Data protection for alumni groups

The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 and supersedes the previous laws governing personal data. In the UK it has been enacted as the Data Protection Act 2018.

The information on this page is to help official alumni groups of the University manage the data they hold about alumni in a secure, fair and transparent manner.

NB: This information is primarily of concern to UK and EU groups, but it is also relevant to groups based anywhere that hold data about individuals in the EU.

Further information on preparation for GDPR can be found on the Information Commissioner’s Office website.

Find your national DPA if you are based elsewhere in the EU.

Practical steps to take:

  • Create and provide a Privacy Notice – this means looking at what data you have and how you process it.
  • For certain activities, such as emailing your members, you need to hold records of opt-in consent. You will therefore need to decide how you obtain and record this consent, and how you evidence consent you have obtained in the past.

What is personal data and data processing?

Personal data is any information that can directly or indirectly identify a living person.

Processing covers almost anything done with personal data: collecting, storing, using, sharing and deleting it.

Electronic direct marketing and GDPR

Electronic direct marketing includes any emails sent to promote the ideals of an organisation, which means event invitations, offers and benefits, sent by email, text, social media or telephone fall under this legislation.

This legislation means that you should hold consent to email the alumni on your mailing list (this falls under the Privacy and Electronic Communications Regulations 2003).

Consent is an affirmative action of opting in. Silence, pre-ticked boxes and inactivity do not count as consent.

If you are unsure whether you hold consent, consider a postal mailing to your members, encouraging them to email you with their consent to be contacted by the group, and keep those replies as your record of consent. If you do not hold postal addresses for your group members, contact the Networks team to discuss your options.

Privacy Notice – or data protection statement, privacy policy

Your Privacy Notice should accurately reflect what personal data you store, why you hold it, how you use it, and why and when you would share data with third parties (for example, dietary requirements with a dinner venue). The University’s Privacy Notice for alumni and supporters may help you write your own.
You must also share your Privacy Notice with your members/mailing list, and it should be attached to, or linked from, any communications sent to the mailing list, whether by email or post.

Things to think about

The key principles of data processing under GDPR:
1. Lawful
You will need a lawful basis for processing information. There are six bases available: consent, contract, legal obligation, vital interests, public task and legitimate interests. Most of your activities would fall under:
o Consent – the individual has told you that you can process their information. For some activities, such as email communications or holding sensitive (special category) information such as health-related dietary requirements, consent will likely be the appropriate basis for processing.
o Contract – such as event registration and processing of information for the purposes of running an event or providing membership services.
o Legitimate interests – holding information that is relevant to the purposes of your organisation. This cannot be intrusive or excessive, and the individual’s interests must be weighed against your own.

2. Purpose
Your purpose (what you are doing with the information) and the type of information you hold will help you to define which lawful basis applies.
Joint Oxford and Cambridge groups – our Privacy Policy template is very similar to Cambridge’s, so you can look at both to help you.

3. Minimal data
Only hold what is needed.

4. Accuracy
Keep your records accurate and up to date. Make any updates and amendments to your data as soon as possible; if an individual asks you to correct their data, the legal requirement is to respond within one month.

5. Storage
Only keep the data for as long as is necessary. For example, when an event is over, delete the information that you have no need to retain for reuse. Don’t hold on to information ‘just in case’.

6. Security
Who can access the data and why? Where is it stored? Make sure the data you hold is encrypted and access to it is limited: for example, keep documents containing personal data in password-protected, encrypted files rather than plain spreadsheets, and avoid leaving copies in email attachments or on shared devices.


  • Besides the principles, think about your documentation. If anyone asks you how you got their data and what you do with it, what would your answer be? And if you were on the receiving end of that answer, would you be happy with it?

As you know, the Networks Team/Alumni Relations Office cannot offer you legal advice on how you hold your data or comply with GDPR, but if you have any questions, we will endeavour to answer them as far as we can. Please email us with any questions.


Events best practice:

1. Event registration:

  • Events can be a great opportunity to add people to your mailing list and we would encourage you to always have sign-up sheets at your events. However, always ensure that you are clear what you will use this information for and don’t assume that you can use your event registration list as a ready-made mailing list.
  • Be aware of what information you are asking your guests for and only ask for the information you really need. For example, if you are not serving food there is no need to ask for dietary requirements.

2.    Attendee lists:

  • If you plan on having an attendee list at your event, make sure you’ve asked permission to include people’s data and told them exactly what you plan to share. NB: an attendee can only give permission to share their own data, not that of their guest.
  • If the list will go online make sure it is on a private webpage, unless you’ve specified otherwise on sign-up.
  • At an event keep paper attendee lists in a secure place where a member of the public couldn’t simply pick one up.
  • Only keep this information for a specific period of time. It would be reasonable to share an attendee list up to a few weeks after an event, but not several years later!

3.    Sharing information with suppliers:

  • It is always best practice to have a contract with your supplier (venue, caterer, etc.) that refers to data privacy.
  • Information that is required in order to run your event can usually be shared. Dietary requests are essential for caterers, as are full guest lists when venues have security responsibilities. However, if your venue only needs to know how many people are attending, only give them a number. If in doubt, share as little information as possible.


Mailing lists:

1. Creating a mailing list:

  • The Alumni Office sends regular recruitment mailings for all groups, where alumni in your area are asked to contact you directly to opt in to your lists.
  • Any groups still holding a mailing list that was given to them by the Alumni Office (pre-2017) should by now have deleted this list and only make use of their own ‘opted-in’ list. If you have any doubt about which list you are using, we would suggest cleaning your data by removing any alumni for whom you do not have evidence of direct contact (i.e. attendance at an event, or an email asking to be involved in the group).

2. Storing your list:

  • All lists should be stored securely in password-protected documents or on encrypted drives.
  • Lists must not be shared outside your group leader/committee and should only be used for the purposes of communicating about your group activities.

3. Sharing data with the Alumni Office:

  • It is not permitted for groups to share any contact detail updates with the University without first informing the individual concerned and with the relevant agreement in place.

Online mail services:

Following several queries about the use of Mailchimp to manage group email communications we have consulted the University IT Security team with regards to its compliance with the new data protection regulations and other security concerns.

At this time Mailchimp still appears to be the best option for groups.

Mailchimp is a very user-friendly system and we would not wish to suggest anything else that makes organising a group more difficult without due reason. Fortunately, IT Security feel that while Mailchimp is not fully compliant, the risk of using it for group mailings is low. We will continue to look for another system and will let you know once we find something that we are confident in recommending. If you have any suggestions please let us know.

We have also listed below some ways that will help ensure data is used securely:

  • Only hold essential information on Mailchimp: in practice this is likely to be first name (for salutation) and email address.
  • Ensure your data is kept up to date and that any unsubscribes are honoured.
  • Ensure that your password is strong, that you do not share your log-in details, and that you enable two-factor authentication if the service offers it.
  • If moving to another system, ensure that all data is deleted from Mailchimp, including any exports you have downloaded.
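The cleaning exercise described under ‘Creating a mailing list’ (keep only alumni for whom you hold evidence of direct contact), together with the requirements above to honour unsubscribes and to hold only first name and email address, can be done mechanically if you keep a simple consent log alongside your list. The following is an added illustration written for this page; it is not code from the University, the Alumni Office or Mailchimp. The record layouts, the evidence categories (`email_opt_in`, `event_attendance`, `unsubscribe`) and all sample rows are constructed assumptions.

```python
"""Reconcile an alumni mailing list against a consent/contact evidence log.

Added illustration for this page, not the University's or any group's code.
Record layouts, evidence categories and all sample rows are constructed.
"""
from datetime import date

# Constructed sample data: the group's current mailing list, as it might
# have been accumulated over the years (note the surplus fields).
MAILING_LIST = [
    {"first_name": "Ada", "surname": "Lovelace", "email": "ada@example.org", "phone": "01234 567890"},
    {"first_name": "Alan", "surname": "Turing", "email": "alan@example.org", "phone": ""},
    {"first_name": "Grace", "surname": "Hopper", "email": "GRACE@Example.org", "phone": ""},
    {"first_name": "Edsger", "surname": "Dijkstra", "email": "edsger@example.org", "phone": ""},
]

# Constructed evidence log: one row per contact event, with its source so the
# group can answer "how did you get my data?" with something concrete.
EVIDENCE_LOG = [
    {"email": "ada@example.org", "kind": "email_opt_in", "date": date(2018, 3, 1),
     "source": "reply to recruitment mailing"},
    {"email": "alan@example.org", "kind": "event_attendance", "date": date(2017, 11, 20),
     "source": "dinner sign-up sheet (sheet stated use for mailing list)"},
    {"email": "grace@example.org", "kind": "email_opt_in", "date": date(2018, 4, 10),
     "source": "web form"},
    {"email": "grace@example.org", "kind": "unsubscribe", "date": date(2018, 5, 2),
     "source": "unsubscribe link"},
    # Edsger has no evidence at all: his row came from the pre-2017 list.
]

# Kinds that count as evidence of direct contact. Event attendance counts only
# if the sign-up sheet said the details would be used for the mailing list.
EVIDENCE_OF_CONTACT = {"email_opt_in", "event_attendance"}


def normalise(email):
    """Email addresses are matched case-insensitively and without stray spaces."""
    return email.strip().lower()


def consent_status(email, log):
    """Return ('consented', record), ('unsubscribed', record) or ('no_evidence', None).

    The decision is driven by the most recent relevant entry, so a later
    unsubscribe always overrides an earlier opt-in.
    """
    events = sorted(
        (e for e in log if normalise(e["email"]) == normalise(email)),
        key=lambda e: e["date"],
    )
    latest = None
    for e in events:
        if e["kind"] in EVIDENCE_OF_CONTACT or e["kind"] == "unsubscribe":
            latest = e
    if latest is None:
        return "no_evidence", None
    if latest["kind"] == "unsubscribe":
        return "unsubscribed", latest
    return "consented", latest


def clean_mailing_list(mailing_list, log):
    """Return (kept, removed).

    kept holds only the minimal fields needed for a mailing (first name and
    email) plus a one-line citation of the evidence; removed lists each
    dropped address with the reason, so the clean-up itself is documented.
    """
    kept, removed = [], []
    for row in mailing_list:
        status, record = consent_status(row["email"], log)
        if status == "consented":
            kept.append({
                "first_name": row["first_name"],
                "email": normalise(row["email"]),
                "evidence": f"{record['kind']} on {record['date'].isoformat()} ({record['source']})",
            })
        else:
            removed.append({"email": normalise(row["email"]), "reason": status})
    return kept, removed


if __name__ == "__main__":
    kept_rows, removed_rows = clean_mailing_list(MAILING_LIST, EVIDENCE_LOG)
    for r in kept_rows:
        print("KEEP  ", r["email"], "-", r["evidence"])
    for r in removed_rows:
        print("REMOVE", r["email"], "-", r["reason"])
```

Run against the constructed data, Ada and Alan are kept, Grace is removed because her most recent entry is an unsubscribe (even though she opted in earlier), and Edsger is removed for lack of any evidence; the surname and phone columns never make it into the output, which is the minimal set the page suggests uploading to Mailchimp. The `removed` list is worth keeping for a short time as a record of the clean-up, then deleting.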