Data Protection Policy

What is all this about? Simply, this page contains information on how we gather, process and store personal information both for our day to day operations such as administering clubs and societies, Union elections and meetings through to your use of our website

Here you'll find information relevant to your status (for example, if a student or a consumer). We aim to provide clear information on our legal basis for collecting, processing and storing information. Further details on your rights relating to your data and how to ensure this is accurate can be found in the Data Protection Policy. The Union also has a Data retention Schedule.

Privacy notices

As outlined above, we deal with a number of bodies of individuals ranging from student members to staff, suppliers, contractors and consumers. In each case we have set out an appropriate Privacy statement which outlines the key aspects of how we gather and process relevant information. In addition, we have also outlined a brief snapshot document which gives an illustration of the kind of information we gather and the purposes for doing so.

In presenting the Privacy statements below, please note that we rely upon a number of lawful reasons for processing including by contract, through legal obligation and where we have assessed there is legitimate interest.

Student Data Privacy Statement
Consumer Data Privacy Statement
Supplier, Contractor & Client Data Privacy Statement 

For staff, please refer to the Union's Employee Data Protection Policy.

Communicating with you

We will only ever contact you to either fulfil a legal obligation (information on the Union’s activities related to this legal obligation) fulfil a contract (for example staff) or where we believe you have a legitimate interest in us communicating with you (for example to confirm an online shop order or matter relating to your participation in clubs and societies having bought a membership). The Union undertakes any communication in line with the Privacy and Electronic Communications (PECR) guidance. For any communication sent via our MSL system, you will be provided with an unsubscribe option to select your options for any future communication.

Advice service

Further information on how we process personal information in relation to your interaction with our advocacy service are outlined within the Student Student Data Privacy statement (linked above).

Guidance for Clubs/Sports on sign-ups

Keeping Data Safe

What is Data Protection? Data is anything personal like your name, contact details and even student number. Recently, you may have heard of GDPR (General Data Protection Regulation) which reinforces how your personal data is secured.

Being Practical – Data protection can be simple and common sense. You don’t have to stop collecting data because of GDPR, just take some simple steps to make sure it is safe. Here are some tips for doing this, without impacting your club.

Welcome Week – It is really common to collect details from students interested in your club. You can still do this, just be clear about the purpose and what a student can expect when they do sign up (for example, information about training times). Don’t break this trust by giving out their data, or using your mailing list to promote other activities or buisnesses.

Keeping Data – We suggest using post-it notes, so that students can sign up at your stalls, but don’t see other people’s information when they do so. These can then be added to a spreadsheet, before the post-its are destroyed.  Remember, only take the minimum data required. It is easier to have a nominated committee member to sort all this out.

Follow Up – Once you have students’ data, we suggest you only contact them for the first two weeks of the semester. By this time, if they are interested they will have joined the club. If not, they have probably moved on to something else! Always include an option for students to unsubscribe from your club e-mails – this is done automatically if you message your paid members through the Students Union website.

Regular Contact – We know you do this in all sorts of ways, keep doing what is best for you. There is no problem using Facebook groups, just remember that even if a group is set to private, nothing you ever post online is truly private.

Just follow these guidelines, and use common sense, to help keep your data secure.

With these guidelines followed, you can continue to run your fun and exciting clubs and societies. Please don't forget to shout about your achievements, we love to hear from you!

Cookies - what are they?

“A cookie is a small file, typically of letters and numbers, downloaded on to a device when the user accesses certain websites. Cookies are then sent back to originating website on each subsequent visit. Cookies are useful because they allow a website to recognise a user’s device.” – Text taken from ICO document ‘Guidance on the rules on use cookies and similar technologies’, dated 13 December 2011.

Broadly speaking, cookies are either ‘session-based’ or ‘persistent’.  The former is deleted when you close your browser.  The latter is more likely to collect a greater amount of personal information, such as browsing behaviour if so-configured, and is deleted manually or on its expiration date. Cookies are used to provide a better online experience for you and provide us with helpful insight into the content which is of most interest to you.

Which cookies does the MSL system include?

The MSL system includes two cookies:


Stores a temporary unique identifier for your session – no other information is stored. This cookie is removed when you close your browser.

Expires on exit of browser


When you are logged in, this cookie stores a value which identifies you to your site. This value is encrypted and can only be read by the server. If you use the Remember Me function this cookie remains on your computer for 3 months, otherwise it is removed when you log out of the site.

Expires on exit of browser or 3 months (optional)


Implements a preventative mechanism against Cross-Site Request Forgery attacks (see for further details)

Expires on exit of browser


Used by New Relic (performance monitoring) as a work around for browsers that do not support the Navigation Timing API.

Expires on exit of browser

The session cookie and aspxauth are strictly necessary for the functioning of the logged in site. Users should not disable these if they want a logged-in browsing experience.

As we use Google Analytics to ensure we’re providing the right browsing experience for you, your site will also drop the following cookies:


Used by Google Analytics to capture and determine unique visitors and the frequency of views. __utma is written to the browser on your first visit to a site (from the browser being used).

2 year expiry


Used by Google Analytics to establish and continue your session on the site. Each time you visit a page it is updated to expire in 30 minutes. It expires if you spend more than 30 minutes on a single page.

30 minute expiry


Previously used by Google Analytics javascript to define a session status.

6 month expiry


Used by Google Analytics to store the type of referral used to reach the site; e.g. direct, link, web search, etc.

Expires on exit of browser

By using our site, you acknowledge that we will use the cookies outlined above. Further information about cookies can be found on

If you have questions regarding Data Protection, please e-mail the Union on