Making an Information and Personal Data Request Privacy Notice

What is our lawful basis for processing your personal data?

Our purpose for processing your personal data is so we can fulfil your information request to us.

The legal basis for this is article 6(1)(C) of the GDPR, which relates to processing necessary to comply with a legal obligation to which we are subject.

If any of the information you provide us in relation to an information request contains special category data, such as health, religious or ethnic information the legal basis we rely on to process it is article 9(2)(g) of the GDPR, which also relates to our public task and the safeguarding of your fundamental rights, together with Schedule 1 part 2(6) of the DPA2018 which relates to a statutory purpose.

What do we need and why do we need it?

We need information from you to respond to you and to locate the information you are looking for. This enables us to comply with our legal obligations under the legislation we are subject to:

• General Data Protection Regulations (2016)

• Data Protection Act (2018)

• Freedom of Information Act (2000)

• Environmental Information Regulations (2004)

What we do with it?

When we receive a request from you, we’ll set up an electronic case file containing the details of your request. This normally includes your contact details and any other information you have given us. We’ll also store on this case file a copy of the information that falls within the scope of your request.

If you are making a request about your personal data, or are acting on behalf of someone making such a request, then we’ll ask for information to satisfy us of your identity. If it’s relevant, we’ll also ask for information to show you have authority to act on someone else’s behalf.

We’ll use the information supplied to us to process your information request and check on the level of service we provide.

If the request is about information we have received from another organisation – regarding a contract for example – we’ll routinely consult the organisation/s concerned to seek their view on disclosure of the material.

We compile statistics showing information such as the number of requests we receive, but not in a form that identifies anyone.

How long will we hold your data?

We keep the case file related to requests made under the Freedom of Information Act (2000) and the Environmental Information Regulations (2004) for three years after the last interaction to deal with any follow up actions.

Subject Access Requests (SAR)

The standard case record retention period for each SAR is two years after the last action relating to the SAR. In exceptional cases the University may retain lengthy, complex or multiple requests for a longer period of time . This is where (a) the applicant made a complaint about the handling of the SAR or (b) the case resulted in an investigation by the UK Information Commissioner.

Withdrawn Subject Access Requests (SAR)

The standard case record retention period for a SAR withdrawn the applicant, will be one month after the last action related to the SAR. The University may retain the case record for a withdrawn SAR for a longer period where the applicant made a SARs previously.

Do we use any data processors?

We do not use data processors for the above.

The Data Controller and further information

Canterbury Christ Church University is the Data Controller for this personal data.

Please click the link below to access further information regarding:

• The Data Controller
• The name and contact details of the University Data Protection Officer
• Where to make a complaint
• Your rights as a Data Subject
• How to contact the Regulator

Find out more

Version Control

Title:	Privacy Notice - Making an Information and Personal Data Request
Applicable to:	Students, Employees, General Public
Process Owner:	Governance and Legal Services
Date approved:	25 May 2018
Date of review:	25 May 2020
Date last amended:	30 March 2020