Data Protection Complaints Procedure - UK General Data Protection Act (GDPR) 2018

The University takes its obligations under the UK GDPR (2018), the Data Protection Act (2018), and the Privacy and Electronic Communications Regulations (PECR) very seriously. This procedure details how the University will respond to complaints from individuals relating to the use of their personal data, complaints made in relation to the University’s processing of personal data, and complaints made by third parties in relation to the University’s use of personal data.

Making a complaint

If, for any reason, you are dissatisfied with the way in which your personal information has been handled, you may invoke the following complaints procedure, split into two parts: informal and formal complaints. The University hopes to resolve most complaints on an informal basis. We request that you pursue the informal complaints procedure before invoking the formal complaints procedure.

1. Informal Complaints Procedure

  1. Contact (written or otherwise) the individual or school/service that handled your initial enquiry and they will try to resolve the complaint informally.
  2. The individual or school/service will acknowledge your complaint within five working days and should reply within 30 calendar days of the complaint being raised with them. If we require further clarification or more time is required for the response to be completed, the University will inform you prior to the original deadline.
  3. The outcome of the complaint will be communicated in writing, normally by email.
  4. If you are dissatisfied with the outcome, or do not receive a response within 30 calendar days, please invoke the formal complaints procedure (see 2. Formal Complaints Procedure).

2. Formal Complaints Procedure

If you are dissatisfied with the outcome of an informal complaint, you can request a review of the decision. You must make a formal complaint in writing and provide the necessary and supporting evidence/paperwork.

  1. Address your written complaint to the Data Protection Officer, Rutland Building, Loughborough University, Loughborough, LE11 3TU or email dp@lboro.ac.uk.
  2. An appropriate reviewing officer will investigate and either the Academic Registrar or Data Protection Officer will respond to your complaint normally within 30 calendar days from the receipt of the formal complaint.
  3. The outcome of the formal complaint will be communicated in writing, normally by email.

We may ask you to verify your identity

To protect your personal data, we will seek to confirm your identity if there is any doubt about the identity of the person making a complaint. A copy of a passport or photo driving licence is an acceptable form of identification.

The University will only accept a complaint from an individual’s representative if the representative provides written consent from the individual authorising the representative to act on their behalf in relation to the complaint.

Complaints from third parties will be dealt with on a case-by-case basis.

Our Responsibilities

The Information Governance Sub-Committee (IGSC) and the Academic Registrar have overall responsibility for this procedure but have delegated day-to-day responsibility for overseeing its implementation to the Information Governance Manager. The IGSC will review this procedure every two years to ensure it continues to meet the University’s legal obligations and reflects good practice.

All staff are responsible for ensuring that any complaints made in relation to this procedure are reported to the Data Protection Team (dp@lboro.ac.uk) and for co-operating in the investigation of a complaint.

Instances where we may refuse to handle a data protection complaint

In some scenarios we can refuse to handle the complaint. This will be when a complaint is deemed to be manifestly unfounded, abusive, vexatious or excessive. Where a complaint is deemed to be manifestly unfounded, excessive, abusive or vexatious, the University will contact the individual and in a reasonable timeframe explain to them: a. the reasons for refusing to consider the complaint; b. their right to make a complaint to the ICO; and c. their right to pursue their data subject rights through a judicial remedy.

Our use of complaints data

The University will collect data on complaint outcomes and use it in an anonymised format for reporting and evaluation purposes and learning and development. We may disclose your personal data to University staff or regulators for the purpose of dealing with your complaint, a complaint arising from it, or to implement any outcomes from it. We will not share your personal data with any other third parties without your express consent, a statutory obligation, or a permitted purpose under data protection law.

Independent External Review

If, after exhausting the University’s complaints procedure, you are still dissatisfied with the outcome, you may refer the matter to the Information Commissioner (ICO).

Information Commissioner's Office,
Wycliffe House,
Water Lane,
Wilmslow, 
Cheshire SK9 5AF

There is information on the ICO site about how to make a complaint.

The Data Protection Officer will respond to the complaint based on the information provided by the ICO. This may necessitate access to personal data and other information held across the University. The cooperation of any staff members able to assist in the investigation will be required and it may be necessary to disclose to relevant staff the reason for the investigation.

The Data Protection Officer will draft and submit a response to the ICO. This may be in consultation with the Academic Registrar and the Information Governance Manager.

Do you need to report a possible data breach?

If you have become aware that your personal information/data may have been compromised e.g., lost, unintentionally disclosed to the wrong person, or stolen by a hacker, it is very important that you report it to the University as soon as possible:

If you are external to the University, you should email us. If you are internal to the University (i.e. staff or student), complete the data breach reporting form.