Lawful basis for processing harassment, misconduct, and bullying complaints

All students, staff and university visitors have the right to study, work and live in an environment which promotes dignity and respectful behaviour and is free from harassment and bullying (in person or online).

The university has an established framework for managing complaints of harassment or bullying made by students and staff against students. This document sets out the lawful basis for processing personal data (including special category data) as part of that framework.

Lawful basis

As part of the framework for managing harassment and bullying, the university processes personal data on the following overlapping grounds, to:

  • Facilitate the reporting of cases of harassment, bullying, or sexual harassment,
  • Monitor complaints of bullying and harassment,
  • Provide well-being and support services to staff and students who have either been subjected to, or perpetuator of, harassment and bullying,
  • Ensure individuals have access to safe working environments at the university (both online and physical environments),
  • Take appropriate disciplinary action in response to complaints of harassment or bulling, and breach of contractual obligations (for both staff and students),
  • Disclose the outcome of disciplinary action those subjected to bullying and harassment, to resolve the impact of harassment or bullying on their work/studies; and
  • To assist the police in the prevention and detection of crime associated with harassment
Lawful basis (UK GPPR, article 6(1)(b)(c)(f) 
Condition of processing (UK GDPR, article 9(2)(b)(g) 
 
Special category data associated conditions (DPA 2018, Schedule 1, part 1(1), part 2(6)(10)(11)(12) 
Processing is necessary for the purpose of the legitimate interests pursued by the controller of by a third party,  

except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. 
processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment. 

 

processing is necessary for reasons of substantial public interest, on the basis of domestic law 
 
 Legal obligation [application of health and safety and employment law] 

This condition is met if –  

  • The processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, and 

  • When the processing is carried out, the controller has an appropriate policy document in place. 

 

Substantial public interest 

meets substantial public interest condition in – 

  • the exercise of a function conferred on a person by an enactment or rule of law. 

  • preventing or detecting unlawful acts 

  • Regulatory requirements relating to unlawful acts and dishonesty 

 
processing is necessary for compliance with a legal obligation to which the controller is subject. 

[including performance of the employment contract] 
 
 
 
 

Article 6(1)(b) processing is necessary for a contract to which the data subject is party. 
 
 

Plus ‘Appropriate Policy document’ 

Appropriate policy document (Appendix 5) 

Disclosing outcomes of disciplinary action to the complainant

The 1752 report references technical guidance issued by the Human Rights Commission, on reporting disciplinary outcomes that address concerns about breaching UK GDPR, when disclosing the outcome of sexual harassment or harassment disciplinary procedures.   

The technical guidance reasons that while we have a legal obligation to comply with the UK GDPR, in particular the principle that personal data shall be processed ‘lawfully, fairly, and in a transparent manner’, disclosing the outcome of a case to the complainant does not necessarily breach data protection law provided we: 

  • Are clear the outcomes may be disclosed in policy, contracts, privacy notices etc. 
  • Have considered what grounds we have for disclosure 
  • Are proportionate in what is discloses 
  • The university is pursuing the legitimate interest of the complainant and its own legitimate interest by disclosing the outcome of disciplinary action for harassment/bullying to the complainant: 
  • To support the complainant to cope and recover from the impact of harassment/bullying on their well-being and work/studies; furthermore 
  • Disclosure of disciplinary outcomes to complainants fosters a culture in which victims of harassment feel encouraged to report incidents, knowing action will be taken.  

It is fair and reasonable* to disclose the outcome to the complainant on the provision it is proportionate, relating only to the outcome and the actions taken by the university to remedy the incident for the complainant.  The outcome of the complaint is derived from processing inextricably linked personal data belonging to both the defendant and the complainant.  The decisions to disclose the outcome of disciplinary action to the complainant is considered on a case-by-case basis. 

*Reasonable to disclose, based on Schedule 2, part 3(16) of the DPA 2018. 

Last Updated: 5th March 2024