Privacy Notice

Your Data Is Important To Us

ENSA is a membership organisation which means at our heart are our student members and helping you to make the most of your student experience at Edinburgh Napier University.

To do this we need to collect, store and process personal information about you.

The way we manage and process your data is governed by European and UK Data Protection legislation and these web pages aim to explain how we manage your information in line with these laws and what this means for you.

Data Protection legislation is there to protect your rights as an individual and make sure your data is processed lawfully, fairly and in a transparent manner.

We also process personal data about our suppliers, customers, sponsors and corporate clients, so the information on this page is for those people too.

Your Data Protection Rights

Data Protection legislation lays out a number of rights you have in relation to your data:

The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling

You can find out more about these rights in the ENSA Data Protection Code of Practice or on the UK Information Commissioner’s Office.
If we have asked for your consent to process your personal data, such as asking if you would like to receive direct marketing emails, you have the right to withdraw this consent at any time, in this example to stop receiving direct marketing emails. (However, this does not apply where ENSA has a legal obligation to contact you.)
If you believe that ENSA has broken the Data Protection laws, you also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO).

The Lawful Basis for Processing Your Data

ENSA must also set out the ‘lawful basis’ for the processing we do. ENSA mainly uses the four lawful bases below:

Legal Obligation
Where we are obliged by various laws, including the Education Act, Contracts Act and employment law, to process certain data.
Legitimate Interest
Where we think there is a legitimate interest in us processing data to support you. To use this basis we need to carefully balance our interests against your rights to make sure our processing is fair.
Contract
Where we have a contract with you, such as an ENSA staff member, a supplier or a client.
Consent
Where we ask you to consent to us processing your data, such as for marketing purposes or engaging with our platforms, or, in the case of ENSA Advice, to act on your behalf to progress your case.

How We Collect Data

ENSA collects information in the following ways:

When you become a MEMBER

Each year that you enrol on an Edinburgh Napier University accredited course, based at a UK campus, you automatically become a member of ENSA, unless you opt out by emailing dataprotection@napierstudents.com.
As part of its legal obligation under the Education Act, Edinburgh Napier shares a list of currently matriculated students with us, which is limited to names, student ID numbers, University email addresses and dates of birth. When the University transfers this data we become responsible for it and use this as our core central record of your membership.

When you become a PROGRAMME REP

Each year over 300 Programme Representatives (Reps) are chosen by their class colleagues to represent them on issues affecting their programme, such as time-tabling, missed tuition, exam schedules, assessment frequency and methods, placement standards, equipment standards and allocation.
Edinburgh Napier University tutors, lecturers and Programme Leaders conduct the elections for the Reps, on behalf of ENSA, and share the Rep's details with ENSA.
The information is used by both ENSA and the University to make sure that the Reps are able to make representations to the University on behalf of their class colleagues, attend and contribute to appropriate committees, councils and other such groups, there is open communication, collaboration and excellent staff-student body relationships.

When you give it to us DIRECTLY

You may give us your information in order to take part in an ENSA activity, such as signing up to a sports club or society, buying tickets for an events, taking part in a survey, using our advice service, purchasing our products or communicating with us. When you give us this information we take responsibility for looking after it and we will cross reference this data against our register of members.

When you give it to us INDIRECTLY

Your information may be shared with us by independent organisations, such as the University, event partners or charity partners. These independent third parties will only do so when you have indicated that you have given consent to share this data with us. You should check their Privacy Policy when you provide your information to understand fully how they will process your data.

When you give permission to OTHER ORGANISATIONS to share

We may combine information you provide to us with information available from external sources in order to gain a better understanding of our members to improve our communication methods, products and services.
The information we get from other organisations may depend on your privacy settings or the responses you give, so you should regularly check them. This information comes from the following sources:

Third party organisations
You may have provided permission for a company or other organisation to share your data with third parties such as ENSA. This could be when you buy a product or service, register for an online competition or sign up with a comparison site.
Social Media
Depending on your settings or the privacy policies for social media and messaging services, like Facebook, WhatsApp or Twitter, you might give us permission to access information from those accounts or services.
Information available publicly
This may include information found in places such as Companies House and information that has been published in articles/ newspapers.

When we collect it as you use our WEBSITES

Like most websites, we use “cookies” to help us make our site – and the way you use it – better. Cookies mean that a website will remember you. They’re small text files that sites transfer to your computer (or phone or tablet). They make interacting with a website faster and easier – for example by automatically filling in your name and address. There are more details in our Cookies statement.
In addition, the type of device you’re using to access our website and the settings on that device may provide us with information about your device, including what type of device it is, what specific device you have and what operating system you’re using. Your device manufacturer or operating system provider will have more details about what information your device makes available to us.

When you BUY A PRODUCT from us

To place an order with us online, registration is required. At the point of registration, we request certain information including your name, delivery address and email address. This information is required to enable us to process your order and notify you of its progress.
Once an order has been placed, we may contact you by email to confirm your order details and again once your order has been accepted and despatched. Should we need to contact you for any reason regarding your order, we will use the email address registered to your account, or the telephone number where provided.

When you APPLY FOR A JOB WITH ENSA

When you apply for a role at ENSA, you will complete an application form or be asked to provide a CV. These will contain personal information about you. ENSA has a legitimate interest in processing this data for the purposes of considering you for that role and for anonymous statistical analysis.

When you BECOME AN EMPLOYEE

When you become an employee of ENSA you form a contract with us which declares that we will process some personal and sensitive data to comply with our legal obligations and to fulfill our policies and procedures.
As ENSA's IT infrastructure is provided through Edinburgh Napier University personal data will be shared to enable your email address and network credentials to be set up.

When you REGISTER AS A SUPPLIER, CONTRACTOR, CORPORATE CLIENT OR SPONSOR

When you register as a supplier or contractor with ENSA, we will ask you provide us with certain personal data so that we can meet our legal and contractual obligations; organisation policy requirements; communicate efficiently; raise or pay invoices; and ensure you receive the services required.

What Data We Collect and How We Use It

Our Members

If you are one of our members, the University is obliged to provide us with a set of key information you provided at matriculation. This is limited to your full name, student ID number, University email address and date of birth. As one of our members, we have a legitimate interest to provide the best possible standards of administration and communication, in relation to our services and activities, and we use your personal data to do this.
In addition when you attend an event, join a student group or use one of our services we may ask for additional information such as:

Your bank details to facilitate payments
Your telephone number
Dietary requirements or allergies
Information relating to your health if you are taking part in a high risk activity
Any disabilities so that we can provide assistance where needed

We will mainly use your data to:

Provide you with the services, products or information you asked for
Administer your membership
Keep a record of your relationship with us
Ensure we know how you prefer to be contacted
Understand how we can improve our services, products or information
Register your membership with National Governing Bodies, British Universities and Colleges Sport (BUCS) and Scottish Student Sport (SSS)

Programme Reps

When you are elected as a Programme Rep, you will be asked to provide:

Name
Matriculation Number
Programme of Study
Year of Study
Mode of Study
Email Address
Telephone Numbers

You may also be asked for any dietary requirements, for catered events.

We will mainly use your data to:

Communicate with you
Provide training, support and advice
Arrange and administer Rep involvement with University Committees and meetings

ENSA Advice Client

When you use the ENSA Advice service, you will be asked to complete our 'consent form' and provide:

Name
Matriculation Number
Programme of Study
Year of Study
Funding Provider
Address
Telephone Numbers

You will also be asked to give your consent for ENSA Advice to securely maintain a record of your case, including any 'sensitive personal data', you need to provide to allow our Advisers to help you with your issue. This may included information about:

your health and any illness
your financial situation
any 'protected characteristics' relevant to your case, such as sexuality, ethnic origin or religious beliefs

To progress your case, you will also be asked to consent to allow the ENSA Advice team to act on your behalf, make enquiries, obtain further information and represent you in relation to your case. This may mean that our Advisers need share some of your information with relevant third parties, such as the University. Our ENSA Advisers will only ever share the minimum information needed to progress your case.

We will mainly use your data to:

Communicate with you
Make enquiries and obtain further information to progress your case
Represent you and act on your behalf to resolve your enquiry

Potential and Current Employees

If you are applying for one of our roles we will ask you to provide:

Name
Address
Email Address
Telephone Number
Employment and volunteering history
Details of training undertaken
Details of criminal convictions

We will mainly use your data to:

Communicate with you
Consider your application for the role

If you are a reference for an applicant the applicant will provide us with the following information for the purposes of making contact to request a reference if the candidate is successful at application:

Name
Profession
Address
Telephone number
Email address

When you commence employment with the Students’ Association we will ask you to provide:

Name
Address
Email Address
Telephone number
Gender
Date of Birth
National Insurance Number
Bank Account Details
Third Party Remuneration Sources
Emergency contact details

During the course of your employment ENSA may collect the following data:

Health Records & Physician Details
Performance Records

We will mainly use your data to:

Administrative functions relating to your employment including the payment of salaries
Managing sickness, health and workplace performance

Suppliers and Contractors

ENSA has contractual obligations to hold personal data about suppliers and contractors to allow us to ensure the best standards of communication and administration. We also have a legitimate interest to retain personal details of previous suppliers and contractors to enable future dealings.
In registering as a supplier we will ask you to provide us with the following personal information:

Name
Address
Email
Telephone number
Bank Details
Job Title

We will mainly use your data to administer our contracted duties with you.

Clients and Sponsors

ENSA has contractual obligations to hold personal data about suppliers and contractors to allow us to ensure the best standards of communication and administration. We also have a legitimate interest to retain personal details of previous suppliers and contractors to enable future dealings.
In establishing a contract with us as a client we will ask you to provide us with the following personal information:

Name
Address
Email
Telephone number
Job Title

We will mainly use your data to administer our contracted duties with you and undertake credit reference checks where appropriate.

How We Keep Your Data Safe and Who Has Access

Personal data collected and processed by us may be shared with ENSA employees and volunteers, under strictly controlled conditions, in line with the ENSA Data Protection & Information Security Policy and Data Protection Code of Practice.

ENSA retains different types of information for different lengths of time, depending on a range of factors, including legal obligations. For more information, please see the ENSA Records Retention Schedule.

To help us deliver our charitable services we also use external service providers who have limited access to your data and these are carefully managed by contracts and extremely high levels of security standards.

Below we have outlined the main partners that we work with:

Edinburgh Napier University
Membership Solutions Limited (MSL)
Blue Door Software
simplybook.me Limited
The Royal Bank of Scotland
Sage Accounting and Payroll systems
SagePay

Our online services, at www.napierstudents.com, are provided by MSL, hosted only within the EEA and conform to the highest information security standards (ISO 27001:2013, ISO 9001, ISO 27001, ISO 14001 and PCI DSS standards). All file transfers are securely encrypted.

Our welfare rights and education advice service, ENSA Advice, utilises Caseworker Connect software, provided by Blue Door Software Limited. This software is 'Cyber Essebtials PLUS' accredited providing an exceptionally high data protection standard.

Online bookings for our Advice service utilises simplybook.me which is certified by NQA, as per the requirements of ISO/IEC 27001:2013 (Certificate number is 170833).

Edinburgh Napier University datacentres are resilient and feature access controls, environmental monitoring, backup power supplies and redundant hardware. Information on these servers is backed up regularly. The University has various data protection and information security policies and procedures to ensure that appropriate organisational and technical measures are in place to protect the privacy of your personal data.

Our banking, accounting, payroll and e-commerce service providers, are well-established and provide industry standard information security and conform to all relevant Data Protection legislation.

When we allow access to your information, we will always have complete control of what our partners see, what they are allowed to do with it and how long they can see it. We undertake regular reviews of who has access to information that we hold to ensure that your information is only accessible by appropriately trained staff, volunteers and contractors.

We do not sell or share your personal information for other organisations to use. Some of our suppliers may run their operations outside the European Economic Area (EEA). Although they may not be subject to the same data protection laws as companies based in the UK, we will take steps to make sure they provide an adequate level of protection in accordance with UK and EU data protection law. By submitting your personal information to us you agree to this transfer, storing or processing at a location outside the EEA.

We may need to disclose your details, if required, to the police, government regulatory bodies or legal advisors. We may also need to disclose your details in an emergency, or life and death, situation where delay would cause serious risk of harm or death.

We will only ever share your data in other circumstances if we have your explicit and informed consent.

Marketing & Communications Preferences

Membership Communications

As a democratic, student-led organisation, we have an obligation to keep you informed about your democratic rights to vote in,and stand for, the student elections and we'll send you information about how to do this occasionally throughout the year. We also have an obligation to send you information about any student referendums taking place, along with information about Student Council, which all members are eligible to attend.

As a member, we'll also keep you up to date about what we’re doing to represent you, the products and services we offer, and opportunities that might be of interest to you. You may opt out of these communications at any stage by clicking the unsubscribe link contained within the email or by contacting us, either on 01312298791 or by email to dataprotection@napierstudents.com.

Direct Marketing

As a charity we need to fund raise to provide the services we offer to Edinburgh Napier University students and one way we do this through sponsorship. Our general membership communications will let you know the companies we are sponsored by, however when you register on our website we will ask for your consent to send you further information about our individual sponsors

We do not sell or share personal details to third parties for the purposes of marketing.

Controlling what you want to hear about

We make it easy for you to tell us how you want us to communicate, in a way that suits you. We include information on how to choose what you want to hear about when we send you communications. If you don’t want to hear from us, that’s fine. Just let us know when you provide your data or contact us on 01312298791 or dataprotection@napierstudents.com.

Accessing, Rectifying, Erasing or Restricting Processing Your Data

To find out what personal data holds about you, or to correct, updated or remove personal data, you can submit the appropriate form to ENSA in person, by post or to dataprotection@napierstudents.com.

Subject Access Request Form – To access your personal data
Data Rectification Form – To change, correct or update your personal data
Data Erasure Request Form – To request the deletion or removal of personal data
Processing Restriction and Objection Request Form – To limited the types of processing carried out

Please be aware that there are certain circumstances where ENSA will not be able to uphold your request, however you will receive a detailed explanation if this is the case.

Also please be aware that if you choose to restrict, or object to, certain types of processing or have your personal data erased, ENSA will not be able to provide you with certain services or activities.

ENSA is not a publicly funded body so not subject to FOI requests.

Understanding the Detail of Our Data Security Measures

When we process your data we will have already carefully assessed the lawful justification for doing so, the parameters in which the data is processed, the length of time the data is held for, the secure storage of your data and undertaken impact assessments to ensure your rights are protected.

ENSA operates a Data Protection & Information Security Policy which is supported by a practical Code of Practice for our employees and volunteers. All employees and volunteers handling data are required to undertake general data protection training and third parties handling data are required to provide a contract which meets the requirements of the Information Commissioner's Office.

ENSA does not store any credit/debit card data on our systems following online transactions. ENSA utilises the payment processor SagePay, as part of the MSL platform, to conduct online transactions.

Contact Information

Edinburgh Napier Students’ Association
B34, Merchiston Campus
10 Colinton Road
Edinburgh
EH10 5DT

For any enquires about data protection, please contact our Data Protection Officer on 0131 229 8791 or by email at dataprotection@napierstudents.com.