Planning, Governance and Compliance

Rights of Individuals

The General Data Protection Regulation (‘GDPR’) gives individuals a number of rights in relation to their personal data. Information about each of the rights is provided below.

1. Right to information

One of the important principles in the GDPR is transparency and individuals have the right to be informed about the collection and use of their personal data. The University provides this information in its Privacy Notice.

2. Right to access

Individuals have a right to access their personal data held by the University, which is often known as a subject access request. This enables individuals to check how and why the University is using their personal data. More detailed information about how to make a subject access request is set out at the end of this section.

3. Right to rectification

Individuals have a right to ask the University to rectify any inaccuracies in the personal data held about them or, if the personal data is incomplete, to ensure that the data is completed. Any such request can be made in writing or verbally and the University has one calendar month to respond to the request.

4. Right to erasure

The GDPR introduces a new right for individuals to have personal data erased, also known as the right to be forgotten. The right is not an absolute one and only applies in certain circumstances. For example, an individual can ask for personal data to be erased where it is no longer necessary for the purpose it was originally provided, or processing was on the basis of consent which is then withdrawn.

A request to erase data can be made in writing or verbally and the University has one calendar month to respond to the request.

5. Right to restrict processing

Individuals have the right to request the restriction or suppression of their personal data, either in writing or verbally. This means that you can ask the University to limit the way that it uses your personal data, but only in certain circumstances. For example, if you think that the data held is inaccurate or you object to the basis for processing, you can ask that any processing is restricted whilst the data is verified or the matter is considered. The University has one calendar month to respond to the request.

6. Right to data portability

The right to data portability allows individuals to receive their personal data in a structured, commonly used and machine readable format and they can request that one controller transmits the data directly to another controller. It only relates to personal data that the individual has provided to the controller and which is processed by automated means (i.e. excluding paper files). Also the right only applies when the lawful basis for processing is consent or performance of a contract.

7. Right to object

Individuals have a right to object to the processing of their personal data in certain circumstances. Where personal data is used for direct marketing, this is an absolute right. But in other cases, it depends on the purpose for processing and the lawful basis that the University is relying on.

Further information about the individual’s rights under the GDPR can be found on the ICO’s website and the University’s Data Protection Officer can also be contacted at dpo@sussex.ac.uk for further information.

Accessing your personal information

Individuals have the right to access personal data that the University holds about them, known as a subject access request. They can also ask for information about:

  • the purpose of the University’s processing,
  • the categories of personal data involved,
  • who the University discloses personal data to,
  • how long the University stores personal data,
  • information about the source of the personal data,
  • any automated decision making or profiling, and
  • the safeguards in place if the University transfers personal data to a country outside of the European Economic Area or an international organisation.

Most of the above information is set out in the University’s Privacy Notice.

How to make a subject access request?

Individuals, or those acting on their behalf, can make a subject access request to the University either in writing or verbally. Before submitting a request, it may help to read the guidance on requesting personal data from the Information Commissioner's Office.

When you are ready to submit your request, remember to include:

  • A clear explanation of the data you require. Where possible, please include dates and names of individuals or departments who you think may hold your personal data.
  • A copy of your proof of identity such as a passport, driving licence or student ID card.
  • If you are submitting the request on behalf of someone else, we will need a signed form of authority so we can establish that you are making the request on their behalf.

Requests should be made to the Data Protection Officer and, for ease, these can be emailed to dpo@sussex.ac.uk or posted to: Data Protection Officer, University of Sussex, Sussex House, Brighton, BN1 9RH.

Once we have received all of the information we need from you to deal with your request, the University will respond within one calendar month. In most cases, we will not charge a fee to deal with your request.

Dealing with your request

We will liaise with the appropriate departments and individual members of staff to obtain the personal data that you have requested. Once we have gathered all of the data, we will review it to check that it is in the scope of your request and whether it includes personal data of other individuals.

If other individuals can be identified from the information, we may remove their data where possible and, if not, we may seek the consent of the third party to release the information to you. This could mean disclosing to them that you have made a subject access request. Where consent cannot be obtained or is refused, we will consider whether it is reasonable to release the information to you.

Our response can be provided in a digital or paper copy. Where we have received the request electronically, we will provide our response in the same way unless otherwise requested.