Division of General Counsel, Governance and Compliance

Data Protection

Data protection is about the fair and appropriate use of information relating to identifiable individuals. 

The University has a duty to comply with the principles and requirements of the Data Protection Act 2018, the UK's General Data Protection Regulation, and any codes of practice issued by the Information Commissioner's Office when processing personal data. Failure to do so could have significant financial, regulatory and reputational impacts for the University.   

The purpose of the University’s Data Protection Policy is to: 

  • Outline the data protection principles and define key terms; 
  • Detail the rights of data subjects;   
  • Lay out the University’s obligations under data protection legislation; and   
  • Make clear the specific responsibilities for compliance within the University.  

University point of contact: dpo@sussex.ac.uk (for queries relating to personal data breaches); GDPR@sussex.ac.uk (for general data protection queries)

Support available: Advice and guidance.

Each Faculty or PS Division should:

  • Ensure all members of staff are aware of the University’s Data Protection Policy.
  • Ensure all new members of staff undertake their mandatory Data Protection training.
  • Ensure all potential personal data related risks are identified and reported to the Data Protection team.
  • Ensure any activity that may require personal data to be processed is discussed with the Data Protection Officer to manage any risks.
  • Ensure that the policy guidance and template are used when drafting a new policy or updating an existing one.

Relevant webpage(s):

Data Protection Policy; Data Protection pages; Transferring data outside the UK; Reporting data breaches; Policies at the University

Compliance indicators:

Your Faculty or PS Division has a mechanism in place to identify when a personal data breach has occurred and report breaches to the Data Protection Officer immediately.

Your Faculty or PS Division liaises with the Data Protection Officer to ensure appropriate contractual arrangements are in place whenever an external party processes personal data on behalf of your Faculty or PS Division.

Your Faculty or PS Division liaises with the Data Protection Officer if you intend to process personal data that is likely to result in a high risk to individuals or if you are thinking of delivering any major project which requires the processing of personal data.

Your Faculty or PS Division liaises with the Data Protection Officer whenever personal data is transferred outside of the UK.

You appoint an Information Asset Owner who ensures that your Information Asset Register reflects all information assets related to all processing of personal data within your Faculty or PS Division.