skip to primary navigationskip to content

Data Protection Policy

Graduate Union

Data Protection Policy

The Graduate Union uses information to achieve its aims and objectives. It therefore will retain data as long as necessary, and will delete when no longer needed. This Policy sets out how the Union will fulfil its legal and ethical duties.


Data will only be used for the purpose it is provided for. The data will be treated as confidentially and securely and only retained as long as needed.

It is noted that both members and anyone else has certain rights over their data. They can ask for copies of it, ask for inaccuracies to be corrected, or ask for data to be deleted.

Any data requests should be directed to the General Manager, though other members can be contacted, they must forward the request so it can be processed.


If you need to share personal data with another organisation, even if that organisation just stores personal data for you, you first need to be sure that all of the risks have been considered. A written agreement in the correct form may be required. This is particularly important if the organisation is outside of the European Economic Area.

The Graduate Union will be transparent any time it asks for data, and will explain specifically what the data will be used for, and will ask expressly for permission to use the data.

Breaches will need to be reported to the Information Commissioner, but we will seek to minimise risks.

Information storage

The Union will provide employee and volunteers with secure platforms. Training will be given so that all volunteers and employees know their responsibilities.

  • It is your responsibility to maintain the security of information you have access to, such as by using and regularly updating a strong password.


  • You should not share access to confidential or sensitive information with others.


  • This includes, for instance, leaving an e-mail account permanently signed in on devices that accessible to others.


 Much of the business considered by the Board of Trustees is confidential in nature, and sabbatical officers are highly likely to also hold confidential information in the form of University committee papers or service data from the Students’ Unions’ Advice Service.

Some employees may prefer to work on their own laptop. This is acceptable, however, confidentiality and information security requirements remain and further steps should therefore be taken to ensure these when a personal device is the primary computer an employee uses for work.

 It is important that all files generated by employees within their work are saved to the GU’s file server space so that future staff and officers are able to draw on them, and that your work is preserved. Employees who use a personal device must regularly transfer such files to the GU’s file server, and delete them from their own device.

This should be repeated prior to an employee leaving the organisation, at which point all data held on behalf of the GU should be returned to the GU and no ability to access content that is not public should be retained without explicit permission from your line manager (this includes access to e-mail or other accounts required only for work)