When a data breach report form has been submitted, the following personal information is provided to us: name(s), the relationship to BCU (e.g. staff, student, external), staff and student IDs (if applicable) and the email address(es) of the reporting party, the person that identified the breach and the person that caused the potential or actual breach. We may also process the personal information that has been potentially or actually breached in order to assess the risk and severity.
When a data protection complaint has been submitted, the following personal information is provided to us: name, the relationship to BCU (e.g. staff, student, external), the email address, phone number, staff or student ID (if applicable) and information relating to the complaint.
The legal basis for BCU processing personal information in relation to these two topics is ‘legal obligation’ as we have a legal obligation to process potential and actual data breaches and data protection complaints. Special category data is information about your health (physical or mental), race, ethnic origin, religious or political beliefs, membership of a trade union and sexual orientation.
The special condition permitting the processing of the special category personal data depends on the context. The most likely to apply are Article 9(2)(b) ‘Employment, social security and social protection law’, which would include the Equality Act 2010, or Article 9(2)(g) Substantial Public Interests – Statutory and government purposes. Only if no other conditions of processing apply, we will rely on your explicit consent.