Member data policy


The LGBTQ+ Society has a responsibility to protect the privacy of its members, whilst also ensuring that its members’ safety is protected. In the event of an emergency, it is important that members can be easily identified by authorised users, such that appropriate safeguarding procedures can be put in place. However, at all other times, and by all other people, it is extremely important that data cannot be easily accessed.

Whilst completely removing risk is never possible, the LGBTQ+ Society wishes to ensure that the risk presented to members’ personal information is as limited as possible. We do this by not only complying with but exceeding the core principles of the European Union’s General Data Protection Regulation:

This policy sets out what data we collect, why we collect it, how we store it, who has access to it, and when they have access to it.

Who we are

The LGBTQ+ Society is a part of the University of Southampton Students’ Union (which we’ll call SUSU, or the Students’ Union, from here). As such, we aren’t a data controller, strictly speaking: rather, the Union as a whole is, of which we are a part.

That notwithstanding, we handle our data a bit differently to many other parts of SUSU – indeed, we keep it separate from them altogether. This is because we recognise just how important it is that we keep your information safe: we might be handling data that’s very important to keep private.

If you need to get in touch with us about our data use, we’d prefer that you contacted us directly in the first instance. However, you can also contact SUSU’s Data Protection Officer, who will be able to forward your enquiry on.

When do we process data?

As you’d expect, we’ll only process your personal information when the law allows us to. Most commonly, we’ll process your personal information in the following circumstances:

  1. When you actively consent to us using your personal information. This means what it says on the tin – we tell you what we’re doing with your data, and you say ‘yes!’ to us using your data like that.

  2. Where it is necessary for either our legitimate interests, or the legitimate interests of someone else, and your interests and fundamental rights do not override those interests. That means we can use your data in a way you’d reasonably expect us to, where it’s necessary to advance our goals.

  3. Where we need to perform a contract we have entered into with you. This could be a written contract, but it doesn’t need to be – any contract that exists between you and the Society could involve some data processing.

It’ll probably be less common, but we might also process your personal information in some other situations:

  1. Where we need to protect your vital interests (or someone else's interests). This is most likely to apply in the case of a safeguarding incident, where we need to process data to make sure people are okay.

  2. Where we need to comply with a legal obligation. We’d hope this would be rare, but if a court requires us to produce data, we’d need to do it.

  3. Where it’s needed in the public interest or for official purposes, set out in legislation. This is likely to be the rarest of all the reasons.

If we’re processing your data because you consented to the processing, you can withdraw that consent any time you like. Just let us know by emailing

What data are we collecting, and why? How do we collect it?

Depending on when, why and how you interact with us, we might collect different types of information from you. The information we collect will often include the following:

What the data is Why we collect it How we collect it

University of Southampton email addresses correspondent to each student member

  1. In the event of a safeguarding incident occurring, to allow for members to be identified, and appropriate referrals to be made or authorities informed if necessary.

  2. To allow the Society’s democratic processes to take place – e.g. to facilitate the sending, processing and secure management of ballots for officer elections.

When you sign in to our services with your University of Southampton account, we’ll save this information.

A unique identifier tied to each member’s University of Southampton Microsoft 365 account

  1. To facilitate signing in using University credentials, verifying an account, and securely accessing the Society’s online services.

  2. To verify that members are University of Southampton students upon admission to our member-only online spaces.

An indicator of whether a member is an undergraduate, postgraduate researcher, postgraduate taught student or alumni

To verify that members are University of Southampton students upon admission to our member-only online spaces.

An identifier linked to the member’s Discord account, for each member who chooses to join our Discord server

To link social media profiles to the rest of the data we store in our database, so that we can appropriately respond to safeguarding incidents if we need to.

When you verify your Discord account with us, we’ll collect this information from Discord.

An identifier linked to the member’s Facebook account, for each member who chooses to join our Facebook group(s)

When you sign in to our services with Facebook, or join our Facebook group(s), we’ll collect this information from you or from Facebook.

If we need to collect more data from you, we’ll let you know what data we’re collecting – either at the time if we collect it from you, or soon afterwards if we collect it from someone else, in accordance with article 14 GDPR. We won’t store more data about you than we strictly need to.

How do we store the data we collect?

In line with the principles set out in the GDPR, and in reflection of the importance of protecting the data that we hold, which may at times be sensitive, we take many steps to protect your data. The key point of this is that even if someone got access to our database, they wouldn’t be able to find your information.

All the data mentioned above that we store about you, other than the indicator of what sort of member you are, is stored having been encrypted using a one-way hashing algorithm. This means that we can check whether a single person is registered, but we don’t keep a list of our members that could even hypothetically be compromised. We do keep a reversibly-encrypted version of your email address against your profile, too, so that we can take safeguarding action if we need to, but that requires multiple members of the committee acting together to decrypt – so it’s as safe as it can be from being exposed.

You can find an example of what your record in our databases might look like below:

One-way encrypted email

Reversibly encrypted email

One-way encrypted Microsoft 365 identifier

One-way encrypted Discord identifier

One-way encrypted Facebook identifier

UG/PGR/PGT/Alumni indicator

It’s important to note that, whilst we operate, for instance, the Discord server and Facebook group, the messages you post on any such platforms are controlled by those companies, regardless of whether or not they’re on forums we endorse. We may curate or moderate the messages, but won’t normally store them ourselves. If you’d like to learn more about how they handle your data, you should consult their privacy policies.

In certain circumstances – for instance, if a welfare issue involves you, or if it’s necessary to protect someone – we might store and process information about you in a different way. This could involve storing data that’s unencrypted and accessible to committee members, University staff, or the Students’ Union. Where this happens, any information that identifies you will be removed from unencrypted storage as soon as is practically possible given the situation, unless agreed otherwise with you.

How long do we store the data we collect?

We’ll store the data we hold about you for the duration of the September to September academic year in which you’re a member of the Society. At the end of each year, we erase our database and start fresh. Of course, if you’d like to continue being a member, and you’re still a student, you’ll be able to.

If you’re an alumnus, we’ll store your information for as long as you continue to be registered as an alumnus member. You can ask us to remove your information at any time by email to

Who else do we work with to deliver our services?


Our hosting provider, Dreamhost, manages our database and some of our other infrastructure. They don’t have the keys to decrypt the information held in our database, and are responsible for processing data, but not for managing it or deciding what to do with it.

Social media providers

Part of our online activities may take place through social media platforms like Facebook, Discord, Snapchat or others. We won’t usually share any information about you ourselves with them, but you should be aware that the information you send using their platforms may be recorded and used by that platform, in line with their own privacy policies.


As a part of the Students’ Union, parts of our provision are coordinated with the rest of the Union. This means that other parts of the Union may occasionally process your data. For example, in case of a safeguarding concern, we might work with staff at the Union to safeguard our members. Or, when we run in-person events that involve significant risks, we might need to share the names of the members who are attending with the Union so that they can be recorded for insurance purposes.

Whenever we share this information with the rest of the Union, we’ll only share the absolute minimum amount of information which is necessary for the task we’re trying to accomplish. This means, for instance, we’ll try and avoid leaving any record of your name associated with the Society where possible. However, this may not always be operationally possible. We’ll aim to let you know whenever we have to share this information, although there might be some cases where it’s not possible to do so – for instance, if we’re dealing with an urgent safeguarding incident.

Who do we share the data we collect with?

Under normal circumstances, we don’t share the data we collect with anyone apart from those we work with to deliver our services, as explained above.

What data protection rights do members have?

Under data protection law, you have rights including:

You aren’t required to pay any charge for exercising your rights, unless your request is clearly unfounded or excessive. If you make a request, we have one month to respond to you. We might need to ask you for some information to confirm your identity before we process your request – this just makes sure we don’t give your data out to someone else.

It’s worth noting that, due to the technical safeguards we have in place to protect your data, we might not be able to provide you with some data, as we don’t store it in a retrievable form. For instance, whilst we could tell you if a social media account was linked to your Society profile, we wouldn’t be able to tell you what ID we had stored for you, as it’s not technically possible for us to retrieve that information from our database.

Please contact us at if you’d like to make a request.

How can I complain?

If you have any concerns about our use of your personal information, you can make a complaint to us at

You can also complain to the Information Commissioner’s Office if you are unhappy with how we have used your data. You can write to them at the address below:

Information Commissioner’s Office
Wycliffe House
Water Lane

You can also call the ICO helpline on 0303 123 1113, or visit the ICO website at

This policy was last updated on 18 September 2021.

Exit quickly