Introduction
Bucks Students’ Union (“we”, “our” or “us”) promises to respect any personal data you share with us, or that we get from other organisations, and keep it safe. We aim to be clear when we collect your data and not to do anything you wouldn’t reasonably expect from us.
Facilitating our legal requirements, organisation policy and services to our customers, clients, suppliers, and other parties, through using your personal data, allows us to make better decisions, communicate more efficiently and, ultimately, ensure you receive the services required.
Other parties include:
• visitors to our premises
• individuals or organisations that get in touch with us by email, phone, in writing, through our website or social media channels
• contacts when we act on behalf of our members and in our representative role with Buckinghamshire New University
• contacts when we deliver large key events, such as Union Awards, the Athletic Union Dinner, Varsity, etc
• organisations that deliver student opportunities.
There are separate and specific data privacy statements for students (members of the Students’ Union) and members of the alumni network.
This privacy statement outlines what personal data is processed by the Union, the legal basis for processing personal data, storage and retention requirements, and the data subject’s rights regarding their data.
Definitions
Personal data is any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identified, such as a name, an identification number, cardholder data, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Sensitive personal data includes information relating to racial or ethnic origin, disability, political opinions, religious beliefs, trade union membership, health, sex life and criminal convictions. The processing of sensitive personal data is subject to much stricter conditions.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data controller is the natural or legal person, public authority, agency or other body which, along or jointly with others, determines the purposes and means of the processing of personal data.
Data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Consent of the data subject means any freely given, specific, informed and unambiguous indication of an individual’s wishes by which they, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to them .
Responsibilities
Our responsibility
In accordance with the UK General Data Protection Regulation (UK GDPR), Data Protection Act (2018), and Data (Use and Access) Act 2025, Bucks Students’ Union is the data controller. That means we are legally responsible for the personal data that we collect and hold about you.
The senior person responsible for ensuring that the Students’ Union is compliant with relevant data protection laws is the Data Protection Officer. The Data Protection Officer for Bucks Students’ Union is the Head of Communications and Marketing.
The Union agrees that personal data shall be:
• processed lawfully, fairly and in a transparent manner, in relation to the data subject
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
• adequate, relevant and limited to what is necessary in relation to the purpose(s) for which they are processed
• accurate, and where necessary, kept up to date
• kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the personal data is processed
• processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Your responsibility
As a student, it is your responsibility to ensure that all personal data provided to the Union is accurate and up to date. You should also ensure that you have read and understood the applicable data privacy statements and how these apply to you as a member of Bucks Students’ Union. You can either call us on 01494 601 600 or email sudataprotection@bnu.ac.uk if you have any concerns.
Where we collect information from you
We collect information in the following ways:
When you purchase items from us or make a payment
When you purchase items from us or a make payment, you provide us with certain personal data.
When you place an order with us online
When you place an order with us online, which includes, for example, purchasing items from our online store or paying a deposit for activities, registration is required (either in the form of creating a guest account or using your University/
Blackboard log in details). If you are registering for a guest account on our website, you provide us with certain personal data. If you are already a member of the Students’ Union (ie a current student), your personal data is already linked to your membership record with us.
When you become a client
When you become a client, with the Students’ Union, you provide us with certain personal data.
When you become a supplier or contractor
When you become a supplier or contractor, with the Students’ Union, you provide us with certain personal data.
When you visit our premises or enter our venues
When you visit any of our premises or venues, we may collect personal data that could relate to you as an individual. For instance, if you are a non-student, we will ask you to provide certain personal data.
When we deliver larger scale events
When we deliver some of our larger key events, such as Union Awards, the Athletic Union Dinner, Varsity, freshers’ fairs, etc, we may collect personal information that could relate to you as an individual.
When we work with you on student opportunities
When we work together with organisations to provide student opportunities, you may provide us with certain personal data.
When you get in touch with us
When you get in touch with us by email, phone, in writing, through our website or social media channels, you may provide us with certain personal data.
When we act on behalf of our members
When we work on behalf of our members, we may collect personal information that could relate to you or an individual. For instance, this could involve course-related issues or student complaints.
What personal data we collect and how we use it
The type and quantity of information we collect, and how we use it, depends on why you are providing it.
When you purchase items from us, make a payment or place an order online
In most cases, we will ask you to provide us with the following personal information:
• student ID
• name
• delivery address
• email address
• telephone number
We will use your data to administer our contracted duties with you.
Should we need to contact you for any reason regarding an order, we will use the email address registered on your account or the telephone number, where provided.
If you provide us with your student ID number this will allow us to track any payments that you make to us (eg paying money into club accounts), products you purchase and to provide better customer service standards.
Information is also gathered so we can cross-reference any refunds, if required, and to issue any deposits that are paid towards a specific activity or event.
Some information may be used to create demographic reports, which only analyses broad statistics and is non-identifiable.
When you become a client
In establishing a booking with us, as a client, we will ask you to provide us with the following information:
• name
• address
• email address
• telephone number
• job title.
We will use your data to administer our contracted duties with you and may undertake credit reference checks, where appropriate.
When you become a suppliers or contractor
In becoming a supplier or contractor, we will ask you to provide us with the following personal information:
• name
• address
• email address
• telephone number
• bank details
• job title
• health information that is directly related to accessibility.
We will use your data to administer our contracted duties with you.
When you visit our premises, enter our venues or attend a larger scale event
To visit or enter our venues and premises, we may ask you to provide us with the following personal information:
• name
• student ID number
• telephone number
• email address
• health information that is directly related to accessibility
• proof of identity (for non-students) to verify that you are the correct legal age to enter licensed premises and facilitating our licensing obligations.
We will use your data to administer our agreed duties with you.
When we are in contact with you in relation to our members, an event, an activity or any other reason associated with the activities of the Students’ Union
When we are in contact with you, we may ask you to provide us with the following personal information:
• name
• email address
• job title
• telephone number.
We will use your data to administer our agreed duties with you.
When
you get in contact with us
If you get in touch with us by email, phone, in writing, through our website or social media channels, we will retain your contact details. We may share those details with others within the Students’ Union or Buckinghamshire New University in order to complete any agreed activity. The type of information that we will collect will depend on the nature of the query.
When we act on behalf of our members
From time to time, we may be required to act on behalf of members when dealing with student issues that could be course-related or complaints-based. As a representative organisation, we have an obligation to protect the rights of our members and their educational experience, as outlined in the Education Act 1994. In certain circumstances, information that is disclosed to us in express confidence may be treated as such when we act on behalf of students and represent them to the University. Where information is disclosed to us confidentially, we owe a duty of confidence to the third party to protect their rights and may treat the information as being exempt under the UK GDPR and Data Protection Act 2018. In these situations, we will carefully balance the justification for disclosure and respect issues surrounding sensitivity. We believe that the legal basis for processing this information falls under legitimate interests and the representative nature of our work.
How we keep your data safe and who has access
We undertake regular reviews of who has access to information that we hold to ensure that your information is only accessible by appropriately trained staff and contractors.
Some of our suppliers may run their operations outside of the UK and, although they may not be subject to the same data protection laws as companies based within the UK, we will take steps to make sure they provide an adequate level of protection, in accordance with UK data protection laws. By submitting your personal information to us you agree to this transfer, storing or processing at a location outside the UK.
We may need to disclose your details if required to the police, regulatory bodies or legal advisors.
We will only ever share your data in other circumstances if we have your explicit and informed consent.
Understanding the detail of our data security measures
When we process your data, we will have already carefully assessed the lawful justification for doing so, the parameters in which the data is processed, the length of time the data is held for, the secure storage of your data and undertaken impact assessments to ensure your rights are delivered.
The Students’ Union operates a Data Protection and Information Security Policy which is supported by a practical handbook for our employees and volunteers. All employees handling data are required to undertake general data protection training and third-parties handling data are required to provide a contract which meets the requirements of the Information Commission’s Office.
Your right to know what data we hold about you, make changes or ask us to stop using your data
Data protection laws, and in particular the UK GDPR, gives individuals greater control over their personal data. We have an obligation to enable and facilitate the exercise of data subject’s rights, relating to:
• right to be informed
• right of access
• right to rectification
• right to erasure
• right to restrict processing
• right to data portability
• right to object
• rights related to automated decision-making, including profiling
We will consider requests relating to any of the rights listed above in accordance with all relevant and applicable data protection laws and regulations.
If you want to access your information, you should aim to complete a Subject Access Request Form with a description of the information you want to see and the required proof of your identity, by post, to Bucks Students’ Union, Queen
Alexandra Road, High Wycombe, Buckinghamshire, HP11 2JZ or in person with the Data Protection Officer. Although you can request access to your data in several ways, we will still need to you to verify your identity to ensure we are releasing data that we hold on you to the correct person.
It is preferred that requests to any other rights, including the rectification of personal data that we hold on you, is made in writing to ensure that we maintain accuracy in the data we hold on you.
If you have any questions, or if you would like to exercise your rights on any data that we hold on you, please send them to sudataprotection@bnu.ac.uk. For further information see the Information Commissioner’s Office –guidance document
Changes to this statement
We may change this privacy statement from time to time. If we make any significant changes in the way we treat your personal information then we will make this clear on our website or by contacting you directly.
If you have any questions, comments or suggestions, please let us know by contacting sudataprotection@bnu.ac.uk.