Privacy notices and Record of Processing Activities

Record of Processing Activities

Why do we process personal data?

The University processes large volumes of personal data to enable us to communicate with and support our students, staff, alumni and others, to provide education and promote the university. Our processing activities take place across the institution, with our support departments controlling data in key areas such as academic registry, human resources, finance, information services and student operations. In addition to day-to-day business, we may process data for the prevention and detection of crime and monitoring the security of our community.

Through all stages of our data processing we remain compliant with the Data Protection Act 2018 (‘DPA’).

Whose personal data do we process?

• Students (current, prospective and unsuccessful applicants)
• Staff (current, prospective and unsuccessful applicants)
• Former staff
• Alumni
• Donors and business contacts
• Professional, statutory and regulatory bodies
• Contractors
• Visitors
• Third parties participating in research, teaching or placements
• Complainants, enquirers and persons who may be the subject of an enquiry
• Individuals captured by CCTV or photography
• Suppliers, professional advisers and consultants

What categories of personal data do we process?

• Biographical information and contact details
• Education details and student records
• Employment record and data
• Financial details
• Health and disability data
• Lifestyle and social circumstances
• Misconduct, disciplinary and grievances investigations and outcomes
• Next of kin and emergency contact information
• Qualifications and professional memberships information
• Student record and academic data
• Survey/feedback information
• Vetting and barring checks
• Visual images (identification, publicity and promotions)

We may also process the following special categories of personal data:

• Racial or ethnic origin
• Political opinion
• Religious or philosophical beliefs
• Trade union membership
• Genetic data
• Biometric data (where used for the purpose of identifying a person)
• Health data
• Sex life or sexual orientation
• Criminal conviction information (where required)

Recipients of personal data

We will sometimes need to share the personal data we hold with other parties. The types of people and organisations that we may be required to share personal data with is as follows:

• Auditors
• Employers (previous and current)
• Financial organisations, debt collection and tracing agencies
• Governmental bodies including UKVI, ESFA, OfS, Inland Revenue and DSA
• Healthcare, social and welfare organisations
• Local Councils
• Official bodies requiring information for legal purposes (eg police, solicitors etc)
• Professional and regulatory bodies, including examining and accreditation bodies
• Students’ Union
• Suppliers and service providers, including consultants and professional advisers
• UCAS
• Work experience or other placement providers

Your data rights

As a data subject, you have a number of rights. You can:

• access and obtain a copy of your data via a subject access request
• require the university to change incorrect or incomplete data
• require the university to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing
• to restrict the processing of your personal data in certain ways
• to withdraw consent where we have requested and obtained your consent
• to object to certain processing of your personal data by us
• where our lawful basis is consent or performance of a contract we will allow portability of your data.

If you would like to exercise any of these rights – see our Requesting information page, or contact the data compliance team at 01273 642010 or dataprotection@brighton.ac.uk.

Privacy notices

What follows are some details on our primary processing tasks. Other privacy notices exist within the university in respect of data held, you will be presented with these as and when you access services or use facilities.

Transfers of data outside the UK

It may be necessary for us to transfer personal data outside the UK where our data processors hold servers outside the UK or where the university’s suppliers, service providers and research partners are based outside the UK.

Where we transfer personal data outside of the UK as part of these relationships, we ensure appropriate contracts or other safeguards are in place, and ensure compliance with the UK GDPR and the Data Protection Act (2018).

How long will we keep the personal data we process for?

The university only holds personal data for as long as is necessary for the purpose(s) for which it is collected and we have a detailed schedule of retention timeframes in place.

How does the university protect data?

The university takes the security of your data seriously. We have a framework of policies, procedures and training in place covering data protection, confidentiality and security and regularly review the appropriateness of the measures we have in place to keep the data we hold secure.

We will only share personal data with others when we are legally permitted to do so. When we share data with others, we put contractual arrangements and security mechanisms in place as appropriate to protect the data and to comply with our data protection, confidentiality and security standards.

The right to complain to the ICO

If you are unsatisfied with the way the university has processed your personal data, or have any questions or concerns about your data please contact dataprotection@brighton.ac.uk. If we are not able to resolve the issue to your satisfaction, you have the right to apply to the Information Commissioner’s Office (ICO).

Privacy notices and policies

Website privacy