This is the privacy statement of Queen Margaret University relating to Report and Support. This privacy statement explains how we collect and use personal information about you. 
Queen Margaret University (QMU) adheres fully to the terms of the Data Protection Act 2018 and the UK General Data Protection Regulations. The University is registered with the Information Commissioner’s Office. Our Registration Number is Z6013920. We are a public authority under the Freedom of Information Act 2000 and a Scottish public authority under the Freedom of Information (Scotland) Act 2002. 
1.         Purpose 
This privacy notice explains how the University will: 
•        Maintain the confidentiality of details disclosed; 
•        Use the details provided; and 
•        Set out the circumstances when details with be shared with others, while maintaining confidentiality. 
This privacy notice is specific to the University’s Report and Support Web based function/tool, and summarises the key elements of how details provided will be used and protected. Please refer to the University privacy page for further general information on how we treat your data: 
2.         Confidentiality 
The University will keep the details individuals provide confidential – however, confidentiality does not always mean that the University is obliged to keep a secret. The University has a duty of care, which extends to all students, staff and our community. This duty of care provides that personal details may be shared if the information you share with us indicates that someone may be at risk. For the avoidance of doubt, that includes a risk to their physical and/or mental wellbeing. The sharing of details may be within and/or outside the University to protect the individual who made a report and/or others. 
When details are shared, the University will, if possible, inform the individual who made the disclosure first, however, that may not always be possible. Any details shared will be the minimum necessary to meet the University’s duty of care. 
Where an individual makes a disclosure, and includes their contact details, and asks that the University takes action, elements of that disclosure and the identity of the person making that disclosure may be shared with identified role holders within the University Secretary’s group, or within Human Resources, who are responsible for instigating proceedings. Where formal proceedings progress, details may be shared further, within the confidentiality of those proceedings e.g. with an investigating officer. The identity of the discloser and elements of their disclosure will also be shared with relevant Student Services and/or Human Resources staff, including the Wellbeing and Counselling Service, in order to facilitate support. Data Protection legislation provides individuals with a right of access to their personal data. Where an individual makes a disclosure, which identifies them and others, elements of those details can be the personal data of both the individual who made the disclosure and any other parties referred to therein. As a disclosure is made in confidence the personal data of the individual making the disclosure will normally be protected. However, there are circumstances where that may not always be possible e.g. when a formal process is engaged and another party is informed of the disclosure, its details and who made that disclosure. 
If you have any questions or concerns about confidentiality, privacy and/or data protection, please contact the Report and Support team, who can liaise with the University Data Protection Officer on a no names basis. 
If you make an anonymous report, the details of your disclosure will not ordinarily be your personal data; for data to qualify as personal data it must be linked to an individual who can be identified from those data. 
 3       How do we collect your personal data, and how will that be used? 
 3.1    Report and support 
Where a disclosure is made, those details pass into the University’s report and support service – this is a secure website, managed on the University’s behalf by Culture Shift ( 
The University has a contract in place with Culture Shift, who is obligated to only use those details to provide the Report and Support Service, to protect the details provided and to maintain the confidentiality of those reporting. That contract contains all of the clauses required of the Data Protection Laws to protect the privacy of those who opt to make a disclosure. 
3.2     Anonymous disclosure 
Where an anonymous disclosure is made, the University will not be able to identify the person who made the disclosure. The University will use data gathered via anonymous disclosures to produce statistics and management reports – those will be used by the University to identify where actions are necessary to improve and/or strengthen the safety and wellbeing of our students, staff and wider community. 
The University will not normally act upon anonymous reports, notably where there is insufficient information to advance a fair and thorough investigation. However, there may be circumstances where it will be necessary for the University to assess whether further action can be taken, as part of the University’s obligations to provide a duty of care to all parties who may be affected. Further action may include one or more of the following: risk assessment, advising staff where concerns about their behaviour have been raised, and/or assessing the matters raised under formal procedures. 
3.3     Named disclosures 
The University will use information from named disclosures to reach out to the person who made the disclosure and/or the person on who’s behalf the disclosure was made. The University may provide support, request more information, discuss possible options including pursuing disciplinary investigation, or disclosure to the Police 
Where an alleged perpetrator is named in a disclosure, and that person is either an employee or a student of the University, the University will use those details to make contact with that person, which may lead to further action including disciplinary investigation or disclosure to the Police.
Where a disclosure leads to an investigation information about the reporter (the person reporting the incident) and the responder (the person accused of perpetrating the incident) is shared with the investigating team. The information shared is based on the principles that what is shared is only what is appropriate, proportionate and necessary for the investigating team to know in order to undertake their investigation and make a decision. 
Where an investigation is taking place information will also be shared with the responder. What is shared will be only what is necessary, appropriate and proportionate in order for the responder to respond to the allegation. Similarly, where there are witnesses only necessary, appropriate and proportionate information is shared with witnesses in order to gain information about the incident. 
After the investigation the outcomes of the investigation is shared with the responder in order for them to be able to comply with any decision taken by the investigating team. Information is also shared with the reporter. What is shared with the reporter will be based on what is necessary and proportionate in order for the reporter to be safeguarded. Each case is treated individually and decisions about sharing information taken on each case’s merit. 
4        Using your personal data lawfully: the lawful bases for processing personal data, personal data with special characteristics, and criminal offence data 
The University can only make use of personal data with reference to one of the stated lawful basis for processing, as listed in the UK General Data Protection Regulations and the Data Protection Act 2018. We will collect personal and special category data supplied by you through our online form, including name, student ID, telephone number, email address, level of study (UG or PG), sex life, gender, age, disability, race, religion or belief, sexual orientation, health data and any other data that you consider relevant to the matter. 
5        How long will the University make use of your personal data? 
Personal data will be retained in Report and Support for no longer than is necessary. Your data is treated in line with our records retention schedule. 
6        How will the University protect and secure your personal data? 
The University puts in place a series of technical and organisational measures to protect and safeguard all data it holds. Culture Shift has provided evidence to the University that it has and maintains the relevant information security measures to the standard required by the University and in law, to protect and maintain the confidentiality of all data managed by them for the University. 
 7       The right to lodge a complaint with a supervisory authority 
If you believe that the University has not made use of your personal data in line with the requirements of data protection law, you have the right to raise this first with the University, and if you remain dissatisfied, then you may raise this with the UK Information Commissioner Office’s (“the ICO”). 
Details on how to contact the ICO are available online, at: 
8        Revision of the Privacy Notice 
The details as to how personal data are used with Report and Support will be reviewed annually. The University may make changes to this Privacy Notice from time to time. Any significant change to relevant legislation, University policy or procedures primarily concerned with the protection of personal data may trigger an earlier review. 
9        Availability 
Should a copy of this Privacy Notice be required in another form, including orally i.e. an audio recording, please contact or Data Protection Officer at the University. 
September 2022 

There are two ways you can tell us what happened