Member data policy

Aims

The LGBTQ+ Society has a responsibility to protect the privacy of its members, whilst also ensuring that its members’ safety is protected. In the event of an emergency, it is important that members can be easily identified by authorised users, such that appropriate safeguarding procedures can be put in place. However, at all other times, and by all other people, it is extremely important that data cannot be easily accessed.

Whilst completely removing risk is never possible, the LGBTQ+ Society wishes to ensure that the risk presented to members’ personal information is as limited as possible. We do this by not only complying with but exceeding the core principles of the European Union’s General Data Protection Regulation:

This policy sets out what data we collect, why we collect it, how we store it, who has access to it, and when they have access to it.

Who we are

The LGBTQ+ Society is a part of the University of Southampton Students’ Union (which we’ll call SUSU, or the Students’ Union, from here). As such, we aren’t a data controller, strictly speaking: rather, the Union as a whole is, of which we are a part.

That notwithstanding, we handle our data a bit differently to many other parts of SUSU – indeed, we keep it separate from them altogether. This is because we recognise just how important it is that we keep your information safe: we might be handling data that’s very important to keep private.

If you need to get in touch with us about our data use, we’d prefer that you contacted us directly in the first instance. However, you can also contact SUSU’s Data Protection Officer, who will be able to forward your enquiry on.

When do we process data?

As you’d expect, we’ll only process your personal information when the law allows us to. Most commonly, we’ll process your personal information in the following circumstances:

  1. When you actively consent to us using your personal information. This means what it says on the tin – we tell you what we’re doing with your data, and you say ‘yes!’ to us using your data like that.

  2. Where it is necessary for either our legitimate interests, or the legitimate interests of someone else, and your interests and fundamental rights do not override those interests. That means we can use your data in a way you’d reasonably expect us to, where it’s necessary to advance our goals.

  3. Where we need to perform a contract we have entered into with you. This could be a written contract, but it doesn’t need to be – any contract that exists between you and the Society could involve some data processing.

It’ll probably be less common, but we might also process your personal information in some other situations:

  1. Where we need to protect your vital interests (or someone else's interests). This is most likely to apply in the case of a safeguarding incident, where we need to process data to make sure people are okay.

  2. Where we need to comply with a legal obligation. We’d hope this would be rare, but if a court requires us to produce data, we’d need to do it.

  3. Where it’s needed in the public interest or for official purposes, set out in legislation. This is likely to be the rarest of all the reasons.

If we’re processing your data because you consented to the processing, you can withdraw that consent any time you like. Just let us know by emailing lgbt@soton.ac.uk.

What data are we collecting, and why? How do we collect it?

Depending on when, why and how you interact with us, we might collect different types of information from you. The information we collect will often include the following:

What the data is Why we collect it How we collect it

University of Southampton email addresses corresponding to each student member

  1. In the event of a safeguarding incident occurring, to allow for members to be identified, and appropriate referrals to be made or authorities informed if necessary.

  2. To allow the Society’s democratic processes to take place – e.g. to facilitate the sending, processing and secure management of ballots for officer elections.

When you sign in to our services with your University of Southampton account, we’ll save this information.

A unique identifier tied to each member’s University of Southampton Microsoft 365 account

  1. To facilitate signing in using University credentials, verifying an account, and securely accessing the Society’s online services.

  2. To verify that members are University of Southampton students upon admission to our member-only online spaces.

An indicator of whether a member is an undergraduate, postgraduate researcher, postgraduate taught student or alumnus

To verify that members are University of Southampton students upon admission to our member-only online spaces.

An identifier linked to the member’s Discord account, for each member who chooses to join our Discord server

To link social media profiles to the rest of the data we store in our database, so that we can appropriately respond to safeguarding incidents if we need to.

When you verify your Discord account with us, we’ll collect this information from Discord.

An identifier linked to the member’s Facebook account, for each member who chooses to join our Facebook group(s)

When you sign in to our services with Facebook, or join our Facebook group(s), we’ll collect this information from you or from Facebook.


If we need to collect more data from you, we’ll let you know what data we’re collecting – either at the time if we collect it from you, or soon afterwards if we collect it from someone else, in accordance with article 14 GDPR. We won’t store more data about you than we strictly need to.

How do we store the data we collect?

In line with the principles set out in the GDPR, and in reflection of the importance of protecting the data that we hold, which may at times be sensitive, we take many steps to protect your data. The key point of this is that even if someone got access to our database, they wouldn’t be able to find your information.

All the data mentioned above that we store about you, other than the indicator of what sort of member you are, is stored only after being put through a one-way hashing algorithm. This means that we can check whether a single person is registered, but we don’t keep a list of our members that could even hypothetically be compromised. We do keep a reversibly-encrypted version of your email address against your profile, too, so that we can take safeguarding action if we need to, but decrypting it requires multiple members of the committee acting together – so it’s as safe as it can be from being exposed.

You can find an example of what your record in our databases might look like below:

One-way encrypted email

Reversibly encrypted email

One-way encrypted Microsoft 365 identifier

One-way encrypted Discord identifier

One-way encrypted Facebook identifier

UG/PGR/PGT/Alumni indicator
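
The sketch below is an added example, not the Society’s own code. It shows how a record with the fields above can answer "is this one person registered?" without holding a readable member list, and how a decryption key can be split so that every holder must take part. It assumes a keyed hash (HMAC-SHA-256, with the key kept outside the database) and an all-holders XOR split; the policy names neither, and the function names, field names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from functools import reduce

def blind_index(value: str, key: bytes) -> str:
    """Keyed one-way digest: one identifier can be tested, none can be listed."""
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()

def make_record(key, email, m365_id, member_type, discord_id=None, facebook_id=None):
    """Build one row; optional links a member never made stay None."""
    def digest(v):
        return None if v is None else blind_index(v, key)
    return {
        "email_hash": digest(email),
        "m365_hash": digest(m365_id),
        "discord_hash": digest(discord_id),
        "facebook_hash": digest(facebook_id),
        "member_type": member_type,  # the only field kept in the clear
    }

def is_member(rows, key, email) -> bool:
    """Recompute the digest for one address and look for it in the table."""
    target = blind_index(email, key)
    return any(hmac.compare_digest(r["email_hash"], target) for r in rows)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def split_key(key: bytes, holders: int) -> list:
    """Split a key so that every holder's share is needed to rebuild it."""
    shares = [secrets.token_bytes(len(key)) for _ in range(holders - 1)]
    return shares + [reduce(_xor, shares, key)]

def combine(shares) -> bytes:
    """XOR all shares together; a missing share yields unrelated bytes."""
    return reduce(_xor, shares)

if __name__ == "__main__":
    index_key = secrets.token_bytes(32)  # assumption: held outside the database
    rows = [make_record(index_key, "ab1g21@example.org", "constructed-id-1", "UG")]
    print(is_member(rows, index_key, "AB1G21@example.org"))
    email_key_shares = split_key(secrets.token_bytes(32), holders=3)
    print(len(email_key_shares))
```

A keyed hash is assumed here because university email addresses follow a predictable pattern, so an unkeyed digest could be tested against guessed addresses by anyone holding a copy of the database.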


It’s important to note that, whilst we operate, for instance, the Discord server and Facebook group, the messages you post on any such platforms are controlled by those companies, regardless of whether or not they’re on forums we endorse. We may curate or moderate the messages, but won’t normally store them ourselves. If you’d like to learn more about how they handle your data, you should consult their privacy policies.

In certain circumstances – for instance, if a welfare issue involves you, or if it’s necessary to protect someone – we might store and process information about you in a different way. This could involve storing data that’s unencrypted and accessible to committee members, University staff, or the Students’ Union. Where this happens, any information that identifies you will be removed from unencrypted storage as soon as is practically possible given the situation, unless agreed otherwise with you.

How long do we store the data we collect?

We’ll store the data we hold about you for the duration of the September to September academic year in which you’re a member of the Society. At the end of each year, we erase our database and start fresh. Of course, if you’d like to continue being a member, and you’re still a student, you’ll be able to.

If you’re an alumnus, we’ll store your information for as long as you continue to be registered as an alumnus member. You can ask us to remove your information at any time by email to lgbt@soton.ac.uk.

Who else do we work with to deliver our services?

Hosting

Our hosting provider, Dreamhost, manages our database and some of our other infrastructure. They don’t have the keys to decrypt the information held in our database, and are responsible for processing data, but not for managing it or deciding what to do with it.

Social media providers

Part of our online activities may take place through social media platforms like Facebook, Discord, Snapchat or others. We won’t usually share any information about you ourselves with them, but you should be aware that the information you send using their platforms may be recorded and used by that platform, in line with their own privacy policies.

SUSU

As a part of the Students’ Union, parts of our provision are coordinated with the rest of the Union. This means that other parts of the Union may occasionally process your data. For example, in case of a safeguarding concern, we might work with staff at the Union to safeguard our members. Or, when we run in-person events that involve significant risks, we might need to share the names of the members who are attending with the Union so that they can be recorded for insurance purposes.

Whenever we share this information with the rest of the Union, we’ll only share the absolute minimum amount of information which is necessary for the task we’re trying to accomplish. This means, for instance, we’ll try and avoid leaving any record of your name associated with the Society where possible. However, this may not always be operationally possible. We’ll aim to let you know whenever we have to share this information, although there might be some cases where it’s not possible to do so – for instance, if we’re dealing with an urgent safeguarding incident.

Who do we share the data we collect with?

Under normal circumstances, we don’t share the data we collect with anyone apart from those we work with to deliver our services, as explained above.

What data protection rights do members have?

Under data protection law, you have rights including:

You aren’t required to pay any charge for exercising your rights, unless your request is clearly unfounded or excessive. If you make a request, we have one month to respond to you. We might need to ask you for some information to confirm your identity before we process your request – this just makes sure we don’t give your data out to someone else.

It’s worth noting that, due to the technical safeguards we have in place to protect your data, we might not be able to provide you with some data, as we don’t store it in a retrievable form. For instance, whilst we could tell you if a social media account was linked to your Society profile, we wouldn’t be able to tell you what ID we had stored for you, as it’s not technically possible for us to retrieve that information from our database.

Please contact us at lgbt@soton.ac.uk if you’d like to make a request.

How can I complain?

If you have any concerns about our use of your personal information, you can make a complaint to us at lgbt@soton.ac.uk.

You can also complain to the Information Commissioner’s Office if you are unhappy with how we have used your data. You can write to them at the address below:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

You can also call the ICO helpline on 0303 123 1113, or visit the ICO website at https://www.ico.org.uk.


This policy was last updated on 18 September 2021.
