Data Governance
The University of Suffolk has to comply with the UK General Data Protection Regulations (UK GDPR) which is tailored by the Data Protection Act 2018.
Under these regulations we have a duty to protect any personal data that we hold about you. This legislation relates to the processing of personal data about identifiable, living individuals. Under this legislation there are requirements which the University has to comply with for the processing of data, ensuring that the rights of individuals are protected and placing duties upon those who decide how and why such data is processed.
The Data Governance Team is your first port of call for all your questions regarding data governance. A snapshot of the areas in which we can assist you is as follows:
- Freedom of Information Requests (FOI)
- Subject Access Requests (SAR)
- Data Protection Impact Assessments (DPIA)
- Data Breaches (internal and external)
- Data Retention
- Data Sharing Agreements
- Advice and Guidance on Data Protection Matters
- Complaints about how personal information is used
For more information, please view our Data Management Policy and Data Security Policy or contact us on datagovernance@uos.ac.uk.
Applicable Data Protection Legislation
The Data Protection Act 2018 (UK), the General Data Protection Regulation (GDPR) ((EU) 2016/679), and any other relevant data protection laws.
Consent
Freely given, specific, informed, and unambiguous agreement by the Data Subject.
Data Breach
A breach involving destruction, loss, alteration, unauthorised disclosure, or access to personal data.
Data Controller
An individual or organisation that determines the purpose and means of processing personal data.
Data Protection Impact Assessment (DPIA)
A process to identify and reduce risks associated with data processing activities.
Data Processor
An entity that processes personal data on behalf of a Data Controller.
Data Protection Officer (DPO)
A role responsible for monitoring and ensuring compliance with data protection laws.
Data Subject
An identified or identifiable living individual about whom personal data is held.
Data Subject Rights
Rights granted to Data Subjects, including access to, correction of, and deletion of their personal data.
Personal Data
Information identifying or potentially identifying a Data Subject. It includes “Special Categories” of sensitive data and pseudonymised data but excludes fully anonymised data.
Special Categories of Personal Data
Sensitive personal data revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, health, sexual life, sexual orientation, biometric or genetic data, or criminal convictions.
Processing
Any action involving personal data, including collection, recording, storage, use, modification, transfer, and deletion.
Privacy Notices
Statements provided to Data Subjects explaining how their personal data is used, tailored to specific contexts (e.g., employees or specific activities).
Pseudonymised Data
Data modified so individuals cannot be identified without additional, separately stored information.
Third Party
Any individual or entity other than the Data Subject and the Data Controller.
Under the Freedom of Information Act 2000, the University of Suffolk has to ensure that it makes certain information publicly available through a Publication Scheme. This scheme is a clear and structured way of presenting all of the information that it is obligated to provide.
The University's Publication Scheme covers:
- Who we are and what we are about
- What we spend and how we spend it
- What our priorities are and how we are doing
- How we make our decisions
- Our Policies and Procedures
- Lists and registers
- The services we offer
- Student charter
Our Publication Scheme is in line with the guidelines issued by the Information Commissioner's Office (ICO).
In most cases, copies of these documents will be available in hard copy upon request. However, the University does reserve the right to restrict some documents from being obtainable in this format. The Published Information Group chaired by the Director of External Relations meets regularly to review the information available through the scheme and ensures updates take place where and when necessary.
Please view our privacy notices below:
- Enquirers Privacy Notice
- Student and Applicant Privacy Notice
- Employees & Other Workers Privacy Notice
- Alumni Relations and Development Privacy Notice
- Privacy policy for student and staff profiles
- Student Life privacy notice
- Privacy Notice for Graduation
- June 2025 Privacy Notice Post Graduate Surveys
- Photography and Film Privacy Statement
- Use Control of CCTV
- Privacy Notice ICA
- Privacy Notice for University of Suffolk Car Park Permit Holders
Subject Access Requests
You have the right to ask whether we are using or storing your personal information. You can also ask for copies of your personal information.
This is called the right of access and is commonly known as making a Subject Access Request (SAR). Before you submit a request it may help to read our Subject Access Request Guidance in addition to guidance provided by Information Commissioner's Office on requesting your personal data.
You can submit a SAR using the SAR online form.
Under the UK General Data Protection Regulations (UK GDPR) a response will be issued within one calendar month upon receipt of the request. Please ensure you provide two scanned copies of identification which can be sent to datagovernance@uos.ac.uk. The time limit of one calendar month is paused until ID is received and verified. We may need to contact you to seek further clarity and information on the request.
Freedom of Information
Under the rights established by the Freedom of Information Act 2000, any individual from anywhere in the world has the right to request access to any recorded information being held by the University of Suffolk. It should be noted, however, that some categories of information are exempt and will not be passed on - personal information, for example.
Please note that all information on the University of Suffolk website is provided free of charge. Other information may be provided free of charge, but we reserve the right to make an administrative charge if necessary.
We have made a lot of information available in the Publication Scheme webpages. Please check if the information you require is here before you make an information request.
How to make an information request
The University has a code of practice to outline what it does to meet its freedom of information obligations under the FoIA. You can submit a Freedom of Information request using the FOI online form and we will endeavour to provide a response within 20 working days.
What to do if you are dissatisfied with a response
If you are dissatisfied with any aspect of the response you receive, you may ask the University of Suffolk to conduct an internal review. Requests for internal review should be submitted using the Internal Review Form or by emailing Data Governance.
This process is available for anyone wishing to appeal our decision or the process used in answering a request made under one of the following pieces of legislation:
- Data Protection Act 2018 and GDPR (General Data Protection Regulations)
- The Freedom of Information Act 2000
- The Environmental Information Regulations 2004
This process should only be used in conjunction with information requests and should not be used for any other appeal or complaint.
Your request should be made within 40 working days after receipt of our response. Unless there are extenuating circumstances, requests made more than 40 days after the response will not be considered.
If your request for a review of our response, or handling of this, is not resolved to your satisfaction, you have the right of appeal to the Information Commissioner for a decision. Before doing so, you must exhaust this Internal Review Process.
The Information Commissioner’s Office can be contacted as follows:
The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
www.ico.org.uk / casework@ico.org.uk
Data Protection Complaints
Under the new Section 164A of the Data Protection Act 2018 (as amended by the Data Use and Access Act 2025), data controllers must facilitate the making of complaints by providing appropriate mechanisms, such as an electronic complaint form. The University of Suffolk has introduced the Data Protection Complaints Form.
Process Overview
- Those who are dissatisfied with how their personal data has been handled must first raise their complaint directly with the University.
- Only after receiving a response may the individual escalate the matter to the Information Commissioner's Office (ICO).
- Complaints must be acknowledged within 30 days of receipt.
- The University must take “appropriate steps” to investigate the complaint without undue delay, which includes:
  - Making reasonable enquiries into the subject matter, and
  - Keeping the complainant informed of progress.
- Once concluded, the complainant will be notified of the outcome via the contact details provided on the form.
Data Protection Internal Review
If individuals are dissatisfied with our response to a request for information they may request an internal review either in writing or by using the Internal Review Request.
This may apply where:
- The requester believes information was withheld or that more information is held
- Our response was delayed
- The requester disagrees with how their request was interpreted
- An unreasonable fee was charged
- We have not complied with the regulations in some way
Internal Review Overview
- Those who are dissatisfied with an outcome of an information request must first raise their concern with the University.
- Only after receiving a response may the individual escalate the matter to the Information Commissioner's Office (ICO).
- Acknowledgement will be issued upon receipt.
- The University aims to complete an internal review in 20 working days unless clarification of the review is required.
- If more time is needed due to complexity, the requester will be informed and provided with reasons for the delay.
- The outcome will be communicated to the requester via email.
- The investigation will be undertaken, wherever possible, by somebody other than the person who issued the initial response.
Changed Circumstances
When conducting a review, the University must consider the circumstances at the time of the original request (or at the end of the statutory time limit).
If circumstances have since changed and the information can now be released, where applicable this will be shared.
If the requester remains dissatisfied with the outcome, they may refer to the Information Commissioner’s Office (ICO) for an independent assessment. However, the ICO encourages individuals to contact the University first, as many concerns can be resolved directly without the need for ICO intervention. 
Privacy Notice
The University of Suffolk is committed to protecting your personal data and respecting your privacy. This notice explains how we collect, use, and safeguard your information when you submit a data protection complaint or internal review.
What Data We Collect
- Name and contact details
- Nature and description of the incident
- Supporting evidence (optional)
Lawful Basis for Processing
- Legal Obligation: To comply with the Data Use and Access Act 2025 and other legislation.
- Public Task: To investigate and respond to complaints in the public interest.
- Consent: For optional information you choose to provide.
Monitoring
All complaints and internal reviews are recorded and tracked within the University’s case management and monitoring systems.
Retention Period
Complaints, internal reviews, and associated data are retained for two years from resolution, in accordance with the University’s retention schedule and legal obligations.
Data Protection and Security
- Stored securely with restricted access
- Shared only when legally required
- Access limited to authorised personnel involved in complaint handling
Your Rights
Under the DUAA and UK GDPR, you have the right to:
- Access your personal data
- Request correction or deletion
- Object to processing
- Lodge a complaint with the Information Commission
Please note this process and form are intended solely for matters relating to Data Protection. If your enquiry concerns Student Appeals, Complaints, or Conduct cases, please refer to the OSACC procedures and policies available here
All staff are expected to complete the University’s online Data Protection training module. The module is mandatory for anyone who has direct responsibility for handling data.