Page content

Version control and Ownership

Version number 1

Procedure Owner / Author: Data Protection and Information Compliance Manager

Date of last review: March 2026

Next Review date: March 2028.

Background

The University takes its obligations under the UK GDPR (2018), the Data Protection Act (2018) and the Privacy and Electronic Communications Regulations (PECR) very seriously.  The University is committed to protecting the data rights of individuals and recognises its legal obligation to ensure the correct and lawful treatment of Personal Data.  The University will recognise however that there may be circumstances in which our staff, students, stakeholders or members of the public raise concerns or complaints about the way the University processes their personal data.

This procedure details how the University, and specifically, how the University’s Data Protection Officer and Data Protection & Information Compliance Unit will respond to complaints from individuals relating to the use of their personal data, complaints made in relation to the University’s processing of personal data, and complaints made by third parties in relation to the University’s use of personal data.

Scope

Data Subjects may make complaints in relation to any aspect of the University’s processing of personal data.  Complaints may include:

  • Complaints about the handling of individual rights requests.
  • Complaints relating to the content of the University’s Privacy Notice.
  • Complaints relating to any data sharing with third parties.
  • Complaints in relation to the use of personal data for direct marketing and/or profiling activity.

Principles of Data Protection Complaints

The University will ensure that data subjects are aware of their right to complain. This will include outlining the right to complain in all University Privacy Notices, the University’s public-facing Data Protection webpage, and informing data subjects as part of responses to data subject access requests.

This procedure has been published on the University’s  Data Protection webpage to ensure Data Subjects are aware of how to submit a Data Protection complaint and what they can expect from our internal processes.

The University will treat all complaints seriously, and resolution will be sought at the earliest possible opportunity. It is desirable that complaints are resolved through informal conciliation between the relevant parties, such as mediation, whenever possible and appropriate.

The University will manage Data Protection complaints in a way that is timely and efficient, and which is fair and transparent to all parties.

The University endeavours to ensure that complaints are handled within a reasonable timeframe and without undue delay and prescribed timescales will be communicated to the complainant at the earliest possible opportunity.

How to Submit a Complaint

If you have concerns regarding the processing of your personal data e.g., suspected unauthorised access or disclosure, or the handling of your Right of Access request, you can raise this with the Data Protection & Information Compliance Manager (Data Protection Officer). Your complaint or concerns should be emailed to GDPR@ulster.ac.uk and marked for the attention of the Data Protection Officer.

Confidentiality

Your Data Protection complaint will be treated in confidence, your identity will only be shared when it is necessary to do so to enable the Data Protection Officer to fully investigate the complaint.

The Data Protection & Information Compliance Unit will only store records relating to a complaint securely in an access restricted location and in line with the University’s Retention & Disposal Schedule.

Acknowledgement and Identity Verification

In line with the Information Commissioner’s Office guidance, the University will acknowledge a Data Protection complaint within 30 days of receipt.

Before the complaint will be progressed, the University will require photographic proof of identity.  There may be exceptional occasions where this will not be required e.g. a signed Form of Authority from an appointed legal representative or where the complaint has been raised by a current staff member.

A complaint can be submitted via a third party, i.e. usually by a someone acting on behalf of the data subject.  In such cases the University needs to be satisfied that the third party making the complaint is entitled to act on behalf of the individual.  It is the third party’s responsibility to provide evidence of this entitlement.

Complaints Process

The Data Protection Officer may have an initial discussion with the individual. A concern may often be able to be resolved by an immediate explanation e.g., explaining that the processing is a statutory obligation.

If the report will warrant further consideration, the Data Protection & Information Compliance Unit will conduct a thorough investigation. If the allegation could amount to a potential data breach, the Data Breach Management Procedure will be followed.

Internal Review

There is an important distinction the University will be mindful of if a complaint is in relation to the handling of individual rights request.  If a complaint is made regarding the content of a Subject Access Request or the Data Protection & Information Compliance Unit’s application of exemptions, this will first be heard formally by the Data Protection Officer.  If a Data Subject is appealing the Data Protection Officer’s response, the request for internal review must be submitted to the University Secretary by emailing universitysecretary@ulster.ac.uk.

Delegation

The Data Protection Officer or nominee will assume the role of Lead Investigator and engage with all relevant parties to gather evidence, evaluate, and report the findings.

The University’s Data Protection Officer may delegate the initial investigation, depending on the nature of the complaint, to either:

  • Data Protection & Information Compliance Co-Ordinator(s); or
  • Records Co-Ordinator

The Data Protection Officer will review and issue final response to the complainant based on the investigation undertaken.

In the absence of the Data Protection Officer, one of the above delegates will manage the investigation and issuance of the response.

In respect of Right of Access responses, in the absence of the Data Protection Officer, the University Secretary will investigate and issue a final response to the complainant.

If the evidence indicates the allegation to be unfounded, the individual who made the report will be notified with an explanation of this and a short report made for record keeping purposes which will be retained.

If the evidence supports the allegation, a final report, supporting evidence and recommendations will be submitted to the appropriate Senior Leadership Team lead.

Information Commissioner's Office

If a complainant remains dissatisfied following conclusion of an investigation, the complaint can be escalated to the Information Commissioner’s Office (the “ICO”). Information about how to make a complaint to the ICO can be found here: www.ico.org.uk.  The ICO will decide whether to investigate further and will contact the University should they have questions / queries regarding any actions previously undertaken.

The University may also receive notification from the ICO that a complaint has been made under Data Protection legislation. Once a complaint has been received from the ICO, the complaint will be investigated in line with this procedure and based on the information provided by the ICO.

It is then the responsibility of the University’s Data Protection Officer to submit the University’s response to the ICO.

Manifestly Unfounded, Vexatious or Excessive Complaints

In certain scenarios the University can refuse to handle a complaint. This will be on occasions where a complaint is deemed to be manifestly unfounded, abusive, vexatious or excessive. Each complaint will be considered on a case-by-case basis. The Data Protection Officer or nominee will take the following factors into consideration:

  1. The data subject has explicitly stated that they intend to cause disruption (whether in the complaint, or in other correspondence), and/or has threatened individuals/members of University staff;
  2. The data subject has made unsubstantiated accusations against individuals/members of University staff, and is persisting in those accusations;
  3. The data subject is targeting particular individuals/members of University staff, against whom they have a personal grudge;
  4. The data subject makes frequent complaints intended to cause disruption; and
  5. The data subject continues to repeat the substance of previous complaints which have already been investigated.

Where a complaint is deemed to be manifestly unfounded, excessive, abusive or vexatious the Data Protection Officer will contact the complainant in a reasonable timeframe to explain the reasons for refusing to consider the complaint and their right to make a complaint to the ICO.

Complaint Log and Record Keeping

The Data Protection & Information Compliance Unit will maintain an internal log for all complaints under Data Protection legislation.

Each complaint will be fully documented to demonstrate accountability and to allow the annual review of requests.  In line with the ICO’s Complaints guidance for organisations this will include:

  • The date the University received the Data Protection complaint;
  • The University’s acknowledgement of the complaint;
  • Any relevant conversations and documents;
  • The complaint outcome; and
  • Any actions taken following investigation.