Privacy notices and Record of Processing Activities

Record of Processing Activities

Why do we process personal data?

The University processes large volumes of personal data to provide administrative and support services to our students and staff; to support alumni relations and fundraising; to promote the University and recruit students; to maintain our records, accounts, and commercial activities; and to manage the overall running of the University, including maintaining our campus, to ensure the safety of our community and monitoring and evaluating performance and effectiveness.

Our lawful basis for processing personal data

We use a variety of lawful basis to support our work:               

• As a public authority we process some data on the basis that it is necessary for the performance of our tasks carried out in the public interest (‘public task’), in connection with our teaching and research activities. 
• We process personal data where it is necessary for the performance of a contract, or in order to take steps at an individual’s request prior to entering a contract. This include processing of staff and student data and may include interacting with individuals before they are enrolled as a student, as part of the admissions process, or the recruitment and hiring of staff.  
• We may also need to process personal data to comply with our legal obligations. This can include compliance and regulatory obligations, immigration obligations and safeguarding requirements, or to assist with investigations carried out by the police or other authorities. We may also process personal data for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings), for the purpose of obtaining legal advice, or when necessary for the purposes of establishing, exercising or defending legal rights. 
• In some cases, we process personal data because it is necessary for our or a third party’s legitimate interests, or in circumstances where we have specific consent to do so. Finally, in limited circumstances, we may also process personal data where it is necessary to protect a person’s vital interests (i.e. in matters of life or death) 

Whose personal data do we process?

• Students (current, prospective and unsuccessful applicants)
• Staff (current, prospective and unsuccessful applicants)
• Former staff
• Alumni
• Donors and business contacts
• Professional, statutory and regulatory bodies
• Contractors
• Visitors
• Third parties participating in research, teaching or placements
• Complainants, enquirers and persons who may be the subject of an enquiry
• Individuals captured by CCTV or photography
• Suppliers, professional advisers and consultants

What categories of personal data do we process?

• Biographical information and contact details
• Education details and student records
• Employment record and data
• Financial details
• Health and disability data
• Lifestyle and social circumstances
• Misconduct, disciplinary and grievances investigations and outcomes
• Emergency contact information
• Qualifications and professional memberships information
• Student record and academic data
• Survey/feedback information
• Vetting and barring checks
• Visual images (identification, publicity and promotions)

We may also process the following special categories of personal data:

• Racial or ethnic origin
• Political opinion
• Religious or philosophical beliefs
• Trade union membership
• Genetic data
• Biometric data (where used for the purpose of identifying a person)
• Health data
• Sex life or sexual orientation
• Criminal conviction information (where required)

Recipients of personal data

We will sometimes need to share the personal data we hold with other parties. The types of people and organisations that we may be required to share personal data with is as follows:

• Auditors
• Employers (previous and current)
• Financial organisations, debt collection and tracing agencies
• Governmental bodies including UKVI, ESFA, OfS, Inland Revenue and DSA
• Healthcare, social and welfare organisations
• Local Councils
• Official bodies requiring information for legal purposes (eg police, solicitors etc)
• Professional and regulatory bodies, including examining and accreditation bodies
• Students’ Union
• Suppliers and service providers, including consultants and professional advisers
• UCAS
• Work experience or other placement providers

Your data rights

As a data subject, you have a number of rights. You can:

• access and obtain a copy of your data via a subject access request
• require the university to change incorrect or incomplete data
• require the university to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing
• to restrict the processing of your personal data in certain ways
• to withdraw consent where we have requested and obtained your consent
• to object to certain processing of your personal data by us
• where our lawful basis is consent or performance of a contract we will allow portability of your data.

If you would like to exercise any of these rights – see our Requesting information page, or contact the data compliance team at 01273 642010 or dataprotection@brighton.ac.uk.

The right to complain to the ICO

If you are unsatisfied with the way the university has processed your personal data, or have any questions or concerns about your data please contact dataprotection@brighton.ac.uk. If we are not able to resolve the issue to your satisfaction, you have the right to apply to the Information Commissioner’s Office (ICO).

Transfers of data outside the UK

It may be necessary for us to transfer personal data outside the UK where our data processors hold servers outside the UK or where the university’s suppliers, service providers and research partners are based outside the UK.

Where we transfer personal data outside of the UK as part of these relationships, we ensure appropriate contracts or other safeguards are in place, and ensure compliance with the UK GDPR and the Data Protection Act (2018).

How long will we keep the personal data we process for?

The university only holds personal data for as long as is necessary for the purpose(s) for which it is collected and we have a detailed schedule of retention timeframes in place.

How does the university protect data?

The university takes the security of your data seriously. We have a framework of policies, procedures and training in place covering data protection, confidentiality and security and regularly review the appropriateness of the measures we have in place to keep the data we hold secure.

We will only share personal data with others when we are legally permitted to do so. When we share data with others, we put contractual arrangements and security mechanisms in place as appropriate to protect the data and to comply with our data protection, confidentiality and security standards.

The existence of automated decision making, including profiling

We will not generally use personal data for automated decision making about you as an individual, but we do we will inform you about the logic involved, including the significance and the envisaged consequences of such processing.  

Applicants and Students of BSMS

Brighton and Sussex Medical School (BSMS) is an equal partnership between the Universities of Brighton and Sussex that works with NHS organisations in the delivery of the following:

• The delivery of undergraduate and postgraduate education and training
• Medical research
• The provision of the Academic Training programme. 

Along with some of the information presented on this page, for more information on how the two universities share and process personal data, see Privacy policy - BSMS.

Privacy notices and policies

What follows are some details on our primary processing tasks. Other privacy notices exist within the university in respect of data held, you will be presented with these as and when you access services or use facilities.

Website privacy