Planning, Governance and Compliance

Data Protection Act 1998

The Data Protection Act applies to 'personal data', i.e. data about living individuals. The University is required to comply with rules of information handling, known as the Data Protection Principles, and other requirements of the Data Protection Act (DPA), including maintaining student data in secure conditions and processing and disclosing data only within the terms of its Data Protection notification.

What is personal data?

The DPA gives the following definition:

'data which relate to a living individual who can be identified -
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.'

Certain data are classified under the Act as 'sensitive personal data', for example: racial or ethnic origin; religious or other beliefs of a similar nature; physical or mental health or condition; sexual life; offences (including alleged offences).

What are the Data Protection Principles?

The University must process all personal information in accordance with the eight Data Protection Principles. When personal information is processed, the data must be:

1. fairly and lawfully processed;
2. processed for limited purposes;
3. adequate, relevant and not excessive;
4. accurate;
5. not kept for longer than is necessary;
6. processed in line with your rights;
7. secure; and,
8. not transferred to countries outside the EEA without adequate protection.

What is a data protection notification?

The Information Commissioner maintains a public register of data controllers. The University of Sussex (the 'data controller' for the purposes of the Act) has to notify the Commissioner that it is processing data and it therefore appears on the register.

Each register entry includes the name and address of the data controller and a general description of the processing of personal data by the data controller.

How do I find out more about Data Protection matters?

The links on the right provide more detailed guidance for students and staff and set out the procedures that should be followed when requesting your own personal information via a Subject Access Request (in accordance with section 7 of the DPA). If you have further questions or require specialist help on the legislation, please contact the Information Officer.

Contact details:

Information Officer
Planning, Governance & Compliance
Sussex House
University of Sussex

Phone: 01273 606755 ext 3954