When students use the Student’ Union’s Advice and Representation Centre (ARC) certain personal information is collected/used that is pertinent to supporting the case.
We only collect, store and use personal data that is necessary for us to provide our service. ARC has a legitimate interest to collect personal data from our service users to allow our team to plan the delivery of the service and act on cases for our service users. This information is held independently, with the exception of anonymous analysis for statistical reporting.
The General Data Protection Regulation (GDPR) under the Data Protection Policy 2018 gives data subjects (our service users) more control over their data. To comply with this legislative change The Advice Service reviewed what data we process, how we process it and why.
Where necessary, we will obtain consent from our service users to use their personal data. Personal data is defined under GDPR as any identifiable data about the student.
Legal Basis of the Advice and Representation Centre:
ARC operates under “legitimate interest” (Article 6 GDPR) in processing client data, including enquiry/case details. Therefore Consent is not required when processing client’s data as part of their enquiry/case, unless special category data is being collected (please see below for special category). This data is not imperative to your case but can provide statistical and holistic information on trends to the ARC Manager on the service.
The right to be informed - At the point of engagement with ARC, through the advice enquiry form (online and paper) the client is informed of the data use.
The right of access – A client can request to access their data by making a Subject Access Request, in writing, to the ARC Manager
The right of rectification – Having accessed their data, a client can ask for rectification of information that is incorrect, by writing to the ARC Manager.
The right of erasure – A client can ask for their personal data to be forgotten (erased) by requesting this in writing to the ARC Manager.
The right of data portability – Information can be provided electronically at the client’s request.
The right to restrict the processing of data - A client can request to restrict the processing of their data, in writing to the ARC Manager. This will mean that their personal information may be kept, but not processed (used) in any other way.
The right to object – A client has the right to object to their data being processed at any time. The data will not be processed but the client may be advised that advice may be limited, dependant on the query.
The right to not be automatically profiled – ARC clients are not subject to automatic profiling.
Special Categories of Data:
As specified under the General Data Protection Regulation (GDPR), for example, special category data includes data that reveals a data subject's: “Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited unless the client has given explicit consent to the processing of that personal data for one or more specified purposes or where processing is necessary to protect the vital interests of the client”.
The ARC Admin/Adviser will talk to you about this and we will require explicit consent under this category where we are collating information for Equality, Diversity and Inclusion (EDI) purposes. Please see below.
We only require consent under certain circumstances:-
- EDI Monitoring - We will ask for explicit consent to collate data from you for EDI monitoring purposes under special category as discussed above. The adviser/ARC admin will require this from you verbally when they discuss this with you at the first point of contact.
- AQS Audit – ARC is subject to regular Advice Quality Standard audits to ensure we meet standards. The case records audited are anonymised so no individual person/case can be identified. We will ask for consent in regards to AQS access to case records.
- Third party consent – where we need to share data with a third party and/or contact them on your behalf regarding your case we will ask for express consent, this will be obtained by the service user signing a form of authority.
Clients can withdraw their consent at any time by advising the Advice Service Manager.
Statistical recording & social policy:
We undertake statistical recording of users and cases for monitoring and service development purposes. This enables us to identify trends and social policy issues that impact our student body and to target information and publicity appropriately.
Any statistical data that we share outside of ARC is in aggregated form only, so no individual case/person could be identified.
Data Retention and Destruction:
ARC will only keep client records for as long as they are required in terms of administration, research or law. All information relating to a client of ARC is stored confidentially on a password protected device and database accessible only by the ARC team.
We will retain your case records for a period of 6 years after your case is closed in line with our Advice Quality Standard (AQS) accreditation at which point the case is deleted/destroyed. Case records are automatically deleted by the case management database Advice Pro 6 years after the case is closed.
Confidentiality and Data Sharing:
All data within the ARC team and offices is stored and handled confidentially. It is only shared internally with the Advice and representation team this includes Advisers, ARC Administrators and the ARC Manager unless the matter is escalated to the CEO of the students union.
All case records and client details are recorded and stored on AdvicePro our case management system in accordance with the ARC File management policy. AdvicePro is a secure, password protected web-based case management system. All enquiries are added onto this system and deleted from any other methods of access and the enquiry mailbox.
We will only share data in anonymised form with third parties for statistical purposes.
Data/subject access requests:
Any individual/service user may ask for access to their records, or ask for incorrect facts to be changed and/or request that data held is erased.
If the case is open, ARC will normally require the request to be made in writing so the amendments can take place.
Review of Policy:
Last Updated: May 2022