Privacy Notice

Where we get your data from

Culture Shift process data through Report + Support. The data we process is collected in the following ways:

When you give it to us directly - you may give data directly through Report + Support in order to report harassment or abuse.

When you give permission for the Client to share it with us - you may have given permission for the Client to open a case using Report + Support. This report will likely contain personal/special category data relating to you.

When you have been identified in a report made by someone else – in the course of someone else making a report, personal and/or special category data relating to you could be provided directly by another person or inputted by a caseworker.

In the event that you are named, and/or you are identifiable in any way within a report, the Client will seek to take appropriate action.

The Client will provide further details in their privacy notice and/or reporting policy.

When you use our website - the Report + Support Website uses cookies.

A cookie is a small text file that is downloaded onto ‘terminal equipment’ (eg a computer or smartphone) when the user accesses a website. It allows the website to recognise that user’s device and store some information about the user’s preferences or past actions.

We use functionality and analytical cookies.

Functionality cookies

Name | Purpose | Expires
language | Lets us know your browser language. | When you close your browser
this.sid | Lets us know when your session starts and ends, so we can log you out. | When you close your browser
keystone.uid | When logged in, this allows us to show you the right information and keep you logged in when you navigate between pages. | After 15 minutes
XSRF-TOKEN | To prevent XSRF/CSRF attacks when logged in. | When you close your browser

Analytical cookies

If enabled, Google Analytics stores information about:

  • The pages you visit on the site
  • How long you spend on each page
  • How you got to the site 
  • What you click on while you’re visiting the site

Google Analytics does not collect or store personal information and cannot identify who you are.

Name | Purpose | Expires
_ga | Helps us count how many people have visited the site by tracking if you've visited before. | After 2 years
_gid | Helps us count how many people have visited the site by tracking if you've visited before. | After 24 hours
_gat | Used to manage the rate at which page view requests are made. | After 10 minutes
_utma | Lets us know if you’ve visited before, so we can count how many of our visitors are new to the site or to a certain page. | After 2 years
_utmb | This works with _utmc to calculate the average length of time you spend on the site. | After 30 minutes
_utmc | This works with _utmb to calculate when you close your browser. | When you close your browser
_utmz | Tells us how you reached the site (for example from another website or a search engine). | After 6 months

If you want to delete or block any cookies, please refer to the help and support area on your internet browser for instructions on how to locate the file or directory that stores cookies.

Information on deleting or controlling cookies is also available at www.aboutcookie.org

To opt out of being tracked by Google Analytics across all websites, visit http://tools.google.com/dlpage/gaoptout

What we collect

The data we collect about you depends on what you have provided and how you have provided it. We only process and store data that has been inputted directly into Report + Support either by the data subject or a Client's case worker.

It will include some or all of the following:

Personal Data:

  • Name
  • Email address
  • Telephone number
  • Student ID number

Special Category Data:

  • Race
  • Ethnic origin
  • Politics
  • Religion
  • Union membership
  • Health
  • Sex life
  • Sexual orientation

Free text data provided at point of reporting - where the Client uses a free text box at the point of reporting, personal and/or special category data relating to you could be provided directly by another person or inputted by a caseworker.

Free text data provided during an investigation - where the Client does not use a free text box at the point of reporting, personal and/or special category data relating to you could be provided by another person and inputted by a Client case worker.

In the event that you are named, and/or you are identifiable in any way within a report, the Client will seek to take appropriate action.

The Client will provide further details in their privacy notice and/or reporting policy.

What we do with it

Data could be collected through Report + Support to report incidents of one or more of the following:

  • Bullying
  • Discrimination
  • Harassment
  • Hate crime
  • Mental health and wellbeing concerns
  • Sexual harassment
  • Sexual violence

Culture Shift process and store data on behalf of the Client. We do not routinely access the data. We are only able to view the data in exceptional circumstances, for example when carrying out maintenance work or responding to a security incident.

The data collected will be used by the Client to support individuals who have reported one or more of the above. How the Client use that data will be detailed in their privacy notice, along with reference to any third party other than Culture Shift with whom they may share that data.

Lawful basis for processing

Under Article 6 of the General Data Protection Regulation we have a legitimate interest to process personal data on behalf of the Client to enable them to monitor assault and abuse across their campus and provide support to such victims.

Under Article 9 of the General Data Protection Regulation we process special category data on behalf of the Client for the purposes of carrying out the obligations and exercising specific rights of the Client or of the data subject in order to provide appropriate safeguards for the fundamental rights of and uphold a duty of care to the data subject.

Who we share it with

Culture Shift use Amazon Web Services to host our servers. We don’t share data with anyone other than the Client who controls it. We do not transfer data outside the EEA.

How we keep it safe and up to date

In accordance with UK and European data protection laws, we take measures to secure all personal data.

We maintain physical, electronic, and procedural safeguards in connection with the collection, storage, and disclosure of personal and special category data.

We assign retention periods to all personal data and special category data.

AWS protect the security of your information during transmission to or from AWS websites, applications, products, or services by using encryption protocols and software.

How we uphold your rights

The General Data Protection Regulation (GDPR) provides the following rights for individuals:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

You can request any of the above by contacting the Client directly. They will then instruct us as their processors to enact any of these rights accordingly. We will provide confirmation that this has been carried out.

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have not adequately upheld these rights.