Please also note our Union wide Data Protection Policy (available at www.sunderlandsu.co.uk/dataprotection)
Our basis for retaining information
From the moment you approach Sunderland Students’ Union for advice, there is information we may collect and retain. It is up to you to decide what you share with us.
We collect data under the following conditions and lawful basis of GDPR.
- Personal information, including your name, date of birth, address, phone number and academic details.
- Personal information is kept for contractual1 reasons in order to provide ongoing and personalised support as well as to note issues from any previous case you may have had with us. Academic details may also affect the advice given, for instance if your course is subject to a professional regulatory body.
- During the life of the case(s), you may disclose information, which due to legitimate interest2 is retained by us for quality assurance; to ensure the advice we are giving is accurate and proportional.
- Special Category Data;
Sensitive information related to your racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sexuality or sex life, offences or convictions.
- If you inform us of health issues or a disability, Sunderland Students’ Union will seek to make reasonable adjustments. Information pertaining to health and disability may be kept to ensure Sunderland Students’ Union carries out any obligations3 of legal compliance4 with the Equality Act (2010).
- During the life of the case(s), you may disclose special category information, which may affect the advice given. Such data will be retained in the course of our legitimate activities5, specifically in advising current or former members6, as a not-for-profit body. For example disclosure regarding health issues may result in specific and nuanced advice regarding extenuating circumstances. In such cases we also note our legitimate interest2 in quality assurance; to ensure the advice we are giving is accurate and proportional.
- We may send feedback questionnaires (print or digital) that ask optional questions about special category data and is held anonymously and not connected to your case file.
1. article 6 1.(b) -Regulation (EU) 2016/679 of the European Parliament and of the Council, 2016
2. article 6 1.(f) -Regulation (EU) 2016/679 of the European Parliament and of the Council, 2016
3. article 9 2.(b) -Regulation (EU) 2016/679 of the European Parliament and of the Council, 2016
4. article 6 1.(c) -Regulation (EU) 2016/679 of the European Parliament and of the Council, 2016
5. article 9 2.(d) -Regulation (EU) 2016/679 of the European Parliament and of the Council, 2016
6. key constitutional provisions 2.1, Memorandum and Articles of Association of University of Sunderland Students’ Union
Right to access Data
At any time you may request a copy of your case file(s), provided that disclosure does not compromise the privacy of another party, extracted from our case management system; Advice pro. Such requests should be made to email@example.com.
At any time you may access a copy of personal data held by simply book it, the appointment booking system, by clicking “My personal data” found at the bottom of the https://ussuadvice.simplybook.it webpage.
The right to erasure/Automatic deletion of records
We want you to be comfortable about the data that we hold about you and we provide the facility for you to request the deletion or removal of your personal data where there is no compelling reason for its continued processing. Requests should be made to firstname.lastname@example.org.
We anonymise your data 7 years after last contact. These records are used for statistical purposes. Anonymised records will be held indefinitely. For the avoidance of doubt, anonymised records may retain academic details and details regarding processes and their outcomes (where possible and where it does not identify individuals) – however all case notes and personal data are removed.
Data Storage and external processing
If you book appointments via the online booking system (Simply Book it), you are required to agree to our terms and conditions which encompasses this privacy statement, as well as agree to the terms and conditions for Simply Book it.
If you book appointments to access support via whatsApp Ireland Limited you are required to agree to the terms and conditions of whatsApp when downloading and accessing the app/service. Devices used to support whatsApp or telephone appointments may retain basic informaiton; details stored on the ‘advice phone’ will be limited to client name, case number and telephone number from our end (although you may share via chat or via your phone settings other information at your own risk including email addresses etc)
WhatsApp Inc. has certified to the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework with the U.S. Department of Commerce regarding the collection and processing of personal data from our business partners in the European Union and Switzerland (Partners) in connection with the products and services described in our Privacy Shield Notice (Partner Services). WhatsApp processes the personal data provided by our Partners to provide Partner Services in accordance with the terms applicable to the relevant Partner Service and otherwise with the Partners' instructions. https://www.privacyshield.gov/participant?id=a2zt0000000TSnwAAG&status=Active
Our case files are kept on a secure electronic case recording system called AdvicePro. Any written notes or physical documents are scanned to AdvicePro at the earliest opportunity and then disposed of via confidential waste bins or shredded. We do still store Client Consent Forms in a locked filing cabinet for any client’s pre 2016. These are stored for a period of seven years from the end of the academic year in which the data is created.
Authority to Act on your behalf
We seek your explicit authority at the point of booking online, to liaise with relevant third parties, such as the university, regarding your issue and for copies of paperwork pertaining to your case.
There is no breach of confidentiality if you have given permission for caseworkers to contact a third party on your behalf. We’ll include a copy of our Authority to Act Form in all written communications with third parties. We’ll support you to give verbal authority to act in telephone conversations where you and the caseworker are present in the same room together.
In some cases we may need to seek specialist advice from another agency such as the National Housing Advice Service (NHAS) or a solicitor, for example, and it may be necessary to give them specific personal details, such as age or ethnic identity or gender. We will inform you of this in advance.
Any information that you disclose to us will remain confidential unless a need arises to breach your confidentiality, usually if we believe that there is a significant risk of harm to you or to others as outlined in the safeguarding policy. If the need ever arises to break confidentiality, information will only be discussed/ shared on a need to know basis and we will seek to talk to you about this first wherever possible. In exceptional circumstances, we may disclose information without your consent, where in our professional judgement, exceptional circumstances apply or it is in your best interests for us to do so.
There are some instances where we have a statutory obligation to share your data. These are instances that are set out in Acts of Parliament or by a Court of Law. They may include criminal and terrorist activity, adult and child protection concerns, conflict of interest, or if we believe there is a substantial threat to life/harm of you or another person. We may also share your data with the University of Sunderland if we believe there is a safeguarding concern involving you or a third party.
Information regarding how we respond to criminal matters in regards to confidentiality is outlined in our Handling Criminal Issues Policy.
There is no breach of confidentiality for members of Sunderland Students’ Union staff who give advice, and who are named in these terms and conditions, to discuss cases or share information amongst ourselves. This is because you’re a client of Sunderland Students’ Union’s advice service, and not an individual caseworker. There may be some cases where colleagues in other advice services provide additional case support, but this will be discussed with you in advance.
How we manage unauthorised breaches of confidentiality
If a caseworker discovers an unauthorised breach of confidentiality they should inform their line manager immediately; who will seek support as to the potential consequences and the best method to mitigate them from Advice UK or the insurers.
Unauthorised breaches of confidentiality can be accidental - letters sent to the wrong address or email address, for example, but nevertheless any such breach should still be discussed between the caseworker and line manager, who should reflect on how the breach arose and how to avoid any repetition in the future. Persistent accidental breaches of confidentiality due to carelessness or a lack of appreciation of the required standards will be potentially considered a capability issue and the matter will be addressed appropriately in line with our performance management process.
Where confidentiality has been breached wilfully or maliciously or if a caseworker has repeatedly breached confidentiality despite previous disciplinary action a formal investigation will be carried out and disciplinary action may be required. Such breaches of confidentiality are likely to be considered gross misconduct.
Where confidentiality is breached and a complaint ensues Sunderland Students’ Union will be in a position of conflict of interest if it continues to provide advice to the client, and must withdraw the service.