups activities, events and opportunities’ directly relating to your societies activity E.g. advertising an EGM, a talk being hosted by your society, the timings of pre-season trials etc. It would not be appropriate to share an email directly from a sponsor unless it has a strong link to your club or societies core activity.

The membership data you have must not be shared with any other clubs or society, organisation, sponsor, individual or external group of any kind without express written consent.​

Key rules for data protection

  • You can only retain the membership data of your members for the period in which they are a member – this means that as soon as someone stops being a member they should be removed from any mailing lists (mailchimp etc.). The list of members downloaded from your page on the Union website is the definiative list you need to follow. You must check this regularly and if anyone has stopped being a member delete all data you hold on them.
  • It must be easy and clear for people to unsubscribe/leave your mailing lists/groups. As soon as someone leaves you must delete all data you hold on that individual immediately.
  • Only Presidents and Treasurers are allowed to access membership data – there are no exceptions to this rule.
  • When you download or store membership data it must be kept on a secure computer and network – ideally within the UCL network on a UCL computer and in a UCL account.
  • In the event that a device with data on it is lost or stolen or if there is any other issue with relation to GDPR you must report this to the Activities Reception immediately.
  • For group e-mails and mailing lists, make sure you BCC all recipients to ensure you do not share your members data inappropriately.
  • For welcome fair remember If you are gathering data/sign ups for your mailing lists you must ensure that as soon as it is uploaded (e.g. into mail chimp) the paper and any other copies are securely deleted or destroyed.

Recognising rights requests

You need to be aware of people’s rights under data protection legislation. People have a right to copies of their personal data, including emails about them. They can ask for inaccuracies to be corrected and they can object to how their personal data is being handled, even asking for it to be deleted. Although many of these rights are not automatic, people do not have to follow standard channels when exercising them and so any officer of your society might receive, and needs to recognise, a rights request.

If it relates to information on our website or another Union or UCL system, refer the student to [email protected] for action.

The ICO website provides guidance on how to handle a rights request once it has been submitted.

Recognising and reporting data breaches

You need to be aware of your legal obligation to inform the ICO if there is a breach of security that includes personal data, or if personal data is accidentally destroyed beyond recovery. An example could be that your membership export has been accessed by someone who shouldn't have, or accidentally shared online.

The ICO website provides guidance on how to recognise, handle and report a data breach.

Please report any breaches to [email protected] for assistance as soon as possible.

Additional info

Knowledge base


Did you find this article useful?