Keeping data breaches in mind while working remotely
By: Sean Armstrong
Last updated: Friday, 19 June 2020
As we adjust to new ways of working - seeing colleagues and checking shared inboxes less often - it can be easy to miss requests which need to be forwarded to other teams for handling.
The Information Management (IM) team handles several types of requests for information and personal data centrally on behalf of the University (i.e. requests dealt with under the GDPR/Data Protection Act 2018 or the Freedom of Information Act 2000), all of which are subject to statutory deadlines.
Most importantly, the timeframe for compliance starts from the point at which the request is received by the University, rather than the date on which it is forwarded to the Information Management team for handling.
As such, it is crucial that any such requests are forwarded to the IM team as urgently as possible, in order to maximise the time we have to comply – particularly as remote working and limited access to records mean that compliance may currently take longer than usual.
Here is a reminder of where requests to be handled by the IM team should be sent:
- If you receive a request marked as a Freedom of Information request, or simply a request for information held by the University which falls outside of your business as usual processes, please send this straight away to the IM team at foi@sussex.ac.uk. The University only has 20 working days to respond to these types of requests.
- If you receive any data subject requests – i.e. individuals asking for copies of their own personal data, or to exercise any of their rights under the GDPR/Data Protection Act (for example, erasure or deletion of their personal data) – please forward this to the IM team at dpo@sussex.ac.uk. The University only has one calendar month to respond to these requests.
- The Information Management team also handles requests for personal data received from third parties (police or local authorities, for example), where disclosure of information must be authorised by the University’s Data Protection Officer, Alex Elliott. These requests are always treated as urgent, and so should also be sent to dpo@sussex.ac.uk immediately for consideration.
Additionally, it is important that any personal data breaches which occur are reported to the IM team as soon as you become aware of them, so that the team can assess the severity of the breach and take any required mitigation steps as quickly as possible. If the breach is reportable to the Information Commissioner’s Office (ICO), the report must be made to the ICO by the Data Protection Officer within 72 hours (regardless of working days) of the University becoming aware of the breach.
The easiest way to report a data breach to the IM team, to ensure that they have all of the required information, is to use the breach reporting form on the University’s webpages – but you can also contact dpo@sussex.ac.uk directly.
The vast majority of personal data breaches at the University arise through the use of email, which is now being increasingly relied upon with most staff working remotely. The IM team has published some guidance relating to data protection and the use of email, which you should familiarise yourself with. Find out more about personal data breaches.
If you have any queries about any requests received, or about data breaches, please do not hesitate to contact the team on dpo@sussex.ac.uk or foi@sussex.ac.uk.