Data Protection Complaints Procedure

The University takes its obligations under UK data protection legislation very seriously. This procedure details how the University will respond to complaints from individuals relating to the use of their personal data, complaints made in relation to the University’s processing of personal data, and complaints made by third parties in relation to the University’s use of personal data.

If, for any reason, you are dissatisfied with the way in which your personal information has been handled, you may invoke the following complaints procedure.

How to make a data protection complaint

If you are unhappy with how your personal data has been processed, you are encouraged to raise your concerns with the colleagues involved in the processing in the first instance. If your concerns are not resolved, you may submit a complaint to us.

  1. Submit a complaint using our Data Protection Complaints MS Form or email dp@lboro.ac.uk.
  2. An appropriate reviewing officer will investigate and respond to your complaint without undue delay, and within a reasonable period from receipt of your complaint. Where further clarification is required, or additional time is necessary to complete the review, you will be kept informed of progress.
  3. The outcome of your complaint will be communicated in writing, normally by email.

To protect your personal data, we will seek to confirm your identity if there is any doubt about the identity of the person making a complaint. A copy of a passport or photo driving licence are acceptable forms of identification.

The University will only accept a complaint from an individual’s representative, if the representative provides written consent from the individual authorising the representative to act on their behalf in relation to the complaint.

Complaints from third parties will be dealt with on a case-by-case basis.

The Academic Registrar has overall responsibility for this procedure but has delegated day-to-day responsibility for overseeing its implementation to the Information Governance Manager. The policy will be periodically reviewed in line with our governance framework to ensure it continues to meet the University’s legal obligations and reflects good practice.

All staff are responsible for ensuring that any complaints made in relation to this procedure are reported to the Data Protection Team (dp@lboro.ac.uk) and for co-operating in the investigation of a complaint.

In some scenarios we may refuse to handle a complaint. This could be where a complaint is deemed to be manifestly unfounded, abusive, vexatious or excessive. Where a complaint is deemed to be manifestly unfounded, excessive, abusive or vexatious, the University will contact the individual and in a reasonable timeframe explain to them:

  1. the reasons for refusing to consider the complaint;
  2. their right to make a complaint to the ICO; and
  3. their right to pursue their data subject rights through a judicial remedy.

The University will collect data on complaint outcomes and use it in an anonymised format for reporting and evaluation purposes and learning and development. We may disclose your personal data to University staff or regulators for the purpose of dealing with your complaint or to implement any outcomes from it. We will not share your personal data with any other third parties without your consent, a statutory obligation, or a permitted purpose under data protection law.

Independent External Review

If, after exhausting the University’s data protection complaints procedure, you are still dissatisfied with the outcome, you may refer the matter to the Information Commissioner (ICO).

Information Commissioner's Office,
Wycliffe House,
Water Lane,
Wilmslow, 
Cheshire SK9 5AF

There is information on the ICO site about how to make a complaint.

We will respond to the complaint based on the information provided by the ICO.  This may necessitate access to personal data and other information held across the University.  The cooperation of any staff members able to assist in the investigation will be required and it may be necessary to disclose to relevant staff the reason for the investigation.

Do you need to report a possible data breach?

If you have become aware that your personal information/data may have been compromised e.g., lost, unintentionally disclosed to the wrong person, or stolen by a hacker, it is very important that you report it to the University as soon as possible:

If you are external to the University you should email us If you are internal to the University (ie staff or student), complete the data breach reporting form ⇲