Privacy notices and Record of Processing Activities

Record of Processing Activities

Why do we process personal data?

The University processes large volumes of personal data to enable us to communicate with and support our students, staff, alumni and others, to provide education and promote the university. Our processing activities take place across the institution, with our support departments controlling data in key areas such as academic services, human resources, finance, information services and student operations. In addition to day-to-day business, we may process data for the prevention and detection of crime and monitoring the security of our community.

Through all stages of our data processing we remain compliant with the Data Protection Act 2018 (‘DPA’).

Whose personal data do we process?

• Students (current, prospective and unsuccessful applicants)
• Staff (current, prospective and unsuccessful applicants)
• Former staff
• Alumni
• Donors and business contacts
• Professional, statutory and regulatory bodies
• Contractors
• Third parties participating in research, teaching or placements
• Complainants, enquirers and persons who may be the subject of an enquiry
• Individuals captured by CCTV or photography
• Suppliers, professional advisers and consultants

What categories of personal data do we process?

• Biographical information and contact details
• Criminal conviction information (where required)
• Education details and student records
• Employment record and data
• Equality information
• Financial details
• Health and disability data
• Lifestyle and social circumstances
• Misconduct, disciplinary and grievances investigations and outcomes
• Next of kin and emergency contact information
• Qualifications and professional memberships information
• Student record and academic data
• Survey/feedback information
• Vetting and barring checks
• Visual images (publicity and promotions)

We may also process the following special categories of personal data:

• Racial or ethnic origin
• Political opinion
• Religious or philosophical beliefs
• Trade union membership
• Genetic data
• Biometric data (where used for the purpose of identifying a person)
• Health data
• Sex life or sexual orientation

Recipients of personal data

We will sometimes need to share the personal data we hold with other parties. The types of people and organisations that we may be required to share personal data with is as follows:

• Auditors
• Employers (previous and current)
• Financial organisations, debt collection and tracing agencies
• Governmental bodies including UKV&I, ESFA, OfS, Inland Revenue and DSA
• Healthcare, social and welfare organisations
• Local Councils
• Official bodies requiring information for legal purposes (eg police, solicitors etc)
• Professional and regulatory bodies, including examining and accreditation bodies
• Students’ Union
• Suppliers and service providers, including consultants and professional advisers
• UCAS
• Work experience or other placement providers

Your data rights

As a data subject, you have a number of rights. You can: · access and obtain a copy of your data via a subject access request

• require the university to change incorrect or incomplete data
• require the university to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing
• object to the processing of your data, in certain circumstances, for example, where the university is relying on its legitimate interests as the legal ground for processing; or for direct marketing purposes
• ask the university to stop processing data for a period if data is inaccurate or there is a dispute about whether or not your interests override the university's legitimate grounds for processing data
• withdraw your consent at any time, where we have requested and obtained your consent
• where our lawful basis is consent or performance of a contract we will allow portability of your data.

If you would like to exercise any of these rights – see our Requesting information page, or contact the data compliance team at 01273 642010 or dataprotection@brighton.ac.uk.

Transfers of data outside the UK

It may be necessary for us to transfer personal data outside the UK where our data processors hold servers in the European Economic Area (EEA) or where the university’s suppliers, service providers and research partners are based outside the EEA.

Where we transfer personal data outside of the UK as part of these relationships, we ensure appropriate contracts or other safeguards are in place, and ensure compliance with the UK GDPR and the Data protection Act (2018)

How long will we keep the personal data we process for?

The University only holds personal data for as long as is necessary for the purpose(s) for which it is collected and we have a detailed schedule of retention timeframes in place.

How does the university protect data?

The university takes the security of your data seriously. It has internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties.

The right to complain to the ICO

If you are unsatisfied with the way the university has processed your personal data, or have any questions or concerns about your data please contact dataprotection@brighton.ac.uk. If we are not able to resolve the issue to your satisfaction, you have the right to apply to the Information Commissioner’s Office (ICO).

Privacy notices and policies

Website privacy