How to handle requests for personal data
By: Sean Armstrong
Last updated: Wednesday, 20 January 2021
It is crucial that the University safeguards the personal data it holds to ensure compliance with the Data Protection Act 2018. Personal data is defined as ‘any information relating to an identified or identifiable living individual.’
There may be instances when you receive requests from individuals or third parties to disclose/provide personal data held by the University and it is important that such requests are handled correctly:
- Any request received from an individual for a copy of their own personal data, or from a third party acting on behalf of an individual (e.g. a solicitor or an insurer), should be dealt with by the University’s Information Management team and sent to dpo@sussex.ac.uk immediately upon receipt. These requests, called ‘subject access requests’, have statutory deadlines, and the ‘clock’ starts from the point of initial receipt by the University.
- Any request received from a third party such as the police or local authorities must also be dealt with by the University’s Information Management team and should also be sent directly to dpo@sussex.ac.uk for handling. No data should be disclosed in the meantime; this includes, for instance, confirmation that an individual is a student/staff member. The Information Management team will ensure that the correct process is followed in responding to these requests.
- Requests for personal data which fall within ‘business as usual’ processes (i.e. make up part of usual day-to-day work), such as requests for transcripts or standard reference requests, can be handled by the relevant teams and do not need to be sent to the Information Management team. However, all processing (including disclosure) of personal data requires a legal basis, and in cases where consent is the basis for processing, the University needs to be assured that the appropriate consent has been obtained.
The Information Management team has published a number of guidance pages relating to handling and disclosing personal data, in particular guidance on disclosure of student data, but should you ever be unsure of how to proceed, please do not hesitate to contact the team for assistance at: dpo@sussex.ac.uk.