Data handling for Student Groups in Oxford
Every person has a legal right for their personal data to be kept private. When you are privy to personal information it is your responsibility to maintain that privacy unless otherwise told by that person. This guide will explain the best practice when handling data for student groups at Oxford - but is not legal advice. For more information on any aspect of data protection, please refer to the ICO website.
Every student group handles personal data (even yours!):
Personal data is essentially information about a living person that allows them to be identified. As a student group you could collect some of the following:
Why this is important:
Imagine Julia, a first-year student who is part of the LGBTQ+ community but has not come out to her family. She joins the LGBTQ+ student group at her University and someone posts and tags Julia on the group’s public Facebook page that she's a member.
Or imagine Andrew, the only French student on his course, completes a survey to review the abilities of his lecturer. The lecturer then receives the results which have been ‘anonymised’ but sees the satisfaction score broken down by nationality.
In both situations, sharing information about the individual could have huge implications for their personal life, professional life, their wellbeing, or their safety.
Manage those risks:
Almost all risks relating to data stem from the fact that the individual can be identified from the information shared. Any data of this type is considered personal data and its handling is regulated in the law.
As we saw in Andrew’s case, it is possible to be identified from data which doesn’t even include a name. These cases are the ones you must be most careful of. For example:
MCR President of Parks College,
A photo of a person’s face, or
A photo of a dissertation submission showing the BOD card number.
Side note: This does not apply to photographs taken in public spaces as there is no expectation of privacy. However, this is why, in any private event where photographs will be taken, the terms and conditions of attending will include a clause about a photographer being present and what those photos may be used for.
Special category data
Some types of personal data must be handled more sensitively due to the potential for it to be used in a discriminatory nature, whether consciously or unconsciously, against the individual. Information that falls into this category often relates to very personal aspects of an individual’s life and identity, and therefore should be respected and protected. Special category data includes data relating to:
Trade union membership
You should only process this data with explicit consent from the individual, in line with the purpose(s) consented to.
If you are a group targeted at a special category, it is likely that special category data will be impliedly collected by nature of the activity. For example, if you are compiling a report on the experiences of BAME students, readers will know that the respondents belong to a minority ethnic group which brings them one step closer to identification. You should therefore be careful that the quotations included do not identify a person by their experience, and also avoid using names within the report unless expressed consent has been given (see below on direct and indirect identification).
Get That Consent
Before collecting data, getting consent is the best way to ensure you’re compliant with the law.
So, when collecting email addresses at Fresher’s Fair for example, pop a caveat on your form with a tick-box like:
‘Thank you for adding your email address to our list. We will use your information to inform you of events and services related to our activity. You can opt-out at any time. Please tick the box provided to inform us of your consent to use this data in this way.’
Key Fact: Consent must be positively given, meaning you cannot use an opt-out system, such as unticking a box. Plus, everyone has the right to withdraw their consent at any time and should be informed how to do this e.g. ensuring there’s an ‘unsubscribe’ button in all emails and popping a disclaimer onto your website with a clear person to contact to withdraw permission to use personal data (delete data).
What you can collect
Only collect data that is necessary for the purposes of your group.
Don’t collect data that you’d like to keep on file ‘just in case’ or for your personal interest. For example, do you need to know the gender of those completing your survey? If you feel like doing some demographic research, that’s fine, but ensure this is clearly communicated and what you’re doing with that information at the point of signing up
In the EU, or not in the EU, they have slightly different implications under GDPR. So we’ve had a shop around and found the following platforms are likely to fall in the following categories:
For surveys and forms
Inappropriate to use
For mail lists
If you are writing a report, it may take weeks or months to process the data. You must ensure that during this period access to the data is limited to only the people that need access to it for processing purposes. Aim to keep this number as low as possible, ideally only 1 or 2 people. Ensure that any documents and web accounts are password protected and that only the people that require access know these passwords
How Do I Store Data?
Ideally, pop your data online in a secure space such as Office 365 and destroy paper copies. If you collect data on a computer, follow best practice and ensure the file is password protected and a limited number of people have access to the password.
When you write your consent caveats, these are the boundaries that dictate how you can use the data you have collected. Really simple!
The data should not be kept for any longer than is necessary to fulfil the purposes you outlined at the beginning.
Side Note: Publishing. The safest thing to do is to avoid publishing anything that contains personal data without them knowing this was something you wanted to do. Remember that an individual can still be identified even if you don’t use their name so consider the welfare of your fellow students over the promotion of your event.
Hopefully this has helped!
We all have a responsibility to ensure the protection of personal data so we hope this guide has clarified a few things. Moving forward, think about the following and you should be fine:
Is data collection necessary to achieve this aim? If so, what pieces of information will I need?
Does my data collection tool process data within or outside the EU?
How will I protect the data collected on paper/digitally?
If you have any worries contact firstname.lastname@example.org or your Sabbatical Officers and we will point you in the right direction!