Privacy statement to members of the SRCF

Last changed: 26 May 2018

Edited 13 June 2020 without material change, to reflect renaming of CamCERT to UIS CSIRT.

Edited 26 July 2020 without material change, to replace references to 'societies' with 'groups'.

Introduction

This statement explains how the Student-Run Computing Facility ("the SRCF", "the Society", "we", "our" or "us") collects and handles personal data about you as a member of the Society, and our reasons for doing so.

The latest version of this statement can be found on our website at https://www.srcf.net/privacy. The SRCF is the data controller for data held under this privacy statement. The SRCF Executive is the designated data protection contact, and are in charge of data protection matters. They can be contacted at data-protection@srcf.net.

Please note: this statement only applies to data held by the SRCF for which it is the data controller. The SRCF also hosts, on its systems, users and groups who may hold personal data; however it is not the data controller in these cases, as such users/groups act as their own data controllers. You should refer to the privacy statements of those users/groups where this applies to you as a data subject.

Definitions

"Personal data" or "personal information" means information relating to you that can be used in some way to identify you, either on its own or in combination with other such information available to its holder.

"Processing" of personal data is any action taken on that data, such as storage, retrieval, organisation, transmission or erasure, and/or as defined by relevant legislation.

"University" means the University of Cambridge.

A "CRSid" is a unique identifier issued to a person by the University. According to the University, CRSids are never reissued, so we assume that a CRSid will uniquely identify the same person forever. Usernames on our computer systems are also assigned to match a person’s CRSid.

The bases on which we process personal data

The SRCF usually processes members’ personal data on the basis that it is a legitimate interest of the Society. Where we process your personal information for a purpose falling outside those listed in this statement or our other privacy statements (if applicable to you), we will seek your explicit consent before doing so.

How members' personal data is used by the SRCF

The SRCF collects and processes members’ personal data for a number of purposes, including:

• Maintaining accurate membership records (comprising full name, CRSid, registered contact email address and join date);
• Ensuring effective communications with members;
• Keeping records of communications made to or from the SRCF Executive;
• Maintaining financial records (e.g. details of donations made to the Society);
• Maintaining a formal record of your activities within the Society (e.g. attending AGMs, standing for Committee);
• Organising social events for members, sometimes involving pre-sale ticketing or keeping a record of attendance;
• Maintaining historical records to enable the Society to research and analyse its own activities over time;
• Keeping logs relating to security incidents.

All of the above activities are carried out as a legitimate interest of the Society.

Please get in touch with the designated data protection contact if you have concerns or queries about any of these stated purposes.

How we obtain and share your personal data

We primarily obtain your personal data through you providing it to us, for example when you sign up as a member. However, this initial signup process also involves automatic retrieval of information available to any computer on the University network. Our systems look up this information using your CRSid, which is provided to us by the University's Raven service, which itself is used to authenticate to our Control Panel. When signing up, you will have a chance to correct and amend any or all of this automatically-obtained information.

Your personal data is not usually shared outside the SRCF and its members. The following information on an SRCF member may be made available to any SRCF member, to facilitate communication between members and also as a technical consequence of our computer systems:

• Full name
• CRSid
• A list of group accounts administered (if any)
• Internal system identifiers, e.g. sequentially-allocated numeric user/group IDs

The following additional information on an SRCF member is made available to the member in question and also to the System Administrators:

• Registered email address
• Join date
• "Last-modified" date of the membership record

We share some of your personal data outside the SRCF and its members in the following cases:

• We run mailing lists on the lists.cam.ac.uk system, which is operated by the University. We share your full name and registered contact address with this system to add you to some or all of these mailing lists. More information on this is available at https://www.srcf.net/faq/memberlists.
• Minutes of all meetings are made public at https://www.srcf.net/minutes, and include the names and CRSids of those who attend.
• Under our obligations as a Registered Society of the University, we must share a current list of Committee members with the Proctors. In addition, a list of all Executive members since the Society’s foundation is made public at https://www.srcf.net/committee.
• We may share relevant personal data with Cambridge University Information Services Computer Security Incident Response Team (UIS CSIRT) in some situations, for example:
  • whilst investigating security incidents on the SRCF where UIS CSIRT may be able to help;
  • where UIS CSIRT has a legitimate interest in the data for a University-wide response to a security incident;
  • to report abuse of computing facilities on the University data network.
• The SRCF may otherwise be required to share (with or without your consent) your personal data with the University, or become subject to a legal requirement to share it with a third party. Where possible in either situation, we will notify you in advance of our intention to do so, but this may sometimes be prohibited, for example by law or an injunction.

Your rights

You have the right to ask for:

• access to your personal information;
• the correction of any errors in your personal information;
• the erasure of your personal information;
• restriction on processing of your personal information pending correction or erasure; and
• the transfer of your personal information to a third party by electronic means.

Some of these rights are not automatic, and we reserve the right to discuss with you why we might not comply with a request from you to exercise them.

If you have any questions or concerns about your personal information, please get in touch with the designated data protection contact listed at the top of this document. Please note that in dealing with your request, we may also need to share details of your request with entities with whom we have shared your personal data.

If you remain unhappy with the way your information is being handled, or with the response received from us, you have the right to lodge a complaint with the Information Commissioner's Office at Wycliffe House, Water Lane, Wilmslow, SK9 5AF or online at https://ico.org.uk/.