Division of General Counsel, Governance and Compliance

Subject access requests

Individuals have the right to access personal data that the University holds about them. An individual can request this data by submitting a subject access request. In addition to receiving copies of the personal data they can also ask for information about:

  • the purpose of the University’s processing,
  • the categories of personal data involved,
  • who the University discloses personal data to,
  • how long the University stores personal data,
  • information about the source of the personal data,
  • any automated decision making or profiling, and
  • the safeguards in place if the University transfers personal data overseas.

Most of this information is set out in the University’s Privacy Notice.

How to make a subject access request?

Individuals, or those acting on their behalf, can make a subject access request to the University either in writing or verbally. Before submitting a request, it may help to read the guidance on requesting personal data from the Information Commissioner's Office (‘ICO’).

When you are ready to submit your request, remember to include:

  • A clear explanation of the data you require. Where possible, please include dates and names of individuals or departments who you think may hold your personal data. If you do not provide sufficient detail about the scope of your request, then we will make reasonable searches of our core records only.
  • A copy of your proof of identity such as a passport, driving licence or student ID card.
  • If you are submitting the request on behalf of someone else, we will need their signed form of authority so we can establish that you are making the request on their behalf with their consent.

Requests should be made to the Data Protection Officer and, for ease, these can be emailed to dpo@sussex.ac.uk or posted to: Data Protection Officer, University of Sussex, Sussex House, Brighton, BN1 9RH.

Once we have received all of the information we need from you to deal with your request, the University will usually respond within one calendar month.

Dealing with your request

We will liaise with the appropriate departments and individual members of staff to obtain the personal data that you have requested. Once we have gathered all of the data, we will review it to check that it is in the scope of your request. Your right of access relates to your personal data and so this means that we will usually only disclose the parts of documents that include your data.  

We will also check whether the information includes personal data of other individuals. If other individuals can be identified from the information, we will remove their data.  Where it is not possible to do so, we will consider whether we should seek the consent of the third party to release the information to you. This could mean disclosing to them that you have made a subject access request.

We will also consider whether any of the information is exempt from disclosure under Data Protection legislation. Some of the relevant exemptions include information that is subject to legal professional privilege, confidential references and exam scripts. Further information can be found in the ICO’s guidance on exemptions.

Our response can be provided in a digital or paper copy. Where we have received the request electronically, we will provide our response in the same way unless otherwise requested.

If you have any queries about how to make a subject access request or how the University deals with such requests, please contact the Data Protection Officer.


Last updated 1 December 2021