The following statement explains how personal data is managed for the purposes of students or staff reporting instances of Gender Based Violence to the University. The University is committed to being transparent about how it collects and uses data and to meeting its data protection obligations.
Data Controller: Robert Gordon University
Garthdee House
Garthdee Road
ABERDEEN
AB10 7QB
Data Protection Officer: Mr Ian Croft
Information Governance Officer
Garthdee House
ABERDEEN
AB10 7QB
What information does the university collect and why?
The following information is collected from students or staff making a named report seeking further support from the University via Report and Support online or through a First Responder:
• Name, and preferred contact details (email address, telephone number) are collected so that we can communicate with you (with your consent) to follow-up with support options.
• Demographic information can be optionally provided to help the University to highlight reporting trends, provide reporting data and identify any future campaign targets.
• Incident details are collected to allow the University to identify the best support options for any reporter. The level of incident information provided is up to the Reporter to disclose.
Legal Basis for using your information
The University will only store and process your personal information where you have provided explicit consent.
You will be asked to confirm your explicit consent when you provide your personal information to the University.
Who has access to data?
1. Access to your data is restricted to a small group of University staff that need to know the information to allow a follow-up on any named incident report disclosure.
2. In serious circumstances, your information may be shared with external parties, for example external support services or the Police, if the University believes there is a risk to yourself or others as a result of details shared within a disclosure. If the University believes there is danger then data can be shared without your consent.
3. Your information may be shared with additional University Representatives in your School or Department if cases are taken forward to disciplinary procedures or criminal cases. Information will only be shared with additional University staff in this way with your prior consent.
How does the university protect data?
The university takes the security of your data seriously. The university has internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties.
Where the university engages third parties to process personal data on its behalf, they do so on the basis of contractual agreements, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
The site holding the data is hosted on Amazon Web Services, one of the most secure hosting platforms available, is annually penetration tested by an independent CREST-approved technician, is fully GDPR-compliant in data handling and is Cyber Essentials certified.
The University continues to be the data controller and any third parties act upon the instructions of the University.
For how long does the university keep data?
The University will retain reports received relating to Gender Based Violence for five Academic Years. Reports will then be deleted.
If you wish to withdraw your consent for us to hold this personal data please contact report@rgu.ac.uk who will then arrange for any Report to be deleted.
Your rights?
As a data subject you have a number of rights, further details of these rights can be found on our data protection webpage or https://ico.org.uk/for-organisations/guide-to-thegeneral-data-protection-regulation-gdpr
If you would like to exercise any of these rights, please contact Mr Ian Croft, Information Governance Officer, Garthdee House, Aberdeen, AB10 7QB or at dp@rgu.ac.uk.
If you believe that the university has not complied with your data protection rights, you can complain to the Information Commissioner.
For Further Information please view our Privacy Policy