Report a data breach

Introduction

The University of Chester is committed to protecting the rights and freedoms of individuals as detailed in relevant Data Protection legislation including looking after any personal data that it collects, uses or hold. This Data Processing and Privacy Notice describes how and why we collect and use personal information about you. It is issued under your right to be informed about how the University collects, uses and stores your personal data.

The University of Chester is committed to providing a supportive and inclusive environment for all members of the University community. We value equality and diversity and promote respect. The on-line reporting tool allows you or someone you know who has experienced or witnessed unacceptable behaviour such as harassment, discrimination, sexual assault, abuse, bullying or hate crime to report the incident.

Reports may be made anonymously; this will inform the University that something has happened and allows us to better understand the prevalence of issues within our community and take positive action to address these.

However, in certain circumstances the University may have an obligation or legal duty to disclose information.

Data Protection Principles

We will comply with data protection legislation, which says that the personal information we hold about you must be:

  • Used lawfully, fairly and in a transparent way
  • Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes
  • Relevant to the purposes we have told you about and limited only to those purposes
  • Accurate and kept up to date
  • Kept only as long as necessary for the purposes we have told you about
  • Kept securely

What Personal Data does the University collect?

The following data is collected:

  • Name of the Reporting Individual.
  • Email address of the Reporting Individual.
  • Telephone number of the Reporting Individual.
  • Nature of the Reporting Individual’s relationship with the University e.g. staff, student, visitor.
  • A description of the type of unacceptable behaviour and a description of the incident.
  • A free text field is included to allow Reporting Individuals to give further information.

Reporting Individuals may choose to do so anonymously.

What Special Category Data does the University Collect?

The Reporting System does not directly request or require any special category data relating to the Reporting Individual or any other persons who the Reporting Individual may mention. However, it is recognised that information contained in the report may in certain circumstances contain special category date relating to the racial or ethnic origin, political opinions, religious or philosophical beliefs, TU membership, health, sex life or sexual orientation of the Reporting Individual or other persons.  

Why does the University need this data and how will the University use this data?

If you choose to provide your contact details, your data will be used to contact you and provide you with appropriate advice, support and signposting.

If you choose to report anonymously, the University will not be able to contact you to offer support. However, the data collected will allow us to see prevalence of unacceptable behaviours and any trends. This will help to inform our prevention work in these areas and ensure that we are allocating adequate resources to this.

Where someone reports anonymously, in certain circumstances the University may have an obligation or legal duty to disclose information

Data collected from the ‘Report a Concern’ system will be used in reporting, all data will be anonymised and reporting will look at types and prevalence of behaviours.

What is the Legal Basis for processing the data?

Art. 6.

The Reporting Individual as data subject has given their consent to the processing of their data for the purposes detailed above.

Processing may also be necessary for compliance with a legal obligation to which the University is subject; or processing is necessary to protect the vital interests of an individual.

Processing may also be necessary for the purposes of a task carried out in the public interest or in the legitimate interests pursued by the University or a legitimate third party. 

Art. 9.

The reporting individual has given their explicit consent by including such data in their submission.

For how long will the University keep this Data?

The University will keep students’ data in line with the University’s retention schedule.

Records from the ‘Report a Concern’ system will be kept for 3 years after a student has left the University.

Who has access to the data and with whom will the University share this data?

Reports made by or relating to either staff, students or other users will be kept confidential within the appropriate University departments and not shared unless necessary. An individual’s information will only be disclosed outside of the relevant department in exceptional circumstances and in accordance with statutory requirements and data protection legislation.

How will the University keep this data secure?

The University of Chester operates an Information Security Policy which recognises that with the increasing demands being placed on ICT and Information Systems there is a need to understand and control, in a coherent manner, the associated risks. The principal objective of the policy is to protect the information, including personal data, held by the University. In support of this policy the University publishes an Information Security Framework which is based on ISO 27001:2005 and uses ISO/IEC 27002:2005 Information Security Techniques – Code of Practice for Information Security Management.

The University has detailed measures implemented in the areas of Business Continuity Management; Information Handling; User Management; Acceptable Use of Computers, the Network and JANET; System Planning and Operation and Incident Reporting and Handling.

Access to all information services shall use a secure log on process and access to the University’s business systems is also be limited by the location of the initiating terminal. All access to information services is logged and monitored in order to identify potential misuse of systems or information.

Data will be kept securely on the ‘Report a Concern’ system, in line with the University’s information protection policies. Sensitive information will be encrypted to add further protection. In addition to this, only staff with administrative permissions will be able to access the ‘Report a Concern’ database.

Your duty to inform us of changes

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes. 

What Rights do you have as a Data Subject?

As a data subject of the University, under the Data Protection legislation, you have a number of rights with regards to your data, dependent upon the legal basis for processing that data. As such you have the right to…

  • Withdraw consent - where the University has used consent as the legal basis for processing;
  • Be informed – about how the University, collects and uses your data;
  • Access your personal data that the University holds and process;
  • Rectify or correct any inaccuracies in your personal data that we hold;
  • Be forgotten by requesting that your details are removed from the University systems;
  • Restrict the processing of your data whilst it is being verified or corrected;
  • Port your data in a machine readable and commonly used format; 
  • Object to certain processing by the University including direct marketing, automated decision making, profiling, scientific/historical research and statistics;

The above rights are not absolute and may only apply in some circumstances such as being dependent upon which lawful process has been used or whether an exemption may apply.

You may contact the University’s Data Protection Officer as necessary regarding your rights. 

Who is the Data Controller and who is the Data Protection Officer?

The Data Controller is the University of Chester, Parkgate Road, Chester, CH1 4BJ. The Data Controller’s representative can be contacted at the University address and on 01244 511000

The University’s Data Protection Officer (DPO) can be contacted at the University’s address and telephone number and also by email at dpo@chester.ac.uk.

How to raise questions, comments, concerns, or complaints.

Should you have any questions, comments, concerns or complaints regarding the use of your personal data you should contact the University’s Data Protection Officer as detailed above. 

You may also raise any concerns or complaints with the Information Commissioner’s Office who may be contacted as follows:

Information Commissioners Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113
Website: www.ico.org.uk

Changes to this Notice

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.