We understand that the current UK Data Protection Legislation, the new General Data Protection Regulations (GDPR) and the Privacy and Electronic Communications Regulations (PECR), are the main legislation we must ensure we keep to. See below for all policies, notices and resources surrounding our use of data.

Privacy Notices

Imperial College Union is committed to protecting the privacy and security of your personal information. Our Privacy Notice is available below:

We also have a separate Privacy Notices for our Newsletters and our Events:

Data Protection Policy 

We have a wider data protection policy that can be read in addition to our privacy notices. To read it, visit our Data Protection Policy page: Data Protection Policy

Data Breach

We have an obligation to promptly investigate all data breaches brought to our attention.

You can learn more about our process for handling data breaches and report suspected breaches on our data breach page: Data Breach

Subject Access Requests

You have the right to access information that we hold about you. You may submit a Subject access request to ask for this. Please use our SAR form so we are able to more effectively meet your requests. This can be found on our Subject Access Request page: Subject Access Request

Once we have confirmed your identity we will respond within one month. There may be some cases where requests take up to two months if they are difficult or large - in this case we would inform you of the new timeframe.

Statement of Rights 

Data subjects have the following rights in relation to their personal data: 

  • To be informed about how, why and on what basis that data is processed (at ICU, we customarily do this via our privacy notices) 
  • To obtain confirmation that their data is being processed and to obtain access to it and certain other information, by making a subject access request 
  • To have data corrected if it is inaccurate or incomplete 
  • To have data erased if it is no longer necessary for the purpose for which it was originally collected/processed, or if there are no overriding legitimate grounds for the processing (this is sometimes known as ‘the right to be forgotten’) 
  • To restrict the processing of personal data where the accuracy of the information is contested, or the processing is unlawful (but the data subject does not want the data to be erased), or where ICU no longer needs the personal data but the data subject requires the data to establish, exercise or defend a legal claim 
  • To restrict the processing of personal data temporarily where the data subject does not think it is accurate, or where the data subject has objected to the processing 

Our privacy notices provide details of how these individual rights can be exercised.