Data protection for alumni groups

This section of the website is intended to help clarify some of the rules around current and upcoming data protection legislation and any actions that need to be taken. We plan to update this information each month as we move closer to the new regulations arriving in May 2018. 

Nb:  This information is primarily of concern to UK and EU groups, but may also be of interest to international groups.

Events:

1. Event registration:

  • Events can be a great opportunity to add people to your mailing list and we would encourage you to always have sign-up sheets at your events. However, always ensure that you are clear what you will use this information for and don’t assume that you can use your event registration list as a ready-made mailing list.
  • Be aware of what information you are asking your guests for and only ask for the information you really need. For example, if you are not serving food there is no need to ask for dietary requirements.

2.    Attendee lists:

  • If you plan on having an attendee list at your event, make sure you’ve asked permission to include people’s data and told them exactly what you plan to share. Nb: You can only give permission to share your own data, not that of your guest.
  • If the list will go online make sure it is on a private webpage, unless you’ve specified otherwise on sign-up.
  • At an event keep paper attendee lists in a secure place where a member of the public couldn’t simply pick one up.
  • Only keep this information for a specific period of time. It would be reasonable to share an attendee list up to a few weeks after an event, but not several years later!

2.    Sharing information with suppliers:

  • It is always best practice to have a contract with your supplier (venue, caterer, etc.) that includes a privacy policy, but even if you don’t you can still share certain information with suppliers.
  • Any information that is required in order to run your event can be shared. Dietary requests are essential for caterers, as are full guest lists when venues have security responsibilities. However, if your venue only needs to know how many people are attending, only give them a number. If in doubt, share as little information as possible.

 

Mailing lists:

1. Creating a mailing list:

  • The Alumni Office sends regular recruitment mailings for all groups, where alumni in your area are asked to contact you directly to opt in to your lists.
  • Any groups still holding a mailing list that was given to them by the Alumni Office (pre 2017) should delete this list and only make use of their own 'opted in' list.  If you have any queries about which list you are using then we would suggest cleaning your data by deleting any alumni that you do not have evidence of direct contact with (i.e. attendance at an event, or email asking to be involved in the group)

2. Storing your list:

  • All lists should be stored securely in password protected documents or on encrypted discs. 
  • Lists must not be shared outside your group leader/committee and should only be used for the purposes of communicating about your group activities.
  • From May 2018 you must keep a record of when and how someone has opted in to your mailing list. We will provide further guidance on this in future.

3. Sharing data with the Alumni Office:

  • It is not permitted for groups to share any contact detail updates with the University without first informing alumni that they are doing so. This issue has been raised by several groups and so we have drafted the text below that groups can use on emails and websites, which would allow groups to share this data:
  • The personal data you provide to <Group Name> will be shared with the University of Oxford Alumni Office and stored in the Development and Alumni Relations System (DARS). Please see the ‘Your data’ web page for information on the ways in which your personal data are held and used in DARS. If you do not wish for your data to be shared with the University please email <email address>

Online mail services:

Following several queries about the use of Mailchimp to manage group email communications we have consulted the University IT Security team with regards to its compliance with the new data protection regulations and other security concerns.

At this time Mailchimp still appears to be the best option for groups.

Mailchimp is a very user friendly system and we would not wish to suggest anything else that makes organising a group more difficult without due reason.  Fortunately IT security feel that while Mailchimp is not fully compliant, the risk of using it for group mailings is low.  We will continue to look for another system and will let you know once we find something that we are confident in recommending.  If you have any suggestions please let us know.
We have also listed below some ways that will help ensure data is used securely:

  • Only hold essential information on Mailchimp: In practice this is likely to be first name (for salutation) and email address.
  • Ensure your data is kept up to date and that any unsubscribes are honoured.
  • Ensure that your password is secure and you do not share your log on details.
  • If moving to another system ensure that all data is deleted from Mailchimp