Data protection complaints procedure
This procedure sets out how the University responds to complaints relating to personal data. It outlines responsibilities, the process for submitting a complaint, confidentiality and disclosure.
1. Introduction & Scope
1.1. The procedure below sets out how the University responds to complaints relating to personal data.
1.2. The University of Bristol (“The University”) aims to comply with its obligations under relevant data protection laws, including the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR). However, where you are not satisfied with the way in which the University has processed personal data, or where you are unsatisfied with the handling of an information rights request, you have a right to submit a complaint. Examples of the type of infringement which may be considered under this procedure can be found in Appendix 2.
1.3. Anonymous complaints will not be accepted, except at the discretion of the Data Protection Officer where there is a compelling reason to do so. Where group complaints are made and there is a need to disclose complainant personal data, these may be dealt with separately.
1.4. If there is any doubt about the identity of the complainant, we will seek confirmation of identity. A copy of a passport, photo driving licence or similar is an acceptable form of identification.
1.5. The University will only accept a complaint from an individual’s representative if we receive written consent from the individual authorising the representative to act on their behalf in relation to the complaint.
1.6. In some cases, we may refuse to handle a complaint. This may be when a complaint is deemed to be manifestly unfounded, abusive, vexatious or excessive. In such cases, the University will contact the complainant or their representative and, within a reasonable timeframe, explain why their complaint is not being considered and any rights they have regarding further escalation of their concerns.
1.7. If your complaint refers to an issue other than data protection, please refer to the following to find the most appropriate procedure to follow:
- For students wishing to raise a complaint about anything related to the student experience, or to report the unacceptable behaviour of a student or staff member, please see 'Make a complaint'.
- For staff wishing to raise a grievance, please see 'Staff Grievance Procedure'.
1.8. If your complaint contains concerns that your data protection rights and freedoms have been infringed, either alongside other complaints or as part of a wider complaint (e.g. about services provided by the University, staff or student misconduct, or a health and safety concern), you should submit your complaint under the relevant procedure for students or staff in the first instance. This might entail raising a student complaint, staff grievance or whistleblowing concern.
1.9. Where appropriate, the Data Protection Officer (or nominee) will consult with other departments as to the most appropriate procedure under which to handle your complaint. Where this is a change of procedure, you will be notified of which procedure will be followed.
1.10. If your complaint has already been addressed through another University procedure, it will not be addressed again under this procedure. Similarly, any complaint considered and responded to under this procedure cannot later be submitted through another University process or procedure.
1.11. Following the outcome of a complaint, the Data Protection Officer (or nominee) may refer the issue for further review under applicable disciplinary regulations, such as the University Acceptable Behaviour Policy.
2. Responsibilities
2.1. The Director of Governance and University Secretary has overall responsibility for this procedure but has delegated the day-to-day handling of complaints and the implementation of this procedure to the Data Protection Officer.
2.2. The Data Protection Officer will ensure a fair and comprehensive investigation is conducted for eligible complaints under this process.
2.3. The Data Protection Officer may assign responsibility for investigating a complaint to a member of the Information Compliance team.
2.4. All staff are responsible for ensuring that they are familiar with this procedure. All staff must cooperate with the complaint investigator when instructed.
3. Complaint Procedure
3.1. As far as possible, we encourage you to make and resolve your concerns informally. The Data Protection Officer (or nominee) may suggest your complaint is best handled informally initially. If you are not satisfied with the outcome, then you may submit a formal complaint as set out below.
3.2. Complaints must be submitted in writing to the Data Protection Officer by:
- Submitting a complaint using the online form
- Email to data-protection@bristol.ac.uk
- Post to Beacon House, Queen's Ave. Bristol BS8 1PX
3.3. Any data protection complaint received by a staff member outside of the above must be forwarded to data-protection@bristol.ac.uk at the earliest opportunity.
3.4. We will aim to acknowledge your complaint within 5 working days, excluding University closure days. You will be notified whether your complaint is eligible for consideration under this procedure.
3.5. Complaints will usually be responded to within 30 calendar days from the date of receipt. Should further time be required, you will be provided with a revised timescale. An extension to the initial timeframe will not normally exceed a further 30 calendar days.
3.6. Where clarification or further information is requested from you, your complaint will be placed on hold, and the 30-calendar day deadline will be paused until such time as you provide sufficient clarification.
3.7. Complaints should be submitted within 3 months of the incident, or 3 months from your last meaningful contact with the University about the issue you are complaining about. Complaints submitted beyond this time limit will be considered at the discretion of the Data Protection Officer. Historic issues may limit the availability of evidence for an investigation, e.g. records may have been destroyed in line with our records retention schedule, or there may have been changes in staff.
3.8. The complaint will be investigated fairly and thoroughly, with consideration shown for legislative requirements and any evidence you provide.
3.9. To investigate your complaint, it may be necessary for the investigator to contact you for further information. This may include discussing the issue in a meeting.
3.10. If you fail to provide sufficient assistance for an effective investigation to be conducted, then your complaint may be closed.
3.11. Upon completion of the investigation, you will be contacted and notified of:
- Whether your complaint has been upheld, partly upheld or not upheld;
- An explanation of the decision, including how it was reached;
- Any recommendations and/or resolutions proposed by the University;
- Information on your next steps if you are dissatisfied with the outcome.
4. External Complaint
4.1. If you remain dissatisfied following the outcome of the review, you have the right under data protection legislation to escalate your concerns directly to the Information Commissioner.
4.2. The Information Commissioner can be contacted at the following address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
4.3. Further information is available on their website: Make a complaint | ICO
4.4. The University may need to share information relating to you and your complaint and the investigation with the Information Commissioner to assist their review.
5. Confidentiality & Complaint data
5.1. To ensure the integrity of the process, all parties involved in the operation of this Procedure, including those who are the subject of the complaint, those bringing the complaint, any witnesses and those operating the Procedure, must ensure that they maintain an appropriate level of confidentiality.
5.2. In imposing an expectation of confidentiality, the University recognises that it may be necessary and therefore appropriate for those involved in this Procedure to share certain confidential information with members of staff within the University or third parties, as set out below.
5.3. The University may disclose information:
- to those who need to know to discharge their responsibilities at work;
- where it considers that disclosure is necessary in the interests of health and safety at work or the welfare of other staff, students or the public interest;
- where disclosure is required by law;
- to witnesses and/or attendees of meetings within the Procedure.
5.4. Students and staff members may disclose information:
- to professional advisers for the purpose of obtaining advice;
- to family members and support services for the purpose of obtaining guidance and support;
- to relevant bodies such as the Information Commissioner.
5.5. The University will collect data on complaint outcomes and use it in an anonymised format for reporting, evaluation and for learning and development purposes.
5.6. Personal data processed for the purpose of investigating a complaint will be handled in line with the University’s Privacy Notices.
Appendix 1 – Complaint Process Flowchart 
Appendix 2 – Types of complaints eligible for investigation
The following are examples of the types of complaints that will be considered under this procedure:
- Breach of the data protection principles:
  - Data not processed under an applicable lawful basis
  - Data not processed fairly or transparently
  - Data further processed with incompatible purpose
  - Excessive data processed
  - Inaccurate or out of date data
  - Data retained longer than necessary
  - Data not held securely
- Consent not obtained under the appropriate conditions
- Failure to provide adequate privacy information during data collection
- Failure to respond to, or unsatisfactory response to, an information rights request
- Complaints about the impact of a personal data breach
The following are examples of the types of complaint that will not be considered under this procedure:
- Personal data breaches are investigated under our Data Breach Reporting Procedure. However, complaints from data subjects about damage or distress experienced as a consequence of a data breach may be considered under this procedure.
- Responses to Freedom of Information requests are considered under the University’s FOI review procedure.
- If your complaint contains concerns that your data protection rights and freedoms have been infringed, either alongside other complaints or as part of a wider complaint (e.g. about services provided by the University, staff or student misconduct, or a health and safety concern), you should submit your complaint under the relevant procedure for students or staff in the first instance. This might entail raising a student complaint, staff grievance or whistleblowing concern.