- Introduction
- What personal information do we collect about you and what do we use it for?
- The legal bases for processing your data
- What happens if you refuse to provide your personal information?
- Recipients of your personal data
- How does the University protect data?
- How long will we hold your data?
Introduction
When you make an information or subject access request to the University we will need to process your personal data in order to provide you with the information requested.
This privacy notice applies to you if you have ever made a request for information to CCCU. It explains the types of personal data we may collect whilst processing a request and how we use it. It also explains how we store and manage that data and keep it safe.
What personal information do we collect about you and what do we use it for?
When you make a request for information, CCCU may need to process the following personal information about you:
- Name
- Date of birth
- Student ID number (if applicable)
- Email address
- Documents to verify your identity (if necessary)
We may also process special category data that you provide us in order to locate the information you are requesting. When we receive a request from you, we’ll set up an electronic case file containing the details of your request. This normally includes your contact details and any other information you have given us. We’ll also store on this case file a copy of the information that falls within the scope of your request.
The legal bases for processing your data
Under the UK General Data Protection Regulation (UK GDPR), the lawful bases we rely on for processing this information are:
Legal Obligation
The purpose for processing your personal data is so we can fulfil your information request to us. This is a legal obligation under the following legislation that we are subject to:
- UK General Data Protection Regulations
- Data Protection Act (2018)
- Freedom of Information Act (2000)
- Environmental Information Regulations (2004)
The legislation relating to processing data under this lawful basis can be found in UK GDPR, Article 6(1)(c):
(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.”
If any of the information you provide us in relation to an information request contains special category data, such as health, religious or ethnic information the legal basis we rely on to process it is article 9(2)(g) of UK GDPR, which also relates to our public task and the safeguarding of your fundamental rights, together with Schedule 1 part 2(6) of the DPA 2018 which relates to a statutory purpose.
What happens if you refuse to provide your personal information?
If you choose not to submit any personal information when requested, we may not be able to process your request for information.
For example, if you make a subject access request for copies of your own information, we will request proof of identification to ensure ourselves of your identity. If you refuse to provide this documentation, we will not be able to process your request.
Recipients of your personal data
We do not use data processors when processing your request for information. Your information will not be shared outside of the University for the purpose of processing your request.
How does the University protect data?
The University takes the security of your data seriously. Your personal information will be stored on our secure systems and only accessed by employees in the performance of their duties.
The University has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed.
|
Type of request |
Retention period |
|
|
Subject Access Request |
· Request and response · Case file |
· 6 years from the initial request · 2 years from the initial response |
|
Other Rights request |
· Request and response · Case file |
· 6 years from the initial request · 2 years from the initial response |
|
Freedom of Information request |
· Request and response · Data set |
· 3 years after last interaction · Anonymised and published on our website. |
|
Environment Information Regulations |
· Request and response |
· 3 years after last interaction
|
The Data Controller and further information
Canterbury Christ Church University is the Data Controller for this personal data.