Governance and Compliance

Record of Processing Activities

ICO Registration Number - Z6428144

Data Controller - University of Sussex, Sussex House, Falmer, Brighton, BN1 9RH

Data Protection Officer - Alexandra Elliott, Head of Information Management and Compliance, 01273 678472, dpo@sussex.ac.uk

Why do we process personal data?

We process personal data to enable us to provide education and support services to our students, staff and others, and to conduct research. This will include advertising and promoting the University and the services we offer; publication of the University magazine and alumni relations; undertaking research and fundraising; managing our accounts and records; and providing commercial activities to our customers. We also process personal data by way of collecting and monitoring visual images via the use of CCTV systems for the prevention and detection of crime. We will also use this data where necessary to support the investigation of disciplinary proceedings against staff and students, for monitoring security and for assisting in traffic management and parking enforcement.

Throughout all stages of our data processing we will remain compliant with data protection legislation, namely the General Data Protection Regulation 2016/679 (‘GDPR’) and the Data Protection Act 2018 (‘DPA’).

What types of personal data do we process?

We will only process personal data which is necessary for the purposes detailed above. We will not process any personal data that we do not need to. The types of personal data that we process may include the following:

  • Personal and family details
  • Lifestyle and social circumstances
  • Education details and student records
  • Employment details
  • Financial details
  • Attendance records and details of disciplinary proceedings  
  • Vetting checks
  • Visual images (obtained by CCTV and campus photographers)
  • Data held in order to publish university publications and promotional material  

We also process the following special categories of personal data:

  • Racial or ethnic origin
  • Political opinion
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data (where used for the purpose of identifying a person)
  • Health data
  • Sex life or sexual orientation

Whose personal data will we process?

We process personal data about the following types of person:

  • Prospective students, applicants to the University and students of the University
  • Alumni
  • Donors and friends of the University
  • Applicants, employees, contracted and temporary personnel
  • Third parties participating in research, teaching or placements
  • Complainants, enquirers and persons who may be the subject of an enquiry
  • Individuals captured by CCTV or photography
  • Suppliers, professional advisers and consultants 

Who might we share this personal data with?

We will sometimes need to share the personal data we hold with other parties. A description of the types of people, parties and organisations that we may be required to share personal data with is as follows:

  • Professional and regulatory bodies, including examining and accreditation bodies
  • The Students’ Union
  • Healthcare, social and welfare organisations
  • Trade unions and staff associations
  • Current, past or prospective employers
  • Internal and external auditors
  • Suppliers and service providers, including consultants and professional advisers
  • Relevant government departments such as the Office for Students, the Home Office, Her Majesty’s Revenue and Customs and local authorities
  • Courts, tribunals and legal representatives
  • Police forces, and other security and law enforcement organisations
  • Financial organisations, debt collection and tracing agencies

What happens when we need to share personal data with people or organisations who are outside the European Economic Area?

It may be necessary for us to transfer personal data outside of the European Economic Area (‘EEA’), for example as part of our research, or where we are using suppliers and service providers outside of the EEA. We have processes in place to ensure that any transfers we make are carried out in compliance with the DPA and the GDPR and maintain the same safeguards and protections for personal data.

The countries with which we share data will include (but are not limited to) the following: America, Australia, Canada, Chile, China, Colombia, India, Japan, Malaysia, Mexico, Morocco, New Zealand, Qatar and Singapore.

How long will we keep the personal data we process for?

The University only holds personal data for as long as is necessary for the purpose(s) for which it is collected and we have a detailed schedule of retention timeframes in place. Our Master Records Retention Schedule and records management policy can be found on our website at the following address: http://www.sussex.ac.uk/ogs/policies/information/recordsmanagementguidance.

What steps do we take to keep personal data secure?

Data security is a priority for us and we have various measures in place to keep all personal data secure. We have policies and procedures which support our overall data governance and information security and these can be found on our website at the following address: https://www.sussex.ac.uk/infosec/policies.