Privacy Policy

Data Security Policy

Latest Update: 11th June 2025

This policy applies to all employees, workers, consultants and volunteers who have access to the Guild of Students’ IT services. If you breach this policy you may be suspended from access to the system and if you are an employee you may be subject to disciplinary action. We may update this policy at any time and if you are an employee it does not form part of your contract of employment. 

1. IT Security - Overview

We safeguard the personal information you send to us, and all the personal information which we process in the Guild, with certain physical, electronic, and managerial procedures within the Guild and within our systems. The Guild’s IT infrastructure is managed by the University of Birmingham, and subject to related policies and procedures.

We also store your and others’ personal information behind the University firewalls and utilise appropriate security measures in their physical facilities to prevent loss or unauthorised use of personal and special information. As part of providing our services to you, we may also store personal and special information with third party service providers such as Microsoft. We limit access to personal information in electronic databases to those persons, including Guild of Students employees, who have a need for such access.

If you are issued with a Guild of Students’ IT account and email address, the Guild’s IT & Communications policy also applies to you and you must regularly update your password. We have measures in place which ensure that you change your password often, use ‘strong’ passwords that include a combination of letters and numbers, and use a secure, supported browser. Where your data is stored with third party cloud vendors, such as Microsoft, we will also enforce the use of Multi-Factor Authentication. This requires the use of a smartphone app or functioning telephone number to approve authentication requests.

While we do not anticipate breaches in security, if one occurs, we will use all reasonable efforts to correct the problems that led to the breach and we will report it to the Information Commissioner and those directly affected as required under data protection law.

The Guild of Students internal IT network and infrastructure is supported and delivered by the University of Birmingham’s IT Services. Therefore, you must comply with the following:

  • Information Security Policy of the University of Birmingham – the Guild adopts and complies with this policy of the University of Birmingham
  • ‘General Conditions of Use – University Computer & Network Facilities’ – these apply to all members of the University of Birmingham.

2. IT Security - Principles

Please comply with the following, in conjunction with the Data Protection Policy for Employees, Workers and Consultants or the Volunteer Handbook (depending on whether you are an employee, worker, consultant or a volunteer).

  1. You must comply with the following Data Protection principles and ensure that all records held are:
    • processed fairly, lawfully and transparently;
    • collected and processed only for specified, explicit and legitimate purposes;
    • adequate, relevant and limited to what is necessary for the purposes for which it is processed;
    • accurate and kept up to date. Any inaccurate data must be deleted or rectified without delay;
    • not kept for longer than is necessary for the purposes for which it is processed; and
    • processed securely.
  2. You are responsible for keeping the data which you hold safe.
  3. You must make sure that paper and manual records are destroyed securely using confidential waste bags and that electronic data is stored and disposed of securely.
  4. You must comply with the Data Protection Policy for Employees, Workers and Consultants or the Volunteer Handbook as appropriate: Data should not be disclosed, under any circumstances, without express consent from the Data Protection Officer or CEO or in line with Guild Policy as set out in the Guild of Students Privacy Statement or the Guild Data Protection Policy for Employees, Workers and Consultants. Unauthorised disclosure of personal data or information in most cases will constitute a disciplinary matter. Please refer to the Staff Code of Conduct for further information.
  5. If you process personal data as part of your role, you should inform the Data Protection Officer or Data Protection Working Group before beginning any new data processing. The Guild of Students may be required to update or amend its Information Commissioner Registration as a result. Questions in relation to this can be directed to the Data Protection Officer or Data Protection Working Group.
  6. All data collected in the course of your work at the Guild remains the property of the Guild of Students and cannot be used for personal or any other purposes. Failure to comply with this requirement could lead to disciplinary proceedings.
  7. You must comply with this policy and the Data Protection Act 2018 and the UK General Data Protection Regulation (‘GDPR’) including when using data outside of the Guild premises. This includes ‘taking work home’.

Before any data is processed you should consult the following checklist:

Guild of Students’ checklist for processing data (answer Yes/No to each question):

  • Do you really need to obtain, record and store the information?
  • Is the information ‘special data’?
  • Do you have express consent to process the data from the individual to whom it relates? If not, is one of the other statutory conditions for processing data met? If this is special data you will also need a statutory condition for processing special personal data. (If in doubt then you must seek the advice of the Data Protection Officer (Director of Operations))
  • Has the individual or data subject been informed that the type of data you are collecting will be processed?
  • Are you authorized to collect/store/process data?
  • If yes, have you checked with the data subject that the data is accurate and up-to-date?
  • Is the data you are holding secure?
  • Have you notified the Data Protection Working Group/Data Protection Officer that you plan to hold data?
  • How long do you need to retain the data, has the data subject been informed, is the privacy notice up to date and do you have a disposal method in place?

3. IT Security - Rules

A. Disposal of Data

You must dispose of personal data in a confidential way. The Facilities Department provide ‘Confidential Waste Bags’ and arrange for collection and suitable disposal (through incineration) of paper records. This service can be arranged by contacting the Facilities Department. You must make sure that ‘Confidential Waste Bags’ are kept secure. If they are open, then they should be kept in a locked cupboard or locked room.

The Guild of Students also has an ‘Archive & Retention Policy’ for the management of records and data which you should also comply with.

B. Data Security

You are responsible for ensuring that any personal data, which you hold, is kept securely, for example:

  • In a locked drawer or cabinet.
  • If electronic, password protected.
  • Kept only on an IT Services issued disk or device which is secured/encrypted.

C. Subject Access Requests

You are responsible for recognising a subject access request (made by an individual with regards to personal data) and treating it appropriately. A subject access request is still valid even if it is not sent to those staff responsible for processing it. It may be made in writing, verbally or via social media. Within the Guild, subject access requests are facilitated by the People & Administration Manager and Data Protection Officer (Director of Operations). If you recognise a Subject Access Request, please inform one of these roles immediately.

D. PC Security

Your IT account is provided for your use only, for the purpose of carrying out your job or voluntary role. You must not in any circumstances disclose your password to anyone or allow anyone to access your account or Guild systems using your password/s. If you suspect someone knows your password, you must change it immediately. Disclosing your password is a disciplinary offence under the Guild Disciplinary Procedure. It is important to keep your password confidential to ensure data security. This helps ensure data you have access to is secure. If you believe your password has been compromised, you must change it immediately or contact the IT department. Similarly, you must lock your computer when you are away from your desk to prevent unauthorised access.

E. Storing IT Data

On the Guild Network

It is important that all files relating to your department are stored in an appropriate place. Usually, this will be the departmental folder on the N or O drive accessible through ‘My Computer’ or on the relevant Microsoft Teams or SharePoint site. Personal files should be stored in your ‘My Documents’ folder, to which only you have access. You are responsible for ensuring appropriate permissions are in place for your files, or departmental files if you are a manager, and that personal data is kept secure, with restricted access and password protected as required.

On public cloud networks

The Guild of Students uses Microsoft M365 services for provision of cloud data storage. Under no circumstances should you use or store Guild of Students’ data on other external or third-party software platforms. Typically, if it is not a software platform provided to you by the Guild or University, it should not be used in your capacity as an employee, worker, volunteer or consultant at the Guild or for Guild work.

You should not sign up to or create accounts on third party systems which are not managed by the Guild or IT Services or without approval – this is for your and the Guild’s safety and to ensure the integrity of its information and personal data is upheld at all times.

Queries in relation to this should be directed to the Data Protection Officer in the first instance.

F. Data Handling

When handling data, it is important to follow the Guild’s data protection policies and privacy notices. If you are unsure of how you should store data, contact the Data Protection Officer and/or the IT department (for electronic data).

G. Mobile/removable devices & removal of data from Guild premises

If you are a user of a Guild/IT Services issued mobile device such as but not limited to a Guild phone or laptop (a Guild Mobile Device) that holds data, it is important to respect the following rules:

  • Report any loss of a Guild Mobile Device immediately to IT Services.
  • Do not use a Guild Mobile Device as a form of backup. These devices are vulnerable to theft, accidental damage or component failure and as such are unreliable.
  • Take care at all times to ensure that the Guild Mobile Device is secure. Where appropriate locking devices or other security measures should be employed.
  • The Guild Mobile Device should never be left unattended in a public place or outside your own home. In particular, it should not be left unattended in a vehicle, even when locked. 
  • Ensure that no personal, confidential or special data is kept on a Guild Mobile Device for longer than is necessary and no longer than stated in the Data Retention Policy. Data should only be stored and removed from the Guild on an officially issued Guild Mobile Device or encrypted memory stick. Failure to comply with these guidelines or unauthorised removal of Guild data from Guild premises may result in disciplinary action.
  • Personal data belonging to the Guild should not be stored or removed or processed in any way on any personal devices.

H. Use of Generative AI

The use of generative AI tools within the Guild is restricted exclusively to Microsoft Copilot, which you can use via your Guild credentials. Copilot offers enterprise-grade security, privacy, and compliance features that are integrated with Microsoft 365 services. Copilot operates within the Guild’s secure cloud environment, ensuring that sensitive data is not transmitted to external servers or used to train public models.

