Division of General Counsel, Governance and Compliance

Record of Processing Activities


ICO Registration Number Z6428144
Data Controller University of Sussex, Sussex House, Falmer, Brighton, BN1 9RH
Data Protection Officer Alexandra Elliott, Head of Information Management and Compliance, 01273 678472, dpo@sussex.ac.uk


Why do we process personal data?

We process personal data to enable us to provide services, support and education to our students, staff and others, and to conduct research. This includes advertising and promoting the University and the services we offer; publication of the University magazine; alumni and donor relations and fundraising; undertaking research; managing our accounts and records; and providing commercial activities to our customers.

We also process personal data by way of collecting and monitoring visual images via the use of CCTV systems and body worn devices for the prevention and detection of crime. We use this data where necessary to support the investigation of disciplinary proceedings against staff and students, for monitoring security and for assisting in traffic management and parking enforcement.

Throughout all stages of our data processing, we will remain compliant with data protection legislation, including the UK’s General Data Protection Regulation, the Data Protection Act 2018 (‘DPA’) and the EU’s General Data Protection Regulation to the extent that it applies.

What types of personal data do we process?  

We only process personal data which is necessary for the purposes detailed above. We do not process any personal data that we do not need to. The types of personal data that we process may include the following:

  • Personal and family details
  • Lifestyle and social circumstances
  • Education details and student records
  • Employment details
  • Financial details
  • Attendance records and details of disciplinary proceedings  
  • Vetting checks and Disclosure and Barring Service details
  • Visual images (e.g. those obtained by CCTV and campus photographers)
  • Data held in order to publish university publications and promotional material
  • Data relating to criminal convictions and proceedings

Further information about what personal data we process and why can be found in the University’s Privacy notice. We also have separate Privacy notices in place where the processing of personal data is more specific, such as in our Development and Alumni Relations team or with our Access and Participation in Higher Education activities.

We also process the following special categories of personal data:

  • Racial or ethnic origin
  • Political opinion
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data (where used for the purpose of identifying a person)
  • Health data
  • Sex life or sexual orientation

Further information on our legal basis for processing special category personal data can be found in our Appropriate Policy Document.

Whose personal data will we process?  

We process personal data about the following types of person:

  • Prospective students, applicants to the University and students of the University
  • Alumni
  • Donors and friends of the University
  • Applicants, employees, contracted and temporary personnel
  • Third parties participating in research, teaching or placements
  • Complainants, enquirers and persons who may be the subject of an enquiry
  • Individuals captured by CCTV, body worn devices or photography
  • Suppliers, professional advisers and consultants
  • Visitors to the University

Who might we share this personal data with?

We sometimes need to share the personal data we hold with other parties. A description of the types of people, parties and organisations that we may be required to share personal data with is as follows:

  • Professional and regulatory bodies, including examining and accreditation bodies
  • The Students’ Union
  • Healthcare, social and welfare organisations
  • Trade unions and staff associations
  • Current, past or prospective employers
  • Internal and external auditors
  • Suppliers and service providers, including consultants and professional advisers
  • Relevant government departments such as the Office for Students, the Home Office, Her Majesty’s Revenue and Customs and local authorities
  • Courts, tribunals and legal representatives
  • Police forces, and other security and law enforcement organisations
  • Financial organisations, debt collection and tracing agencies

What happens when we need to share personal data with people or organisations who are outside the United Kingdom?

It may be necessary for us to transfer personal data outside of the UK for example as part of our research, where we are using suppliers and service providers outside of the UK or where we have a Visiting and Exchange Programme with a university in another country. We have processes in place to ensure that any transfers we make are carried out in compliance with data protection requirements and we ensure that the same safeguards and protections of personal data are in place. 

How long will we keep the personal data we process for?

The University only holds personal data for as long as is necessary for the purpose(s) for which it is collected and we have a detailed schedule of retention timeframes in place. Our Records Management Policy and Master Records Retention Schedule provide further information on the retention and destruction of data.

What steps do we take to keep personal data secure?

Data security is a priority for us and we have various measures in place to keep all personal data secure. We have a number of policies and procedures which support our overall data governance and information security. Our Information Asset Registers ensure we know what data is held and where, and our Information Security policies set out the requirements to ensure that personal data is safeguarded.

We keep our Record of Processing Activities under regular review. This document was last updated on 28 February 2024.