Data Protection Policy

June 7, 2022

Policy prepared by: Mark Johnson, Operations Manager

Version: 3.0

Policy became operational on: 13/11/2025

Next review date: 13/11/2027

 

Table of Contents

INTRODUCTION

PURPOSE OF THIS POLICY

SCOPE OF THIS POLICY

RESPONSIBILITIES

UK AND EU GDPR CONTEXT AND DEFINITIONS

TRAINING

COMPLIANCE

USING AI

SECURITY

RETENTION AND DISPOSAL OF DATA

DISCLOSURE OF DATA

DOCUMENT HISTORY

 

INTRODUCTION

 

This policy applies to the University of Exeter Students’ Guild (“the Guild” or “Guild”), which is a registered company in England and Wales under registration number 07217324 with a registered office at Devonshire House, Stocker Road, Exeter, EX4 4PZ. The Guild is the ‘Controller’ or sometimes the ‘Processor’ of the personal information it processes.

The University of Exeter Students’ Guild is committed to the protection of the personal data of the people with whom it deals. This includes current, past, and prospective employees, students of the University of Exeter (who are automatically members of the Guild) and others with whom it communicates. This personal data must be dealt with properly, however it is collected, recorded, and used.

PURPOSE OF THIS POLICY

 

The purpose of this policy is to set out how the Guild handles personal data. This policy should be read at induction, and updates circulated as and when necessary.

This document sets out the Guild’s obligations regarding data protection and the rights of the people with whom it works in respect of their personal data under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 and other applicable laws. It also applies to non-UK laws, such as the EU General Data Protection Regulation, which might apply in certain circumstances. These and all other applicable laws are collectively referred to as ‘Applicable Laws’ in this policy.

SCOPE OF THIS POLICY

 

The Students’ Guild is a data controller under the UK GDPR. It may also be a data processor in some situations.

This policy applies to all the Guild’s personal data processing functions, including those performed on students, employees, contractors, the University of Exeter, and any other personal data the organisation processes from any source.

This policy covers all aspects of handling information, including (but not limited to):

·  Structured record systems – paper and electronic.

·  Transmission of information – email, cloud sharing, post, and telephone.

·  Information systems managed and/or developed by or used by the Guild, e.g. our student membership systems.

 

RESPONSIBILITIES

 

Students’ Guild Career Staff

The Guild holds various items of personal data about its employees, which are detailed in the relevant privacy notice at https://www.exeterguild.com/privacy. Employees must ensure that all personal data provided to the Guild in the course of employment is accurate and up to date.

During day-to-day working, it is likely that staff will process personal data. Prior to handling any data, staff are required to have completed the data protection training course, which covers UK GDPR and Cyber Security. In addition, staff must maintain a current knowledge of data processing best practice through training updates delivered by the Operations Manager. When handling personal data, staff are required to follow the guidance set out in the data protection and information security policies.

Students’ / Casual Staff

Society committee members, representatives, volunteers and student staff may handle personal data to administer their activities and services. Students handling such data are required to have completed the Guild’s Data Protection training before receiving permission to handle any personal data related to Students’ Guild activities and services. When handling personal data, students are required to follow the guidance set out in the data protection and information security policies, including the reporting of data breaches, respecting the rights of individuals and secure processing procedures. Details of the training can be found at www.exeterguild.com/privacy.

Students’ Guild Managers

Guild managers must ensure that staff handling data in their roles have completed the appropriate training, are processing data within the agreed frameworks and are following the guidance set out in the data protection and information security policies. Managers are also required to conduct termly audits of their relevant spaces and processing activity to identify weaknesses in information security.

 

Data Privacy Guardian

The role of Data Privacy Guardian (DPG) is held by the Guild’s Operations Manager, who oversees day-to-day data protection activity. All matters regarding personal data that require escalation will be dealt with internally by the Data Privacy Guardian in the first instance.

Other responsibilities are:

·  Being the first point of contact for reporting data breaches or any other data incidents

·  Receiving and processing data subject access requests

·  Liaising with the appointed DPO for support and guidance to ensure compliance

·  Reporting the organisation’s Operational Compliance Dashboard to the Finance & Risk Committee

·  Ensuring the organisation is sufficiently trained in Data Protection

·  Reporting all Data Protection activity and risk to SLT and trustee subcommittee level

·  Liaising with the University’s information governance team for alignment

·  Ensuring there is a sufficient SLA with an external consultant who can deliver the DPO role

 

Data Privacy Guardian’s contact details

Operations Manager

University of Exeter Students’ Guild

Devonshire House

Stocker Road

Exeter

EX4 4PZ

data-protection@exeterguild.com

 

Data Protection Officer

The Data Protection Officer (DPO) role is provided by an external consultancy. The DPO is delegated authority by the Chief Executive to carry out the role, with the resources required to be effective in the protection and security of the personal data the organisation handles.

The DPO is responsible for:

·  Informing and advising the organisation and its employees about their obligations to comply with the UK GDPR and other data protection laws

·  Monitoring compliance with the UK GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits

·  Being the first point of contact for supervisory authorities

·  Overseeing the DPG when handling data subject requests, to ensure compliance at all times

 

 

Data Protection Officer’s contact details

Data Protection Officer

Data Privacy Advisory Service

Unit 14,

Dunchideock Barton,

Dunchideock,

Exeter,

Devon.

EX2 9UA

dpo@dataprivacyadvisory.com

UK AND EU GDPR CONTEXT AND DEFINITIONS

 

The UK General Data Protection Regulation (UK GDPR) is the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (EU GDPR). The UK GDPR is the UK’s privacy law that governs the processing of personal data within the UK.

TRAINING

 

All Guild staff, whether student or career staff, are required to complete Data Protection training. Our data protection training covers all aspects of Data Protection and Cyber Security, from the UK GDPR and the Data Protection Act 2018 to Cyber Security good practice, including how to spot, deal with and report cyber threats of varying types. Staff must complete this training before commencing in their role at the Guild. The Guild also runs frequent cyber attack simulations to test the organisation’s posture when facing threats of that nature.

COMPLIANCE

 

Respecting Individuals’ Rights

The General Data Protection Regulation sets out a series of rights for individuals. Guild employees planning data processing activities must record how these rights are addressed. The data protection and information security handbook details these rights and the organisation’s standardised processes for meeting them.

Processing Special Categories of Data

The Students’ Guild processes special categories of data. The Guild ensures this data is collected lawfully. This data may be analysed in broad terms where no direct link to an individual can be made.

 

Subject Access Requests

The Subject Access Request policy details the procedures for how subject access requests must be handled. Any individual or department receiving a Subject Access Request must share it with the Data Protection Guardian immediately. The DPG shall respond to the request promptly and aim to fulfil it without delay, and at the latest within one calendar month of receipt.

Lawful Data Processing

The Students’ Guild shall only process data within the law. Where a lawful process has been identified, the Data Protection Guardian must make a record of the lawful justification within the privacy notice.

 

Children

The Guild ensures it applies stronger safeguards to data belonging to those under the age of 18. This includes:

·  Only collecting the data necessary and minimising its retention period.

·  Conducting DPIAs where necessary.

·  Ensuring additional technical measures are in place to provide tighter security for this data.

·  Limiting any marketing.

Any student volunteer working with children will be required to undertake and pass a DBS check.

 

DBS Checks

The Students’ Guild handles personal data when facilitating the Disclosure and Barring Service application process. This is done securely and in line with the DBS’s code of practice. The Students’ Guild will keep a record of applications (name and application reference number) for compliance purposes and will only retain them in accordance with the Guild’s data retention policy.

 

Data Breaches

The Students’ Guild shall adopt processes to detect data breaches, including audits and other appropriate processes. Career and student staff shall report data breaches as outlined in Data Protection Training and via the Operations page of the Guild Hub.

Where an employee, casual staff member, supplier or contractor discovers a data breach, they must report it to the Data Protection Guardian within 24 hours. The Information Commissioner’s Office shall be notified within 72 hours of the breach where it is likely there is a risk to the rights and freedoms of individuals. Where there is a high risk to the rights and freedoms of individuals, those individuals shall also be notified directly. The reporting procedures are detailed in the data protection training and on the Operations page of the Guild Hub.

Data Protection by Design

Employees are required to adopt a privacy by design approach to everyday activities. In addition, when planning projects that involve the collection and processing of personal data, a Data Privacy Impact Assessment (DPIA) must be completed. This will be reviewed by the DPG in the first instance and escalated to the DPO if necessary. Details of how to conduct DPIAs are on the Operations page of the Guild Hub.

 

USING AI

 

Artificial Intelligence (AI), especially Generative AI, is becoming a valuable tool in how we work, communicate, and create. As part of our commitment to transparency and responsible data use, this section explains how we use AI in ways that protect personal information and respect individual rights.

Whether it's helping summarise information or generate content, we ensure that any data used with AI tools is handled carefully, with privacy and fairness in mind. We avoid using sensitive or special category data (e.g., health, ethnicity, political views), only use tools that have undergone a Data Privacy Impact Assessment (DPIA), and always include human oversight in decisions that affect people. This helps us stay open, inclusive, and aligned with our values while keeping data safe.

We do not use AI to make fully automated decisions that have legal or significant effects on individuals without meaningful human involvement.


Responsible Use of AI

• Guild staff are encouraged to explore and use AI tools to enhance their work. When doing so, please avoid including personal or sensitive company data. This helps maintain strong data security and ensures compliance with our policies.
• Special category data relating to individuals must not be input into Generative AI tools. Identifiers should be removed before use.
• Guidance around responsible AI use will be provided as part of Cyber Security training.
• Generative AI tools must have undergone a DPIA before business use.
• If AI tools are used to process personal data (e.g., summarising interviews or analysing feedback), informed consent must be obtained.
• Where third-party data is involved, ownership and usage rights must be clarified and documented in the DPIA.
• We regularly review the AI tools we use to ensure they remain compliant, secure, and aligned with our values.

 

Types of AI Tools in the Workplace

1. Integrated AI Assistants (e.g., Microsoft Copilot)
   • Embedded in tools like Word, Excel, Outlook, and Teams
   • Designed for productivity: summarising content, drafting emails, analysing data
   • Comes with enterprise-grade privacy and security controls

2. Other Generative AI Chatbots (e.g., ChatGPT, Gemini)
   • Used for brainstorming, drafting, summarising, and answering questions
   • May be web-based and vary in terms of data privacy and retention
   • Requires careful consideration before inputting data to ensure it is not sensitive

3. AI-Powered Search and Knowledge Tools
   • Combine search engine capabilities with generative responses
   • Useful for research, quick answers, and summarising web content
   • Often connected to the internet, so data input should be non-sensitive

4. Specialised AI Tools
   • Focused on specific tasks like writing enhancement, transcription, video creation, or image manipulation
   • The Guild may use other AI models behind the scenes, but these are task-specific

 

SECURITY

 

All employees are responsible for ensuring that any personal data the Guild holds is kept securely and is not disclosed to a third party unless that third party has been specifically authorised by the Guild to receive that information and has entered into a confidentiality agreement by way of a contractual Data Processing Agreement.

All personal data should be treated with the highest security and must be kept in accordance with all policies relating to the security of personal data.

Final approval of any policies relating to the security of personal data is made by the Finance & Risk Committee.

Communication of this policy to those affected is the responsibility of the DPO.

Compliance and oversight are managed by the DPG, in consultation with the Finance & Risk Committee and the DPO.

 

Data must be secured:

·  In a lockable room with controlled access.

·  In a locked drawer or filing cabinet.

·  If computerised, password protected or protected with access control in line with the Cyber Security Policy.

·  If stored on (removable) computer media, encrypted in line with the Cyber Security Policy.

All staff are required to have undertaken an in-person ICT induction and signed the corresponding documentation. This induction covers aspects of the Computer Misuse Act 1990, acceptable use of hardware and guidance on what to do when faced with cyber security and data protection incidents / breaches. This must have been completed before they are given access to organisational information of any sort.

Manual records may not be left where they can be accessed by unauthorised personnel and may not be removed from business premises without explicit written authorisation.

Personal data may only be deleted or disposed of in line with secure destruction and deletion policies and procedures. For example, manual records that have reached their retention date are to be shredded and disposed of as ‘confidential waste’. Hard drives of redundant PCs are to be removed and immediately and securely destroyed before disposal.

RETENTION AND DISPOSAL OF DATA

 

The Guild shall keep personal data in a form that permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed.

The Guild may store data for longer periods if the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the implementation of appropriate technical and organisational measures to safeguard the rights and freedoms of the data subject.

The retention period for each category of personal data will be set out in the Retention Schedule within the Data Retention Policy, along with the criteria used to determine this period, including any statutory obligations the Guild has to retain the data.

DISCLOSURE OF DATA

 

All personal data should be accessible only to those who need to use it.

The Students’ Guild must ensure that personal data is not disclosed to unauthorised third parties, which includes family members, friends, government bodies, and in certain circumstances, the Police. All staff should exercise caution when asked to disclose personal data held on another individual to a third party. It is important to bear in mind whether or not disclosure of the information is relevant to, and necessary for, the conduct of the Guild’s business.

 

POLICY REVIEW

 

This policy will be reviewed every two years or when a significant change to the policy occurs. This is tracked via the Guild’s Policy Review Framework. All policies will be approved by the Trustees and the Senior Leadership Team.

DOCUMENT HISTORY

Date          Version    Created by
Pre 2015      1.0        Edmund Philips
25/05/2018    2.0        Mark Johnson
12/05/2021    2.1        Mark Johnson
22/10/2025    3.0        Mark Johnson