Information Governance Privacy Notice

Introduction

This Privacy Notice outlines how Canterbury Christ Church University (the Data Controller) collects, uses, and protects personal data in relation to the processing of information requests such as subject access requests, Freedom of Information (FOI) requests, Environmental Information Regulations (EIR) requests and complaints relating to data protection matters including FOI and EIR complaints. It applies to any individuals who make an information request, or complaint related to data protection matters to the Information Governance team.

We are committed to handling your personal data responsibly and transparently, in accordance with the Data Protection Act 2018 and UK General Data Protection Regulations (GDPR) and any other relevant legislation. This notice is intended to ensure you are fully informed about how your personal information is used and the rights you have in relation to it.

You can access our Data Protection Policy here.

What personal information do we collect about you?

When you engage with the University in relation to requests for information or complaints relating to data protection, we collect and retain relevant personal data. This information is used for the purposes set out in Section 3 of this Privacy Notice.

We may process the following categories of personal data about you:

• Name
• Date of birth
• Student ID number
• Staff ID number
• Telephone number
• Email address
• Address
• Company/organisation name
• Job title
• Course name
• Documents to verify your identity
• Information relating to the nature of your complaint or request

We may also process special category data that you provide us in order to locate the information you are requesting or to appropriately investigate your complaint.

If you choose not to submit any personal information when requested, we may not be able to process your request for information or complaint.

For example, if you make a subject access request for copies of your own information, we will request proof of identification to assure ourselves of your identity. If you refuse to provide this documentation, we will not be able to process your request.

How do we collect your information?

The University may collect your personal data through a range of methods and sources, depending on your relationship with us and the nature of our interaction. We may collect your personal information:

Directly from you – when you fill in forms or correspond with us relating to your request or complaint.

From third parties – when people make requests or complaints on your behalf or if you make a request or a complaint through one of our partner colleges or Universities.

How do we use your personal data?

The University may process your personal data for the following purposes:

• To process and respond to your information request or complaint
• To comply with our legal obligations under the Data Protection Act 2018 and UK General Data Protection Regulations (GDPR), the Freedom of Information Act 2000 and the Environmental Information Regulations Act 2004.

The lawful basis we use to process your data

Data protection law sets out reasons for collecting and processing your personal data. In this section, we outline the legal bases the University uses.

We will be processing your data under:

• Article 6(1)(c) Legal obligation "processing is necessary for compliance with a legal obligation to which the controller is subject"

We process your personal data under this legal basis so we can fulfil your information request or complaint. This is a legal obligation under the following legislation that we are subject to:

• UK General Data Protection Regulations
• Data Protection Act (2018)
• Freedom of Information Act (2000)
• Environmental Information Regulations (2004)

Where we process Special Category Data, we will do so under the following legal basis:

• Article 9(2)(g) Reasons of substantial public interest (with a basis in law)

We have an Appropriate Policy Document in place which records our processing in relation to Special Category Data and Criminal Offence Data. If you are a student, you may access the document here. If you are a member of staff, you may access the document here.

Who do we share your personal data with

We may share your personal data with trusted third-party service providers who act as data processors or controllers on our behalf. These partners are other organisations that support with the delivery and operation of courses or other University activities, such as courses provided by our partner colleges and Universities. We may share your personal data with these third parties to fully comply with your information request or to ensure your complaint is investigated.

We may also disclose your personal data where necessary to comply with our legal or statutory obligations under the Data Protection Act 2018 and UK GDPR. This may include sharing information with government departments, regulatory bodies, funding agencies or law enforcement authorities where disclosure is legally required. All third parties are required to handle your data securely and in accordance with data protection legislation.

Whoever we share your information with, we will only share what is relevant and necessary to perform the specific task or to meet our legal obligations.

How long do we keep your personal data

We retain personal data only for as long as is necessary to fulfil the purposes set out in this Privacy Notice, including to satisfy legal, regulatory, and contractual obligations. This includes our obligations under the Data Protection Act 2018, UK GDPR, Freedom of Information Act 2000, Environmental Information Regulations Act 2004.

In relation to information processed for the purposes laid out above, we retain personal data in line with the Governance and Legal Services Retention Schedule as detailed below.

Type of Documentation	Retention Period	Reason for Retention Period
Freedom of Information and Environmental Information requests	6 years after the last interaction	Limitation Act 1980, ss 2 and 5
Subject Access Requests	Case file: 6 years from the initial request and response Related correspondence: 2 years from our response for data released as part of the request	Limitation Act 1980, ss 2 and 5
Third Party Requests	6 years from the initial request and response	Limitation Act 1980, ss 2 and 5
Other Rights Requests	6 years from the initial request and response	Limitation Act 1980, ss 2 and 5
Data Protection Complaints	6 years after the last interaction	Limitation Act 1980, ss 2 and 5

When identifiable records are no longer required for the purposes set out in this Privacy Notice, they are either anonymised or securely disposed of according to our Confidential Waste Policy.

How do we protect and store your personal information

We are committed to safeguarding the personal data we process and have robust internal policies and controls to prevent unauthorised access, accidental loss, destruction, misuse, or disclosure of personal data. Access to personal information is strictly limited to authorised University personnel who require it for the performance of their duties in connection with data protection complaints and requests for information.

We are Cyber Essentials accredited, demonstrating our commitment to implementing industry-recognised cybersecurity practices to protect against common online threats and ensure a secure IT environment.

Where personal data is shared with third-party processors, such parties are contractually required to act solely on our instructions, implement appropriate technical and organisational safeguards, and comply fully with the requirements of the Data Protection Act 2018 and UK GDPR.

The data controller and further information

Canterbury Christ Church University is the Data Controller for this personal data.

Please click the link below to access further information regarding:

• The Data Controller
• The name and contact details of the University Data Protection Officer
• Where to make a complaint
• Your Rights as a Data Subject
• How to contact the Regulator