This privacy notice tells you how your personal data within the Report and Support tool.
Cardiff University is the Data Controller and is committed to protecting the rights of individuals in line with Data Protection legislation. We are registered as a Data Controller with the Information Commissioner's Office (ICO) to process personal data. Reg no Z6549747.
Depending on your relationship with the University, this notice will apply in addition to and does not replace the University’s general data protection notices for students and applicants and staff.
Anonymous reporting The Specialist Practitioner will start by reviewing the report and identifying any risks related to duty of care. If the information provided falls under Cardiff University's safeguarding policy and a vulnerable individual is at risk of harm, the administrator will remove any identifiable information about the individual or those they are reporting. If no immediate risk is identified, no further direct action can be taken. This is the nature of anonymous reporting, in which no identifiable information should be included. However, the information is crucial for the University to monitor trends and develop responses. The Dashboard Administrator will add anonymous reports to a database, enabling the University to identify trends over time. This can help create a proactive approach to address identity-based harassment. For instance, anonymous reports could prompt the University to initiate anti-harassment or anti-bullying campaigns or training sessions across schools, colleges, or the entire University. In many cases, the University may not be able to take direct action on a particular anonymous report. These anonymous reports can be the sole source of information for the University to understand what types of sexual misconduct, harassment, bullying, and hate crimes are occurring on campus. Therefore, they are essential to our efforts to end these forms of abuse.
What personal information we collect and why When you report to us, we will collect some information from you so that we can provide you with the right information and support. We will assess what you tell us and where necessary take action to protect the University community, taking consideration of our duties for health & safety and safeguarding and the University’s expected standards of conduct. We will also collect some demographic information so that we can monitor who uses the tool – this is a tool for everyone, so it is important to ensure inclusivity. People may report about you, for example about your perceived behaviour, an incident or event you have witnessed or where you have been subjected to unwanted behaviour. The nature of the report will therefore determine the personal data we hold about you. The following types of personal data are the core fields we will be collecting but this should not prevent you from including any additional relevant personal data as part of your report:
- Name
- Contact information (email address, telephone number)
- Student/Staff ID number
- School/College/PS Dept
- Age group
- Racial or Ethnic origin
- Health/disability
- Religious belief
- Sex life or sexual orientation
- Gender reassignment
- Criminal Offence data
Our legal basis for processing your personal data?
UK GDPR Article 6(1)(b) – performance of a contract Conduct standards form part of contracts for both staff and students. Where unacceptable behaviours are reported, the university may process the personal data for the purposes of investigation under the relevant Student Conduct and Staff Disciplinary processes.
UK GDPR Article 6(1)(c) – legal obligations as an employer and as public authority As a public authority, the university is subject to the Public Sector Equality Duty. These activities will support the university’s discharge of said Duty in a) supporting individuals and b) identifying future initiatives to eliminate discrimination and harassment.
UK GDPR Article 6(1)(d) – Vital interests There may, on rare occasions, be a need to process personal data where it is necessary to protect the life of any individual.
UK GDPR Article 6(1)(e) - Public task It is considered the task falls within the University’s objects as set out in its Charter (the exercise of official authority vested in the controller). In addressing discriminatory and harassing behaviours and working to eliminate these the University will be advancing the objects to promoting health and welfare, and contributing to the social, cultural and economic development of Wales and the UK.
UK GDPR Article 9(b) and DPA 2018 Schedule 1 para 1 - Employment, social security and social protection
UK GDPR Article 9(g) AND DPA 2018 Schedule 18 paras 8, 10 and 18 - Reasons of substantial public interest See the University’s Appropriate Policy Document (students/staff) for justification on special category data and criminal offence data.
How long we will hold the personal information
Cardiff University will retain your personal information in line with the university Records Management Policy and Records Retention Schedules.
Data protection rights Under data protection legislation you have certain rights, such as the right to request a copy of your personal data held by the University and the legal basis on which we process your data. To find out more about your rights and how you can exercise them, please see our web page on your data protection rights. For further information please see the following guidance published by the Information Commissioner’s Office.
Who accesses and receives the personal data Only members of staff who need access to relevant personal data within the Report and Support tool will be authorised to do so. These staff have received relevant information security training and follow clear protocols and procedures around disclosure.
These protocols and procedures set out:
- how identifiable information will be shared with other areas of the University to address directly the matters raised in the report; and
- how non-identifiable management information will be extracted from the system for reporting through University governance channels.
Security of your information
Data Protection legislation requires us to keep your information secure. This means that your confidentiality will be respected, and all appropriate measures will be taken to prevent unauthorised access and disclosure. Information about you in electronic form will be subject to password and other security restrictions. You can find out more by referring to the University Information Security Policies. Some processing may be undertaken on the University’s behalf by an organisation contracted for that purpose. These organisations are contractually bound to keep your data safe and only use it as Cardiff University tell them to. Generally, information you provide to us is stored on our secure servers, or on our cloud-based systems. These are located within the UK or in countries/areas which are considered to have adequate privacy and information security provisions, such as the EEA. However, there are times when we will need to store information outside these locations and where we do we will carry out transfer risk assessments where required to ensure that appropriate security measures are taken to protect your privacy rights. This may mean imposing contractual obligations on the recipient of your personal information where no other relevant safeguards exist. Technical measures such as encryption will also be considered.
How to raise a query, concern or complaint If you have a query, concern or complaint, please contact the relevant team the first instance.
- Students – Student Health and Wellbeing Team
- Staff – Dealing with Complaints
- Members of the public - Complaints
If this does not resolve your concerns, you can contact the University’s Data Protection Officer: The Data Protection Officer
Compliance and Risk, University Secretary’s Office Cardiff University
McKenzie House, 30-36 Newport Road Cardiff
CF24 0DE
Email: Inforequest@cardiff.ac.uk
If you remain dissatisfied then you have the right to apply directly to the Information Commissioner for a decision. The Information Commissioner can be contacted at:
Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire,
SK9 5AF www.ico.org.uk