Information Compliance Privacy Notice

The main University privacy notices about our use of personal data when individuals send the University requests for information under the provisions of the Freedom of Information Act 2000, the Environmental Information Regulations 2004, and the UK General Data Protection Regulation (UK GDPR), or if you write to the University’s Data Protection Officer.

Who will own my data once I submit it?

The University of Liverpool.

Why do you need my information?

We collect personal data when individuals send the University requests for information under the provisions of the Freedom of Information Act 2000, the Environmental Information Regulations 2004, and the UK General Data Protection Regulation (UK GDPR), or if you write to the University’s Data Protection Officer.

Our primary purpose is to process your request under the relevant legislation. This usually means:

  • Establishing whether your request is valid, and the University is legally obliged to answer it.
  • Locating, retrieving, and collating information relevant to your request.
  • Consulting individuals (for example University staff and third parties) affected by your request.
  • Identifying whether any of the information is already available to you and whether any of the information should be withheld from disclosure.
  • Preparing and sending the response to your request.
  • Administering, and responding to, review or appeal requests.

We keep records of our correspondence with you about your request and records containing your name, contact details, a summary of your request, and your relationship with the University (if known). If you are asked to verify your identity because you are requesting access to your personal data records, we will store a copy of your identity documentation.

We use this information to ensure that the University complies with our legal obligations, to demonstrate and monitor our compliance, and to analyse who we are receiving requests from in order to monitor demand.

What allows you to use my information?

The legal basis for processing your request is Article 6(1)(c) of the UK GDPR, which relates to processing necessary to comply with a legal obligation to which we are subject. The legal obligations are set out in:

  • Freedom of Information Act (2000).
  • Environmental Information Regulations (2004).
  • Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (known as UK GDPR).
  • Data Protection Act 2018.

If any of the information you provide to us in relation to your information request contains special category data, such as health, religious or ethnic information, the legal basis we rely on to process it is:

  • Article 9(2)(g) of UK GDPR, which relates to our public task and the safeguarding of your fundamental rights.
  • Schedule 1 Part 2(6) of the Data Protection Act, which relates to statutory and government purposes.

In relation to the secondary purpose listed above, the legal basis is Article 6(1)(e), which relates to processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

Who will my information be shared with?

Your data may be shared with members of University of Liverpool staff who hold the information you have requested. These may include:

  • Staff whose role includes the co-ordination of the University’s response to information requests.
  • Staff who hold information relevant to the processing of your request.
  • Staff asked to contribute to the University’s response.
  • Members of our External Relations team for FOI/EIR requests from journalists or media organisations. The team receive a final copy of the response sent so they are aware of any news coverage to which they may need to respond. This will not affect the information that you receive.

In addition, your data may be shared with:

  • Other public authorities e.g., other universities, to obtain advice. Although we never deliberately share the identity of requesters in these circumstances, if you have submitted the same request to several public authorities, your identity might be obvious to those who have also received the request.
  • The Information Commissioner's Office, in the event of a complaint being made.

Your personal data will not be passed to any other third party without your consent, except where the University is required to do so by law.

Do I have to provide this information and what will happen if I don’t?

If you request information about yourself under data protection legislation, we can only respond to your request if you provide us with enough information to locate and identify the information you want, and to verify your identity. This is because we must not disclose information about you to the wrong person.

If you request other information held by the University under FOIA/EIR you must provide us with your real name, the name of anyone on whose behalf you are making the request, and a correspondence address. If you do not provide this information, the University is under no obligation to provide the information you request and you will lose the right to appeal to the Information Commissioner's Office (ICO) if you are dissatisfied with the way the University has handled your request. Further guidance on valid requests is provided by the ICO.

How long will you keep this data for and why?

As defined in the University Record Retention Schedule, the University will take the following approach:

  • Details of your request, all associated correspondence, and the information supplied to you, will be kept for 3 years in line with ICO best practice.
  • If your request results in a formal ICO Decision Notice or Tribunal decision we will, with appropriate safeguards, archive the information in the public interest for historical research purposes.

How will my information be stored?

Information will be held securely by the Legal & Governance team. Access to this information will be restricted to designated persons within the team and relevant third parties (outlined above) who are authorised to view it as a necessary part of their work.

Will this information be used to take automated decisions about me?

No.

Will my data be transferred abroad?

No.

What rights do I have when it comes to my data?

Under the UK General Data Protection Regulation, you may have the following rights with regards to your personal data:

  • The Right to subject access – you have the right to see a copy of the personal data that the University holds about you and find out what it is used for.
  • The Right to rectification – you have the right to ask the University to correct or remove any inaccurate data that we hold about you.
  • The Right to erasure (right to be forgotten) – you have the right to ask the University to remove data that we hold about you.
  • The Right to restriction – you have the right to ask for your information to be restricted (locked down) on University systems.
  • The Right to data portability – you have the right to ask for your data to be transferred back to you or to a new provider at your request.
  • The Right to object – you have the right to ask the University to stop using your personal data or to stop sending you marketing information or complain about how your data is used.
  • The Right to prevent automated decision making – you have the right to ask the University to stop using your data to make automated decisions about you or to stop profiling your behaviour (where applicable).

Please note that not all rights apply in all situations. To find out more about your rights under the UK GDPR, please visit the Information Commissioner’s website.

To request a copy of your data or ask questions about how it is used, contact:

Dan Howarth, Data Protection Officer

  • Email: legal@liverpool.ac.uk
  • Post: Legal & Governance, University of Liverpool, Foundation Building, 765 Brownlow Hill, Liverpool L69 7ZX

Who can I complain to if I am unhappy about how my data is used?

You can complain directly to the University’s Data Protection Team by writing to Dan Howarth, Data Protection Officer:

  • Email: legal@liverpool.ac.uk
  • Post: Legal & Governance, University of Liverpool, Foundation Building, 765 Brownlow Hill, Liverpool L69 7ZX

You also have the right to complain to the Information Commissioner’s Office using the following details:

  • The Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
  • Telephone: 08456 30 60 60 or 01625 54 57 45
  • Website: ico.org.uk

Last update: 10 August 2022
