Schedule of Processing Activities

1. Identity and Contact Details

RoleDetails
Data ProcessorJMG Campus Resolve (Jenny Gradwell)
jenny@campusresolve.co.uk
Data ControllerThe University/Higher Education Institution (as defined in the Agreement)
Data Protection Officer (Controller)As nominated by the Client

2. Purpose of Processing

The personal data is processed solely to support the Client in conducting investigations, disciplinary proceedings, appeals, and safeguarding inquiries within the higher education sector. Specific purposes include:

  • Gathering evidence and conducting interviews with reporting parties, respondents, and witnesses.
  • Producing investigation reports and findings.
  • Supporting the Client’s decision-making processes regarding disciplinary outcomes or regulatory compliance.
  • Providing training or consultancy advice related to the investigation or disciplinary process (where applicable).

3. Categories of Data Subjects

  • Reporting parties (students, staff, or third parties).
  • Respondents (students, staff, or third parties).
  • Witnesses.
  • Relevant University staff involved in the process.

4. Categories of Personal Data Processed

CategoryDescriptionSpecial category data?
Identity & contactNames, job titles, student/staff IDs, email addresses, phone numbers, home addresses.No
Employment/student recordsEmployment history, grades, attendance records, previous disciplinary records.No
CorrespondenceEmails, letters, internal communications relevant to the case.No
Meeting recordsTranscripts of interviews (via ms Teams), written witness statements, investigator notes.No
Financial dataBank details, expense claims, salary information (only where fraud is investigated).No
Health informationMedical certificates, mental health disclosures, disability adjustments.Yes (Article 9 UK GDPR)
Criminal convictionsDisclosure of criminal records, DBS checks, police involvement.Yes (Article 10 UK GDPR)
Safeguarding concernsAllegations of abuse, neglect, or harm to vulnerable individuals.Yes (Article 9 UK GDPR)

Biometric data and data relating to individuals under 18 years of age are not routinely collected.

5. Sources of Data

Data is obtained from:

  • Directly from data subjects (via interviews, witness statements, and correspondence initiated during the investigation).
  • From the data controller (via secure transfer of HR/student files, student records, and initial case documentation provided by the University).

6. Recipients of Data (Internal and External)

  • Internal:
    • Authorised investigators and administrative staff of JMG Campus Resolve. Access is restricted via role-based permissions and Multi-Factor Authentication (Duo).
  • External (Sub-processors):
    • Microsoft Corporation (UK/EU): For hosting data (OneDrive, SharePoint, Exchange Online) and processing (MS Teams auto-transcription).
    • No other sub-processors are currently engaged.

7. International Transfers

  • No international transfers occur.
  • All data processing, storage, and investigator operations are conducted exclusively within the United Kingdom.
  • Microsoft 365 data residency is configured for the UK/EU region.

8. Retention and Disposal

Retention Period:

Data is retained until:

  • The investigation and all associated disciplinary/appeal processes are fully concluded, unless UK law requires retention.

Disposal Method:

  • Digital Files: Permanent deletion from active systems, archives, recycle bins, and backup tapes.
  • Recordings: Interview audio/video recordings are deleted immediately once the written transcript/notes are agreed upon by the parties, unless required as evidence for a specific legal proceeding.
  • Physical Copies: Shredded by certified destruction methods (if any physical copies exist).

9. Security measures

JMG Campus Resolve implements the following technical and organisational measures:

  • Encryption: Data is encrypted in transit and at rest using Microsoft 365 Business Standard encryption standards (AES-256 for data at rest, TLS 1.2/1.3 for data in transit), supplemented by Duo Security for Multi-Factor Authentication.
  • Access Control: Strict role-based access control (RBAC) limits data access to authorised investigators only.
  • Device Security: All devices used for processing are password-protected, encrypted (BitLocker/FileVault), and managed via Intune or equivalent MDM.
  • Confidentiality: All staff are bound by written confidentiality agreements and undergo regular data protection training.

10. Data Subjects Rights and Assistance

  • Contact Point:
    • Requests from data subjects (access, rectification, erasure, etc.) must be directed to the Client (Controller) who will notify JMG Campus Resolve at jenny@campusresolve.co.uk
  • Response Time:
    • JMG Campus Resolve will assist the Client in fulfilling these requests within 7 calendar days of notification.
  • Restrictions:
    • Erasure: Requests for erasure will be declined if the data is necessary for the establishment, exercise, or defence of legal claims (e.g., ongoing investigations) or for compliance with a legal obligation.
    • Recording Deletion: As noted in Section 8, raw interview recordings are deleted after transcription to minimise data retention, but the content (transcript/notes) is retained as part of the investigation record.

11. Data Breach Notification

  • Notification Window:
    • JMG Campus Resolve will notify the Client without undue delay, and in any event within 24 hours of becoming aware of a personal data breach.
  • Content of Notice:
    • The notice will include the nature of the breach, categories of data/subjects affected, likely consequences, and measures taken/proposed to address the breach.

If a signed SPA is required please let me know and I will send a copy as a Word document.