Information you need to know
Report and Support is a harassment reporting tool operated by Liverpool John Moores University. Further information on the institution can be found here: https://www.ljmu.ac.uk/
Liverpool John Moores University is the Data Controller.
Our Data Protection Officer can be contacted at DPO@ljmu.ac.uk
Liverpool John Moores University (LJMU) is committed to ensuring the safety and wellbeing of all members of the university community, and to responding appropriately to any incidents of harassment affecting our students and staff or any visitors to the University. The University’s Report and Support harassment reporting tool enables students, members of staff and visitors to notify the university of bullying, harassment, sexual misconduct, hate crime or discrimination. This privacy notice explains how we use personal information that you disclose using the Report and Support harassment reporting tool. We are committed to being transparent about how we collect and use your data and to meeting our data protection obligations under the principles of the General Data Protection Regulation (GDPR).
For information about how the wider University uses personal data please see the Privacy Notice section of our website.
The type of information are we collecting
Where an anonymous report is made, the university will not be able to identify the person who made the report. The university will use data gathered via anonymous disclosures to produce statistics and management reports. Reports will be used by the university to identify where actions are necessary to improve and/or strengthen the safety, wellbeing of our students, staff or wider community.
When a report is anonymous, the university will not be able to contact you to offer you advice and support. Because of this, we do encourage reporting parties to make named reports.
If a named rather than an anonymous report is made, we may collect, use, store and transfer different kinds of personal data about the person making the report. This may include:
· Your name, contact details and other information about you such as your department (where applicable) and your age;
· ‘Special category’ personal data about you (this may include details about your race or ethnicity, religious or philosophical beliefs, sexual orientation, political opinions, trade union membership, information about your health etc.); and
· Detail regarding your experience of bullying, harassment and/or sexual misconduct.
The university will use information from named disclosures to reach out to the person who made the disclosure to request more information, provide support and/or to discuss possible options.
The Report and Support tool has a free-text box in which a reporting party is able to leave their contact details so that relevant staff can contact them to offer support. If a free-text box is used to identify any third-party, this information will be permanently redacted and cannot be recovered after this redaction.
Why we are collecting your data and the legal basis for this
LJMU will collect personal data from you for several reasons and will at all times do so in compliance with the principles of the GDPR, and for one of the legal basis set out in Article 6 of the Regulation.
There are two main reasons why the university may need to collect this data:
· To be aware of any difficulties staff and students may be experiencing at the university and to log these incidents on a central system.
· To support staff and students on a one-to-one basis, who have experienced any unacceptable behaviour from others – only if the reporting party wishes to be identified.
We process your personal information based on one or more of the following legal grounds:
Your consent: By using the "Report and Support" tool, you provide your voluntary consent for us to process your personal information.
Performance of a contract: where you are a member of staff
Public Task: where LJMU must use data to undertake its functions to deliver educational services under its legislative powers.
The source of this personal data
All personal data within the system is provided by the reporter.
Who has access to this data
Your personal data will be used only by relevant LJMU staff where the data is necessary for them to undertake their designated role.
Report and Support is a secure website, managed on the university’s behalf by Culture Shift (www.culture-shift.co.uk). The University has a contract in place with Culture Shift, who are obligated to only use those details to provide the Report and Support service, to protect the details provided and to maintain confidentiality.
Named Reports will generally be accessed and processed by different teams depending on the type of reporter.
· For reports made by students, the University’s Student Advise and Wellbeing Team
· For reports made by members of staff, the University’s Human Resources Team.
We will not share your report with any external third parties, except where required to be do so by legislation or where this is in someone’s vital interests to protect life.
Please see Culture Shift’s Knowledge Base for further information on the security measures adopted by Culture Shift, which are designed to help keep personal data secure.
No individual at Culture Shift has access to report information. If access was needed, this would be coordinated by the university on a case-by-case basis. Culture Shift staff receive training on data protection and privacy compliance and have access to independent experts when required.
Protection of your data
The University takes Data Protection very seriously and at all times your personal data will be handled in line with the University’s Information Security Policy.
Culture Shift, the provider of the Report and Support tool, are accredited with Cyber Essentials, and have completely isolated their office network from the reporting site network to minimise the risk to any customer data.
The Report and Support application uses a Serverless architecture combined with AWS CloudFormation, meaning that developers need no direct access to the infrastructure running the application. This makes management completely automated and auditable, and in the most part, directly managed by Amazon Web Services. Developers have no direct access to the database, all direct changes made must be made through deploying code, which is audited and reviewed before being permitted to run.
By using the Serverless architecture, and making use of Amazon Virtual Private Cloud networking, we eliminate the risk of vulnerabilities and out-of-date software in the OS and networking level. You can find out more about Amazon’s security policies on their website.
The length of time your data will be stored for
All relevant information relating to a case is stored, retained, and destroyed in line with the University Retention Schedule https://www.ljmu.ac.uk/about-us/data-protection
As a data subject, you have a number of rights. You can:
· Access and obtain a copy of your data on request, this could be in a portable electronic format;
· Require the University to change incorrect or incomplete data if you think that it is inaccurate or out of date
· Require the University to delete or stop processing your data, for example where the data is no longer necessary or legally required for the purposes of processing
· If your personal data has been provided by consent, you have a right to withdraw that consent at any time.
If you would like to exercise any of these rights, please contact the Data Protection Officer DPO@ljmu.ac.uk
What if you do not provide data
Where an anonymous disclosure is made, the university will not be able to identify the person who made the disclosure, therefore the report will not contain your personal data.
Transfers of data outside the UK
Generally, we do not send your personal data outside the UK. However, in some specific cases we may transfer the personal data we collect to countries outside the UK in order to perform our contract with you/or a contract with another organisation that requires your personal data i.e. a collaboration agreement with a university based outside of the UK. Where we do this, we will ensure that your personal information is protected by way of an ‘adequacy regulation’ with the UK or by putting alternative appropriate measures in place to ensure that your personal information is treated by those third parties in a way that is consistent with and which respects the UK laws on data protection. For example, model contractual clauses, data sharing/data processing agreement and binding corporate rules (where applicable).
Culture Shift use 3 sub-processors to provide its service to the university: Amazon Web Services, Mixpanel, and Sentry (Functional Software Inc). In all of these cases these companies act as sub-processors and do not have any direct access to personal data, and the reports themselves are only stored within an Amazon Web Services database, with Mixpanel and Sentry only handling the names and email addresses of administrators and caseworkers. All of these sub-processors are either based in the EU, or we have standard contractual clauses in place to ensure compliance with the GDPR.
Automated decision making
We will not make any decisions about you automatically using a computer, based on your personal data. All decisions affecting you will be taken by a human.
The Information Commissioner’s Office
You have the right to complain to The Information Commissioner if you believe that our processing of your personal data does not meet our data protection obligations. The Information Commissioner can be contacted:
By post: Information Commissioners Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK95AF.
By phone: 0303 123 1113.
By email: contact can be made by accessing www.ico.org.uk