UCL ‘Report + Support’ PRIVACY NOTICE
- About this privacy notice
- What is 'personal data'?
- UCL's data protection obligations
- About the Report and Support tool at UCL
- Personal data we collect about you
- Purposes for which we process your personal data and the legal bases for processing
- Third parties with whom we may share your personal data
- Transfers outside the European Economic Area
- Information security
- Retention periods
- Your rights
- Automated processing
- Who regulates the use of my personal information?
- Who do I contact with questions?
1. About this privacy notice
UCL (“we” “us”, or “our”) respects your privacy and is committed to protecting your personal data.
Please read this privacy notice carefully – it describes why and how we collect and use personal data in the context of the Report and Support tool and provides information about your rights.
This privacy notice applies to personal data provided to us both by individuals themselves or by third parties and supplements the following wider UCL privacy notice(s):
We keep this privacy notice under regular review. We may withdraw or modify this notice at any time and we may supplement or amend this notice by additional policies and guidelines from time to time. Any changes we make to this privacy notice in the future will be posted on UCL Report + Support website and communicated through The Week @ UCL and My UCL.
This privacy notice was last updated on 13 October 2020.
2. What is 'personal data'?
This privacy notice was last updated on 13 October 2020.
2. What is 'personal data'?
'Personal data' means any information which identifies you as an individual. It may include your name but it may also be other information such as your date of birth, nationality and gender which when combined identify you.
It does not include information which does not relate to an identified or identifiable individual, or to personal data rendered anonymous in such a manner that the individual is not or no longer identifiable.
‘Sensitive personal data’ or 'special categories of personal data' such as information about racial or ethnic origin, political opinions, religious beliefs or other similar beliefs, trade union membership, physical or mental health and sexual life, are given a high level of protection under data protection law.
Personal data relating to criminal convictions and offences are also treated as requiring additional protections.
3. UCL's data protection obligations
Under current data protection laws UCL is a controller, as we determine the purposes for which, and the manner in which, any personal data is, or is likely to be, processed. This means that we are legally responsible for the personal data we collect and hold about you.
One of our responsibilities is to tell you about the different ways in which we use your personal data – what information we collect (and our legal basis for doing so), why we collect it, where we collect it from and whether (and with whom) we will share it. We also need to tell you about your rights in relation to the information. This notice provides further details about all of these issues in respect of the Report and Support tool.
4. About the Report and Support tool at UCL
The Report and Support tool at UCL provides staff and students with a portal to report and also seek support in respect of issues of bullying, harassment and sexual misconduct.
Reports may be made by UCL staff and students and may be either:
(a) anonymous, whereby no names or other information that could be used to identify the individual making the report are provided. UCL encourages individuals making an anonymous report not to include names or other information that could be used to identify a third party. Nevertheless, we acknowledge that there may be circumstances in which it is appropriate to make an anonymous report containing such information; or
(b) named, whereby the names and contact details of the individual making the report are included, in addition to names or other information which could be used to identify third parties.
Further detail on the data collected and how we will use that data in each of the above circumstances is set out below.
Please note that where you make a report through the Report and Support tool, UCL will usually disclose information to its staff members on a need to know basis only. We will not generally take steps such as investigating the complaint, initiating disciplinary or other formal proceedings (including litigation) or passing information on to third parties in order to take the report further unless: (a) you have made a named report; and (b) you agree to this action.
However, there are certain circumstances in which UCL may take steps such as those listed above even where: (a) an anonymous report is received (in which case action will be taken on a 'no names' basis); or (b) you have made a named report but you do not wish to take your report further. This is usually where there are concerns for your safety or another person’s safety. Please see section 7 below and our separate guidance notes on duty of care and confidentiality for further information on this point.
Please also note that information relating to an individual's criminal convictions or offences must not be included in a report. We also strongly discourage the inclusion of speculation on an individual's potential criminal convictions and offences in a report.
In particular, the Report and Support tool is not designed to be used when reporting potential safeguarding or other issues to UCL which may relate to an individual's criminal convictions and offences. If you become aware of a safeguarding issue, please follow the procedures set out in UCL's safeguarding policies here, including the UCL Safeguarding Children and Adults at Risk Policy and Procedure (Staff and Students) which is available here. Any criminal convictions information included in a report will be removed before the report is processed.
If an individual's criminal convictions data is included in a report and, due to the nature of the information, UCL has a duty to act – for example, because a safeguarding issue arises – that information will be removed from the report and passed on to the appropriate department within UCL.
5. Personal data that we collect about you
Anonymous reports
If an anonymous report is made, the Report and Support tool is set up so that we do not know who has made the report. UCL discourages the provision in anonymous reports of names or other information that could be used to identify a third party. However, if any such information is shared, UCL will use that information in order to review and process the report.
Named reports
If a named rather than an anonymous report is made, we may collect, use, store and transfer different kinds of personal data about the person making the report. This may include:
- Your name, contact details and other information about you such as your department (where applicable) and your age;
- ‘Special category’ personal data about you (this may include details about your race or ethnicity, religious or philosophical beliefs, sexual orientation, political opinions, trade union membership, information about your health etc.); and
- Detail regarding your experience of bullying, harassment and sexual misconduct.
We will also process the names and other details about third parties who are involved in the issues reported.
6. Purposes for which we process your personal data and the legal bases for processing
6. Purposes for which we process your personal data and the legal bases for processing
The main purposes for which we process your personal data in respect of both named and anonymous reports are set out in further detail in the table below.
Data protection laws require us to meet certain conditions before we are allowed to use your data in the manner described in this notice, including having a "legal basis" for the processing. Where we process special category personal data, we are required to establish an additional legal basis for processing that data.
We take our responsibilities under data protection laws extremely seriously, including meeting these conditions. The main legal bases on which your personal data are generally processed in relation to the Report and Support tool are also explained in the table below:
|Purpose | Legal Basis
| Reviewing and processing a report and, where appropriate, sharing your personal data with third party controllers (such as passing your data on to a Dignity Advisor or the police, where relevant) or passing it on to the appropriate department within UCL. | For all information Performance of a task in the public interest UCL will be processing personal data in its capacity as a public authority in connection with its core purposes of education, research and innovation, and its responsibility to its staff and students in relation to its core purposes. Please see our Statement of Tasks in the Public Interest for further information. Performance of a contract Where a report is made by or about a UCL member of staff or student, UCL may process personal data in order to fulfil its obligations under our contract with that staff member or student. For special category data Equality of opportunity or treatment We process certain types of special category data in order to monitor equality of opportunity/treatment. Employment law obligations We may also process certain special category data where this is necessary so that we can meet our obligations in the field of employment law. Statutory and government purposes We may process special category data in order to fulfil our duties under the Equality Act 2010. Safeguarding of children and of individuals at risk We may process special category data in order to safeguard children or individuals at risk. Preventing or detecting unlawful acts We may process special category data in order to prevent or detect an unlawful act. Establishment, exercise or defence of legal claims It may be necessary to process your special category personal data in relation to establishing, exercising or defending legal claims. Consent Where you have made a report and we cannot rely upon any other appropriate legal basis, we will generally seek to obtain your consent to the processing of your special category personal data when reviewing and processing that report and sharing your special category data with a Dignity Advisor. Where we are relying on a legal basis to process your special category personal data that is not listed in this table, we will inform you of the legal basis before we start processing your special category personal data based on that legal ground. For criminal convictions data This guidance makes it clear criminal convictions data should not be included in reports. Nevertheless, if this guidance is not followed, there are circumstances in which criminal convictions data included in a report would be passed to the relevant department within UCL. We may then rely on the legal bases set out below when reviewing and passing on such information. Regulatory requirements relating to unlawful acts and dishonesty We may process your criminal convictions data in order to assist a third party to comply with a regulatory requirement that requires the taking of steps to establish whether another person has: (i) committed an unlawful act, or (ii) been involved in dishonesty, malpractice or other seriously improper conduct do so. Safeguarding of children and of individuals at risk We may process your criminal convictions data in order to safeguard children or individuals at risk. Protecting the public against dishonesty We may process your criminal convictions data in order to protect the public against dishonesty, malpractice or other seriously improper conduct; and unfitness or incompetence. Employment law obligations We will only process criminal convictions information where this is necessary so that we can meet our obligations in the field of employment law. Where we are relying on a legal basis other than those set out above in processing your criminal convictions data, we will inform you of the legal basis before we start processing your criminal convictions data based on that legal ground.
7. Third parties with whom we may share your personal data
Third party service providers
In the context of the Report and Support tool, we will share your data with third party service providers that help us provide the tool, such as Culture Shift. This enables us to make the Report and Support tool available to you. Please see Culture Shift’s Knowledge Base for further information on the security measures adopted by Culture Shift, which are designed to help keep personal data secure.
The police/social care services/local authorities/other similar bodies
There are certain circumstances in which UCL may provide information about the matters raised in a report, including personal data, to third parties such as the police and social care services. This may include providing personal data about you without your consent. Our duty of care guidance sets out how personal data may be shared in the following circumstances:
- An allegation about behaviour by a staff member or student towards a student who is under the age of 18;
- An allegation about behaviour by a staff member or student towards an adult at risk; or
- An allegation about behaviour by a staff member or student towards another staff member or student over the age of 18.
UCL's consultants and professional advisors
Depending on the circumstances, UCL may need to share details of reports made with its consultants and other professional advisors, such as solicitors.
Courts and tribunals
In the event that a report results in legal proceedings being issued, UCL may share personal data with the relevant courts and tribunals.
Data subject access requests
As outlined in the confidentiality note, personal data included in a report, including an anonymous report – and any subsequent documentation and correspondence – may be disclosed by UCL in response to a 'data subject access request' ("DSAR"). This is where the individual to whom the personal data relates exercises their right under data protection law to request a copy of their personal data, in addition to information about how and why that personal data is being used. A DSAR may be made by the person who submitted the report, the individual to whom the complaint relates, or by a third party who is referred to in the report.
UCL has policies and procedures in place which govern how DSARs are dealt with (see here for further information). Please note that when responding to a DSAR relating to a report – whether named or anonymous – UCL will uphold its confidentiality obligations in respect of the report, subject to certain limitations as set out in the confidentiality note.
Under data protection law, UCL is not obliged to comply with a DSAR if this would mean disclosing information about another individual who can be identified from that information, unless either: (i) the other individual has consented to the disclosure; or (ii) it is reasonable to comply with the request without that individual's consent. When determining whether it is reasonable to disclose the information, UCL will take into account factors including: (i) the type of information that would be disclosed; (ii) any duty of confidentiality owed to the other individual; and (iii) any express refusal of consent by the other individual.
Given the nature of a report made using the Report + Support tool and the confidentiality obligations owed to individuals in this context – including where an anonymous report has been made – UCL will endeavour to avoid disclosing personal information other than that of the individual who submitted the DSAR, unless explicit consent to the disclosure is given by other relevant individuals. Nevertheless, as outlined in the confidentiality note, even in the case of anonymous reports, there may be circumstances in which the disclosure of personal data from a report and/or associated documentation or correspondence in response to a DSAR may enable the requester to determine the identity of the person who made the report, e.g. if a specific event or incident has been referred to. In such circumstances, UCL will consider its response carefully and will endeavour to balance the requester's right under data protection law to receive their information against its confidentiality obligations.
Further information
Note that the list of third parties in this section is not exhaustive – data may also be shared in accordance with the privacy policies listed at section 1 above, as applicable.
Please see our separate guidance note on duty of care for further information on the third parties with whom information may be shared in the above circumstances, including the police and/or social care services (as appropriate).
Please also see the confidentiality note for further information on the circumstances in which UCL may be required to share your information with third parties.
8. Transfers outside the European Economic Area
Depending on the circumstances, UCL may need to share details of reports made with its consultants and other professional advisors, such as solicitors.
Courts and tribunals
In the event that a report results in legal proceedings being issued, UCL may share personal data with the relevant courts and tribunals.
Data subject access requests
As outlined in the confidentiality note, personal data included in a report, including an anonymous report – and any subsequent documentation and correspondence – may be disclosed by UCL in response to a 'data subject access request' ("DSAR"). This is where the individual to whom the personal data relates exercises their right under data protection law to request a copy of their personal data, in addition to information about how and why that personal data is being used. A DSAR may be made by the person who submitted the report, the individual to whom the complaint relates, or by a third party who is referred to in the report.
UCL has policies and procedures in place which govern how DSARs are dealt with (see here for further information). Please note that when responding to a DSAR relating to a report – whether named or anonymous – UCL will uphold its confidentiality obligations in respect of the report, subject to certain limitations as set out in the confidentiality note.
Under data protection law, UCL is not obliged to comply with a DSAR if this would mean disclosing information about another individual who can be identified from that information, unless either: (i) the other individual has consented to the disclosure; or (ii) it is reasonable to comply with the request without that individual's consent. When determining whether it is reasonable to disclose the information, UCL will take into account factors including: (i) the type of information that would be disclosed; (ii) any duty of confidentiality owed to the other individual; and (iii) any express refusal of consent by the other individual.
Given the nature of a report made using the Report + Support tool and the confidentiality obligations owed to individuals in this context – including where an anonymous report has been made – UCL will endeavour to avoid disclosing personal information other than that of the individual who submitted the DSAR, unless explicit consent to the disclosure is given by other relevant individuals. Nevertheless, as outlined in the confidentiality note, even in the case of anonymous reports, there may be circumstances in which the disclosure of personal data from a report and/or associated documentation or correspondence in response to a DSAR may enable the requester to determine the identity of the person who made the report, e.g. if a specific event or incident has been referred to. In such circumstances, UCL will consider its response carefully and will endeavour to balance the requester's right under data protection law to receive their information against its confidentiality obligations.
Further information
Note that the list of third parties in this section is not exhaustive – data may also be shared in accordance with the privacy policies listed at section 1 above, as applicable.
Please see our separate guidance note on duty of care for further information on the third parties with whom information may be shared in the above circumstances, including the police and/or social care services (as appropriate).
Please also see the confidentiality note for further information on the circumstances in which UCL may be required to share your information with third parties.
8. Transfers outside the European Economic Area
We do not transfer your personal data outside the European Economic Area (EEA) in relation to the Report and Support tool.
9. Information security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We have established procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
10. Retention periods
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
We will keep records of all reports, both anonymous and named, for one year from case closure on the ‘Report + Support’ system. All personal data will be kept according to the Records Retention Schedule.
We may retain some anonymised information in order to monitor our work in this area but you will not be identifiable from this information.
11. Your rights
Subject to certain conditions, you have the following rights in relation to your personal data:
- Right 1: A right to access personal data held by us about you.
- Right 2: A right to require us to rectify any inaccurate personal data held by us about you.
- Right 3: A right to require us to erase personal data held by us about you. This right will only apply where, for example, we no longer need to use the personal data to achieve the purpose we collected it for; or where you withdraw your consent if we are using your personal data based on your consent; or where you object to the way we process your data (in line with Right 6 below).
- Right 4: A right to restrict our processing of personal data held by us about you. This right will only apply where, for example, you dispute the accuracy of the personal data held by us; or where you would have the right to require us to erase the personal data but would prefer that our processing is restricted instead; or where we no longer need to use the personal data to achieve the purpose we collected it for, but we require the data for the purposes of dealing with legal claims.
- Right 5: A right to receive personal data, which you have provided to us, in a structured, commonly used and machine readable format. You also have the right to require us to transfer this personal data to another organisation.
- Right 6: A right to object to our processing of personal data held by us about you.
- Right 7: A right to withdraw your consent, where we are relying on it to use your personal data. Note that a withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal. However, a withdrawal of consent may prevent us from reviewing and processing a report, and/or from taking further action based upon that report.
- Right 8: A right to ask us not to use information about you in a way that allows computers to make decisions about you and ask us to stop.
In certain circumstances, we may need to restrict your rights in order to safeguard the public interest (e.g. the prevention or detection of crime) and our interests (e.g. the maintenance of legal privilege).
If you wish to exercise any of the above rights, please contact us using the details set out at section 14 below.
12. Automated processing
If you wish to exercise any of the above rights, please contact us using the details set out at section 14 below.
12. Automated processing
UCL does not use automated processing and decision making without manual intervention. This includes in relation to data received in the context of the Report and Support tool.
13. Who regulates the use of my personal information?
UCL maintains a data protection registration with the Information Commissioner's Office, the independent authority which oversees compliance with the data protection laws. Our registration number is Z6364106 and this registration sets out, in very general terms, the full range of purposes for which we use student, staff and all other personal information. Please see the Information Commissioner's Office website for details.
14. Who do I contact with questions?
If you have any questions about your personal data and UCL that are not answered by this privacy notice then please consult UCL's data protection web pages here, where further guidance and relevant UCL policy documentation can be found.
If you need further assistance, please contact UCL's Data Protection Officer: data-protection@ucl.ac.uk or Data Protection Officer, UCL Gower Street, London WC1E 6BT.
If we are unable to adequately address any concerns you may have about the way in which we use your personal data, you have the right to lodge a formal complaint with the UK Information Commissioner's Office. Full details may be accessed on the complaints section of the Information Commissioner's Office website.