FAQ: how The Student Room treats your data

The Student Room and Get Revising websites are owned and run by The Student Room Group (TSRG). Data is enormously important in allowing us to run these sites in a way that’s useful for our visitors. Read on to find out how The Student Room Group works with the data we collect.

We collect and use data from a variety of sources:

• When a visitor uses one of our sites, we record the pages they view. This data enables us to provide a personalised experience. For example, if you are typically reading a lot of content about applying to university and history university courses, we can show you more relevant discussions on site or show you adverts for history university courses.
• When a visitor registers, we collect their email address and a username. These are used to manage access to the member’s account.
• Members can choose to enter data into their profile page and data preference centre. This data is also used to personalise what they see on site. It can also be used to determine what emails we may send that person, if they have opted in to receive emails from us.

As of 25 May 2018, the General Data Protection Regulation (GDPR) applies to all companies that work within the EU. GDPR and the new Data Protection Bill currently passing through UK parliament will set out how the UK will replace all existing data protection laws in the UK.

The changes to data protection laws will standardise requirements across the whole EU and for any organisation outside the EU offering goods or services to people within the EU. They also redefine an individual’s rights in relation to controlling and protecting their personal data, and requires all organisations collecting or using personal data to document their compliance.

In effect, these changes ensure data protection laws are strengthened and fit for purpose in an increasingly digital world.

GDPR aims to ensure people have more control over how companies use their data. We’re using this update in the law as an opportunity to completely revisit all we do with personal data, to ensure we continue to fully comply with all regulations and follow best practice regarding data privacy and security.

TSRG does not share or sell the data we collect on our site visitors.

However, we do work with a number of third party organisations to process our data. These are known as data processors under GDPR and they include our data management platform and our email service providers. But with all of these organisations, TSRG remains in control of the data and determines exactly how the data is used.

In addition, we are carrying out a thorough audit of all these data processors to ensure they too, are fully prepared for GDPR.

We will only continue to work with a data processor if it can be proved they are GDPR compliant and our contract with them sets out precisely how they will use our data and how they will ensure continued GDPR compliance.

Under GDPR, the definition of personal data is very broad. The definition includes the obvious examples such as email addresses and names. But it can also include unique identifiers like member account IDs, cookie IDs and sometimes IP addresses.

Much of the data we collect will be associated with one of these ID numbers, so it can be associated back to a site visitor when they are on our sites.

In theses cases, access to the data will be strictly limited only to the individuals at TSRG who need it as part of their job. Much of the work we do doesn’t actually need routine access to the data and instead most of the processing happens in automatic systems (with appropriate security measures in place).

When we do internal reporting on the data, it will be with either anonymised data or aggregated data, with no ability to link the report data back to an individual.

In addition, all TSRG staff will undergo data protection training at a level appropriate to their access to personal data, so they are fully aware of the data protection GDPR will bring and their responsibilities under it.

How long we keep data for depends on the type of data and the uses of it. For example, data collected on the topics of content you read is typically kept for 90 days in our data management platform.

Difficulties arise when considering how long it is appropriate to keep the data associated with a dormant member account, such as the email address and username. We do have members return to TSR after a number of years of inactivity. Does it become appropriate to delete an account after a period of inactivity? Or is there an expectation by the member that the account will always be active should they ever wish to return?

We are also aware that the data you give us can stop being accurate – essentially it may have an expiry data. For example, if you tell us you are a GCSE student in the data preference centre, and don’t chose to update that yourself, a time will come when that data is no longer correct.

We need to ask at what point does that happen and, when it does, do we delete the data, infer what it should change to or ask the visitor to update it?

At the moment we do not have answers on all these questions, but we will be working towards determining appropriate policies that balances the expectations of our site visitors and the requirements that GDPR imposes. We will aim to include details of this in our updated privacy policy.

TSR and Get Revising are free-to-use websites that we believe are the best-loved and most-useful UK student communities. We want to continue to nurture these communities and ensure that all our visitors have a great experience and get the help they seek.

But this does cost money, including but not limited to the staff to run and develop the site and the technical infrastructure to keep it all going.

We get the money in a number of ways, such as showing advertising on site, sending out paid-for emails to our members with messages from the institutions, recruiters and brands we work with, or through partnerships with key organisation (such as universities, Student Finance England and the National Apprenticeship Service) to offer enhanced content to our visitors.

With all of this we use your data (where relevant with your explicit permission) to ensure the most appropriate messages appear to the right people at the right time – helping the organisations we work with to get better results and aiming to enhance each visitors experience (perhaps even changing their lives by connecting them with their perfect university).

On top of this, making TSRG a healthy and profitable business is an important objective that will ensure TSR and Get Revising can continue to help students and young people for years to come.

One of the aims of GDPR is to make it easier for individuals to control their data and how it is used. We are currently in the process of reviewing how and where you can control your data in our systems.

For example, members can already control the types of emails they receive from us (and hence how we use your data in relation to sending emails) via the email preferences page.

We have already made an initial update to our on-site privacy polices outlining in detail the types of data we collect and how we use it and will aim to be as transparent as possible with our site visitors in how we use their data.

We plan to continue to make future updates to our privacy policies and processes to ensure you have clear and transparent control over your data we hold and the way we use it, as understanding of the GDPR continues to evolve.