Privacy notice
Read about how we process information about you (known as personal data) and find out about your rights.
This notice outlines the University’s processing activities relating to personal data and covers the following:
- overview
- the basis for processing your personal data
- personal data we collect about you and how we use it
- retention of personal data
- disclosure and transfer of personal data
- your rights including access to information and correction
- cookies
- other websites
- changes to our privacy notice
- how to contact us.
Overview
The University of Sussex is registered as a data controller with the Information Commissioner’s Office (ICO). Our registration reference is Z6428144.
You can refer to the University’s Data Protection Policy for more information about our commitment to processing personal data in a way that is compliant with relevant data protection legislation. This includes the Data Protection Act 2018, the UK General Data Protection Regulation (‘UK GDPR’) (as implemented by the Data Protection Act 2018), and the EU General Data Protection Regulation 2016/679.
The Data Protection Officer for the University of Sussex is Alexandra Elliott, Head of Information Management and Compliance. If you have any queries concerning your personal data and how it is processed, you can contact the Data Protection Officer at dpo@sussex.ac.uk.
The basis for processing your personal data
Under the University’s Royal Charter, the University’s purpose is ‘to advance learning and knowledge by teaching and research to the benefit of the wider community’.
The University processes personal data largely on the basis that it is necessary for the performance of our tasks carried out in the public interest (‘public task’), in connection with our teaching and research activities.
We also process personal data to provide administrative and support services to our students and staff; to support alumni relations and fundraising; to promote the University and recruit students; to maintain our records, accounts, and commercial activities; and to manage the overall running of the University and maintenance of its campus, including monitoring and evaluating its performance and effectiveness.
Additionally, we process personal data because it is necessary for the performance of a contract, or in order to take steps at an individual’s request prior to entering a contract. For example, this may include interacting with individuals before they are enrolled as a student, as part of the admissions process, or the recruitment and hiring of staff.
We may also need to process personal data to comply with our legal obligations. This can include compliance and regulatory obligations, immigration obligations and safeguarding requirements, or to assist with investigations carried out by the police or other authorities. We may also process personal data for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings), for the purpose of obtaining legal advice, or when necessary for the purposes of establishing, exercising or defending legal rights.
In some cases, we process personal data because it is necessary for our or a third party’s legitimate interests, or in circumstances where we have specific consent to do so. Finally, in limited circumstances, we may also process personal data where it is necessary to protect a person’s vital interests (i.e. in matters of life or death).
Special category data
Personal data may include ‘special categories of data’ as described in data protection legislation, such as information about an individual’s racial or ethnic origin, religious beliefs, sexual orientation, and physical or mental health.
When we process special category data, we must meet one of the conditions in the data protection legislation (Article 9 of the UK GDPR). Usually, this will be with the explicit consent of the individual but other examples of situations where we process special category data include:
- To meet our employment obligations, such as health and safety requirements;
- For health or social care purposes such as occupational health;
- For reasons of public interest in the area of public health e.g. Covid-19 reporting;
- For reasons of substantial public interest such as ensuring equality of opportunity or treatment, or protecting the public against dishonesty;
- For research purposes, where such research is in the public interest; and
- To manage legal claims and proceedings.
Information about how and why the University processes special category data, as well as criminal convictions data, and how we safeguard this data can be found on our Data Protection pages and in our Appropriate Policy Document.
Further information about the processing of this type of personal data is published on the ICO’s website.
Personal data we collect about you and how we use it
Information is collected in different ways depending on your interaction with the University and personal data is processed for the purposes outlined below.
Website visitors and enquiries
We collect personal data from visitors to the University’s website through the use of online forms as well as when you email us with an enquiry. We collect information about the transactions you undertake through the website including details of payment cards used. In addition, we collect information automatically about your visit to our website. Further information about ‘Cookies’ is set out below.
We may process personal data collected through this website or other electronic networks used by the University, for the purposes of advertising, marketing, public relations and general advice services, such as:
- the identification of recipients for University services and administration of promotional campaigns;
- the advertising and promotion of the University and its services including by direct marketing means;
- the advertisement and provision of general advice to members of the public about University services;
- the advertisement and promotion of the University through third party products and services, e.g. financial sponsorship;
- fundraising for the University and other organisations (excluding fundraising through alumni).
Prospective applicants, applicants, students and alumni
We collect personal data from individuals who are enquiring about the admissions process and/or considering submitting an application to study at the University. We collect personal data via student applications through the UCAS system and our own application systems. Should you subsequently enroll as a student at the University, a student record will be created for you.
The data collected from prospective students, students, and/or alumni of the University is used for the following purposes:
Accounts and records
- the administration of student accounts and payments;
- the collection of student fees;
- to maintain a central student record;
- to enable us to fulfill statutory reporting obligations.
Education
- administration relating to the application process, e.g. receipt and processing of application forms, liaison with UCAS and agents, assessment of grades and applications in order to determine offers of admission, and to produce statistics relating to admissions;
- administration required for provision of education and training (such as registration and timetabling);
- provision of education and training such as the planning and control of curricula and exams, and commissioning, validating and producing educational materials;
- to contact individuals who have provided disability details at the point of application or registration to signpost to our Disability Advice service to register for arrangement of reasonable adjustments;
- to consider exceptional circumstances claims and implement reasonable adjustments;
- to deal with student awards and scholarships;
- calculation and publication of assessment and exam results;
- to carry out student discipline, student complaints and academic misconduct processes;
- to administer the academic appeals process;
- administration relating to visiting and exchange students and the Study Abroad programme;
- video capture of lectures, seminars and other teaching activities, and to support the online delivery of teaching, in line with the University’s Policy on the Recording of Teaching Activities;
- provision of references and transcripts;
- administration related to student visas and UKVI obligations;
- attendance and engagement monitoring, in line with our published policies.
Student experiential services
- to allocate housing and to provide campus and residential support for students living in University-managed accommodation;
- administration of grants and loans, e.g. student loans and access loans;
- administration and provision of library services including membership records, loan/hire records, information and databank administration;
- ticket issue/reservation services and the running of events;
- administration and provision of a student card;
- administration and provision of welfare and support services*;
- administration and provision of careers guidance;
- activities undertaken as part of our commitment to widening participation and access;
- administration and provision of computing and IT facilities;
- administration and provision of Student Union services;
- to request testimonials from current students for the purpose of assisting prospective students through the application and Clearing processes.
* The provision of welfare and support services may sometimes involve special category data and where necessary, your consent will be sought and we will provide additional information.
Alumni relations
- the promotion of the relationship between the University and its alumni;
- University-related fundraising initiatives involving alumni;
- advertising and promotion of alumni events and reunions;
- distribution of University mailings, e.g. alumni magazines, newsletters, annual reports, and message forwarding (without disclosure of data);
- the promotion of benefits and services available to alumni from third parties;
- eliciting non-financial support, such as careers advice, to students and help with student recruitment;
- advertising, marketing and public relations for others.
For more detailed information about how we use personal data as part of our alumni relations, see our alumni services privacy notice.
Your personal data may be used to send you details of products or services that we offer that we have identified as likely to be of interest to you, but you will only be contacted according to the preferences you submit when providing your personal data. If you would like to change these preferences (e.g. opt out of receiving some communications or change channels used for contact) at any point, you can:
- use the link on the bottom of the last email you received from our Alumni team;
- use Study/Sussex Direct to update your preferences if you are a current student;
- email alumni@sussex.ac.uk.
Employment applicants and staff
We collect personal data via the employment application and recruitment process, and when you enter into a contract as an employee of the University. The way your data is used is outlined below:
Employment applications
- selection processes, including short-listing candidates and interviews;
- equality and diversity monitoring;
- processing expenses related to interview processes;
- pre-employment health screening.
Staff members
- payroll administration and HMRC compliance;
- administration of employee pension schemes;
- provision of occupational health services, including for pension purposes;
- management of absence records;
- verification of eligibility/right to work;
- administration of flexible working arrangements and remote working;
- providing access to secured buildings and to parking facilities;
- ensuring compliance with the University’s Equality and Diversity Policy;
- reviewing performance and facilitating promotion and reward;
- to carry out staff grievance and disciplinary processes;
- processing expenses and administrating corporate spending accounts;
- to enable us to fulfill statutory reporting obligations.
Basic personal details can be maintained via Sussex Direct and MyView, and/or by contacting your Human Resources representative.
Research
Research is part of the University’s public task and our research activities will often involve the processing of personal data, including special category data. Further information can be found below and within our Research policies.
A range of personal data is collected through our research activities. This may include details about a person such as their name, family information and work details, a person’s thoughts or feelings, or their views or opinions on specific research areas. Data is collected in a variety of ways, such as through questionnaires, interviews and focus groups, and from individuals themselves or others.
We may collect data from third parties or by extracting data from websites (known as data scraping). Third parties may include commercial or private organisations, or public and government bodies such as the NHS, HMRC or the Department for Education. For instance, we may request personal data from the Department for Education relating to pupil, learner and workforce datasets such as the National Pupil Database and the School Workforce Census. This can include data such as name and address, school details, learner records, special educational needs of pupils, salary information of teaching staff and special category data such as ethnicity and disability.
We only collect personal data that is needed for the research purposes and only keep the information in a way that enables individuals to be identified, for as long as is necessary.
Research participants
Where our research involves human participants, the research is subject to an ethical review process. This ensures that all ethical matters have been considered and the processing of personal data is appropriate. Research participants are provided with an information sheet relating to the specific piece of research they are participating in, which includes information on the collection, use, and retention of their personal data.
Special category data in research and health research
Our research may include special category data such as ethnicity, political or religious views, genetic data and health data. When we process special category data, we must meet one of the conditions in the data protection legislation (Article 9 of the UK GDPR).
The use of special category data in our research activities is on the basis that ‘processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes’ (Article 9(2)(j) of the UK GDPR).
As a University we use personal data to conduct research to improve health, care and services, and we ensure that it is in the public interest when we use personal data from people who have agreed to take part in research. This means that when you agree to take part in a research study, we will use your data in the ways needed to conduct and analyse the research study. Some of your rights, such as deletion of your data from the research project, may be limited, as we need to manage your data in specific ways in order for the research to be reliable and accurate. If you withdraw from the study, we will keep the information about you that we have already obtained. To safeguard your rights, we will use the minimum amount of personal data possible.
Health and care research should serve the public interest, which means that we have to demonstrate that our research serves the interests of society as a whole. We do this by following the UK Policy Framework for Health and Social Care Research.
Photography, video and video conferencing
The University’s photographer and colleagues in the Communications, Marketing and Advancement division routinely capture images and videos on campus for our communications and for promotional use on the University’s website, social media channels, and/or print materials, some of which may include individuals. In cases where individuals are clearly identifiable, consent will be obtained.
The University also records video footage of some events, such as our graduation ceremonies, for the purpose of making these available via its website to those who are unable to attend. Notices will be posted at events and information made available for those who prefer not appear in any footage.
To enable video conferences and meetings to take place in the context of increased flexible and remote working, the University recommends the use of a number of approved technology solutions (e.g. Microsoft Teams, Skype and Zoom), which have recording capabilities. Where recording of meetings or conferences is required, personal data is processed with the consent of those involved where necessary.
CCTV and Body Worn Video devices
The University processes personal data through the use of surveillance systems, such as CCTV and Body Worn Video devices, to monitor and collect visual and audio recordings to provide a safe environment for students, staff and visitors to the campus and for the purposes of security.
Such personal data may be used for the prevention and detection of crime; for evidential purposes to support criminal, civil and internal proceedings, including disciplinary investigations against staff and students; for assisting in traffic management and parking enforcement; and to assist in Health and Safety requirements and other legal or regulatory compliance obligations.
Retention of personal data
The University will only keep your personal data for as long as is necessary for the purpose for which it is processed.
Personal data is processed and stored in line with the University’s Records Management Policy and the associated Master Records Retention Schedule, which sets out how long different categories of personal data should be held by the University.
Disclosure and transfer of personal data
We will only disclose your personal data to a third party when we are required to by law, where we have your specific consent, or where it is necessary and appropriate arrangements are in place with regard to data sharing. For instance, we may disclose personal data to:
- companies or suppliers who we work with;
- relevant government departments and agencies such as the Office for Students, UKVI/the Home Office (in connection with visas and immigration), HMRC, and local authorities (for council tax and electoral registration purposes) or police (e.g. for the purposes of prevention and detection of crime and/or prosecution and apprehension of offenders);
- funding bodies such as Student Loans Company or sponsors;
- professional and regulatory bodies in relation to confirmation of qualifications, professional conduct and the accreditation of courses;
- legal representatives;
- internal and external auditors;
- the University’s insurers (e.g. when dealing with personal claims).
We are also required to send personal data to the Higher Education Statistics Agency (HESA). HESA collects personal data relating to staff, students and leavers from Higher Education. Details of how HESA will process your personal data can be found in the relevant HESA notices.
From time to time, the University will transfer personal data outside the United Kingdom. Personal data will only be sent to countries that have equivalent data protection safeguards or where we have arrangements in place to ensure the appropriate safeguarding of data. The University ensures that appropriate agreements with regard to data sharing are in place with contracted service providers and international partner institutions outside the United Kingdom.
Your rights including access to information and correction
You have a number of rights under data protection legislation:
- Information - where personal data is collected from you, you have the right to be various information about the collection and use of your personal data. This includes details about the purpose(s) for processing and retention periods for that personal data, and who it will be shared with;
- Information - where your data is not obtained from you, you have the same right to the information above, as well as details about what personal data is collected and by who;
- Access - you have the right to confirmation of whether or not we are processing your personal data and to obtain a copy of your data. This is known as a subject access request;
- Rectification - you have the right to rectify any inaccuracies in personal data concerning you;
- Erasure - you have the right to be forgotten in some circumstances, i.e. to have your data erased;
- Restriction - you have the right to restrict the processing of your personal data in certain ways;
- Where there is a request to rectify, erase or restrict the processing of data, we will let any recipients of that data know, where possible. You have the right to know who those recipients are;
- Data portability - you have the right to receive your personal data in a structured, commonly used and machine-readable format, and to transfer your data to another controller;
- Objection – you have the right to object to certain processing of your personal data by us, such as direct marketing;
- Decision making – you have the right not to be subject to a decision based solely on automated processing, including profiling; and
- Withdrawal of consent - Where your consent is the legal basis for our processing, you have the right to withdraw your consent.
Not all the rights apply in all circumstances. For more information, refer to our Data Protection pages for guidance, including on how to submit a subject access request, or contact the Data Protection Officer. Further information about your rights can also be found on the ICO’s website.
You have a right to complain to the ICO about the way your personal data is processed if you have concerns. Information on how to report concerns to the ICO is provided on their website.
Cookies are files placed on your computer to collect standard internet log information and visitor behaviour information. This helps us to understand visitor behaviour, to remember your preferences and improve user experience.
For further information about cookies you can visit knowcookies.com and to find out more about how the University uses cookies, please refer to cookie information web page.
Other websites
Our website may contain links to other websites that are outside our control and are not covered by this privacy notice. Our notice only applies to the University of Sussex’s website so when you link to other websites, you should read their own privacy policies.
Changes to our privacy notice
We keep our privacy notice under regular review and the notice was last updated on 16 July 2021.
How to contact us
If you have any questions about our privacy notice or the personal data we hold about you, you can contact the University’s Data Protection Officer by email at dpo@sussex.ac.uk or you can write to Alexandra Elliott, Data Protection Officer, University of Sussex, Sussex House, Falmer, Brighton, BN1 9RH.