Privacy Policy


Introduction

This document covers data collection and usage for the 3rd Symposium on Space Educational Activities (‘SSEA’) which is organised jointly by UKSEDS, the University of Leicester, the National Space Academy, and the European Space Agency (‘ESA’).

UKSEDS

In this document ‘UKSEDS’, ‘we’, and ‘us’ refer to UK Students for the Exploration and Development of Space, registered charity number 1158580, represented by its Executive Committee, Staff, and Board of Charitable Trustees.

The Executive Committee is elected by the membership of UKSEDS at our Annual General Meeting at the National Student Space Conference. A list of current Executive Committee members can be found on our website, and the names of our Staff and Charitable Trustees are available on request. The names of our Charitable Trustees are also available from the Charity Commission for England and Wales.

We are one of the organisers of SSEA, and maintain the conference website.

Event Partners

Any and all of the data we collect regarding this event will be shared with the other event organisers, namely the University of Leicester, the National Space Academy, the European Space Agency (ESA) and the members of the SSEA Local Organising Committee.

Contacting Us

If you would like to see this policy include something else, or have any questions, please email us at [email protected]. You can also raise data privacy concerns directly with the Information Commissioner’s Office.

Definitions

We use a number of technical terms in this document that you may be unfamiliar with. These are explained below.

Anonymised Aggregate Data

We share anonymised aggregate information with a number of third party organisations and the general public.

This means data that has been stripped of any identifiable information (such as your name, email address, postal address, or phone number) and combined with other data to give a picture of a group of people as a whole. Your information is always grouped with others and never traceable back to you personally.

Typical examples of anonymised aggregate data include:

  • We get X visitors to our website per day
  • We have X email subscribers studying Physics
  • We have X% conference delegates from Russell Group universities
  • X% of newsletter subscribers open our emails
  • We sell X% of tickets in the week before an event

This data is used in our advertising materials and publications, to help people understand what we do, as well as for internal purposes, to help us understand the people we are working for.

Google Drive

Google Drive is a cloud storage service provided by Google. We use it to store the majority of our organisational documents, as well as some of the personal data we collect. Google Drive keeps track of all revisions to documents, which means that it is very difficult to permanently delete information once it has been stored on Google Drive.

Hashing

Hashing some information irreversibly transforms it into something unintelligible but unique. Hashing information is a way of protecting it whilst still making it possible to compare it against other information. You can find a full explanation of hashing in this article.

Lawful Basis

A lawful basis is a legal reason why we store and process personal data. There are six available lawful bases as outlined in the General Data Protection Regulation (GDPR).

Legitimate Interest

Legitimate interest means using data in ways you would reasonably expect, and which have a minimal privacy impact. It is the basis for most of our processing. For example, we use email addresses to send emails, and names to make name badges.

Whenever we don’t have a compelling reason to need personal data, we ask for consent and/or make the fields optional.

Consent

Consent means asking for permission to store and process personal data. We usually ask for consent even when it is not legally required, to make it explicitly clear that we will be processing your information.

Legal Obligation

Some data we are required to retain by law. This primarily applies to transaction data, which the Charities Act requires we keep for 6 years following the end of the financial year.

Contract

Some data we require in order to fulfil our contractual obligations. For example, if you represent a company that sponsors us, we need your details in order to contact you and provide the services we have offered.

Websites

Our websites are various webpages found at the ukseds.org and ssasymposium.org domains.

Web Servers and Databases

When we refer to our web servers, we are talking about computers owned and operated on our behalf by Tsohost, our hosting provider. These servers store the files and database for our websites and provide them to website visitors and our team.

Data We Collect

This section covers all the interactions you can have with us in which we collect personal data. For each interaction, we have detailed:

  • What data is collected
  • Where is it stored, and for how long
  • What is it used for
  • Whether it is shared with any third parties

If you do not provide information marked in a data collection form as mandatory, we will not be able to provide the services you have requested. Most of our collection forms will not allow you to proceed if you do not provide the required information.

Accessing our Websites

We store up to three distinct kinds of records when you access one of our websites. The data is processed to compile statistical reports on website activity. We use these reports to evaluate aggregate visitor usage so that we can optimise the content and identify what is performing well and why.

Server Logs

Our web server automatically logs all requests for webpages. This is standard procedure for most websites.

This means that whenever anyone or anything loads one of our webpages or submits data, the action will be logged. Each log entry contains the requester’s IP address, some details about the browser they are using, and the name of the page that has been requested (more information can be found here). All such logs are anonymous.

Server logs are stored by our web host on their servers. We can request access to the last 30 days of logs. We rarely use full server logs. From time to time they are analysed by our Systems team to troubleshoot problems, particularly spam attacks.

Internal Logs

Additionally we run our own logging system that operates in a similar way but only logs the visitor’s IP address and the details of the page they are visiting. All such logs are anonymous, and are stored in our database indefinitely.

Google Analytics

On top of this we run Google Analytics, which uses “cookies” (small text files placed on your computer) to collect standard internet log information and visitor behaviour information in an anonymous form. Typical examples of the information that’s recorded are:

  • Which links you clicked
  • Whether you’ve ever visited our website before
  • How long you spent on a page

Google Analytics data is stored on Google’s servers. Data associated with cookies, user identifiers or advertising identifiers is retained for 26 months after last user access. Anonymous aggregated data is stored forever. You can disable this tracking by altering your browser settings or installing software which blocks third party tracking.

Buying from Us

Event Tickets

When you purchase a ticket, we ask for various personal details, which we store in our database, and additionally in PayPal’s systems. Your financial information is processed directly by PayPal, and we cannot see your card or bank details. If you provide explicit consent, then we will add your email address to our mailing list.

| Data | Reason | Duration | Shared? |
|---|---|---|---|
| Name, billing address | Legally required as part of the transaction record | Max 7 years, then destroyed | Yes, with PayPal |
| Email address | Legally required as part of the transaction record | Max 7 years, then hashed | Yes, with PayPal |
| All other fields | Aggregate analysis | Indefinite | Yes, in anonymous aggregated form |

We are required under the Charities Act to keep transaction data for a period of 6 years after the financial year in which the transaction was made.

We hash your email address rather than destroying it so that we can see trends in how many events people attend, without compromising your anonymity.

Attending SSEA

If you attend SSEA we ask for your name and email address, which we store in our database, as well as some other optional information.

If someone else bought your ticket, then they will have provided this information on your behalf.

| Data | Reason | Duration | Shared? |
|---|---|---|---|
| Name | For contact | 1 year, then destroyed | Yes, with event partners |
| Email address | For contact | 1 year, then hashed | Yes, with event partners |
| All other fields | Aggregate analysis | Indefinite | Yes, in anonymous aggregated form |

We hash your email address rather than destroying it so that we can see trends in how many events people attend, without compromising your anonymity.

Presenting at SSEA

When we invite you to present we ask for your name, email, and phone number so that we can communicate with you. The data is stored in Google Drive indefinitely. We will share your name with the venue as they are often required to vet any external speakers. We will not share your contact details.

Sponsoring SSEA

When your company agrees to sponsor us, we ask for your name, email, and phone number so that we can communicate with you. The data is stored in Google Drive indefinitely.

Emailing Us

When you email any @ukseds.org or @ssasymposium.org address, copies of your email are stored on Google’s Gmail servers. Some addresses, including [email protected], are managed using service desk software, which means a separate copy of your email will be stored in our own databases. We use this data to communicate with you.

Third Parties

We share and sell information only in the ways explained below. When sharing identifiable personal information, we only share what is necessary.

Data Processors

We share certain identifiable personal data with third parties who do processing on our behalf.

| Party Name | Purpose | Data We Share |
|---|---|---|
| PayPal | To process financial transactions on our behalf. | Name, Email address, Billing address |
| Tsohost | To provide data storage for our data and a platform on which we build our websites | All data |
| Google | To provide cloud-based email services, hosting, storage and processing services to assist and/or enable us to manage personal data, and deliver, analyse and improve our services. | All data |
| Amazon Web Services | To provide bulk mailing services for our emails. | Email address |

Organisational Partners and the Public

We share and publish anonymised aggregate data in a variety of formats.

The Public

We share anonymised aggregate data in reports we publish publicly. We do this as part of our advocacy work to promote student involvement in the space sector.

Space Organisations

We share anonymised aggregate data with organisations in the space industry who sponsor us or advertise with us, or might do so in the future. We do this so that we can get money and support to fulfil our charitable objectives.

Partner Organisations

We have information sharing agreements with SEDS-USA, EUROAVIA, and some other organisations. These are organisations very much like UKSEDS in the United States and Europe. We swap aggregate information with them to learn from their experiences of running similar events.

Government and Statutory Bodies

If we are legally compelled to hand over information we will comply. This could include to law enforcement, or as part of audits.

How we Protect Data

We take data security very seriously and do everything in our power to keep your personal information secure.

  • We carefully limit what can be accessed publicly, and protect the rest with passwords
  • We use protocols such as HTTPS, Single Sign On, and Two Factor Authentication to minimise the chances of someone intercepting data or one of our passwords
  • We audit our data to ensure we are keeping only information we need
  • We monitor our servers and databases for suspicious activity

Data Breaches

We have a comprehensive action plan and checklist for data breach incidents. If we identify that personal data has been exposed, we will make this news public and notify any affected individuals. We will also act to identify the cause of the breach and take steps to prevent it from happening again.

Your Rights

Your rights relating to your data are written into law under the Data Protection Act, and the General Data Protection Regulation. These are:

  • The right to be informed – You have a right to be informed about how we collect, process, and store your personal data. This information is provided in this document.
  • The right of access – You have a right to access the personal data we store about you.
  • The right to rectification – You have a right to have inaccurate details corrected.
  • The right to erasure – You have a right to have personal data erased.
  • The right to restrict processing – You have a right to restrict the way in which we process your personal data.
  • The right to data portability – You have the right to obtain the personal data we store about you in a structured machine readable format.
  • The right to object – You have the right to object to the way in which we process your personal data.
  • Rights in relation to automated decision making and profiling – This right does not apply to UKSEDS as we do not engage in automated decision making or profiling.

To exercise any of the rights listed above, please email us including your name and outlining the ways in which you have interacted with us. You must also provide proof of identity, which can include sending the email from an address we have on record.