Data Protection and Data Breach

Here you can make a request to manage your personal information or report a data breach.

Data Protection

How to make a request to manage your personal information

The General Data Protection Regulations provide rights to individuals to manage their personal information. You can:

  • access and obtain a copy of your personal information that the University holds
  • require the University to change incorrect or incomplete information held about you
  • require the University to delete or stop processing your personal information, for example where the information is no longer necessary for the purposes of processing
  • object to the processing of your personal information where the University is relying on its legitimate interests as the legal ground for processing
  • ask the University to stop processing your personal information for a period if the information is inaccurate or there is a dispute about whether or not your interests override the organisation's legitimate grounds for processing the information

Subject Access Request Form

Use our online form to make a request to the University in relation to personal information.

Dyslexia assessment requests

To request a copy of your dyslexia assessment, please email The Student Hub: sedcen@soton.ac.uk

Other Data Subject Rights requests

To make a request under any other Data Subject Right, please contact the University’s Information Governance and Compliance team via email at data.protection@soton.ac.uk. To enable us to process your request as efficiently as possible, please include the right under which you are making your request in the subject line of your email.

While electronic communication is more efficient, data subject requests can also be posted to:
Information Governance and Compliance Team
University of Southampton
Building 37 Room 4015
University Road
Highfield
Southampton
SO17 1BJ

Authorised Agent

You can also use this form if you are acting for an individual and wish to make a request on their behalf. Applicants will also be required to provide satisfactory proof of identity.

Members of the University who submit an application electronically via their University email account will be deemed to have satisfied the requirement as to proof of identity.

The University takes the safekeeping of personal information that it holds very seriously, and applicants requesting third-party personal information (i.e. personal information concerning a person other than themselves) should be aware that such information will not be disclosed except in the limited circumstances permitted both by law and by the University’s Data Protection Policy.

If you are unhappy with the way that we have handled your personal information you can contact us or contact the Information Commissioner’s Office. See their website.

We have additional policies and guidelines concerning particular activities. If you would like further information please see our Publication Scheme.

Data Breach

All data breach incidents, actual and potential, must be reported immediately when a data breach occurs, is threatened or is suspected. This should be done by using the Incident Report Form below or telephoning +44(0)23 8059 4684 during office hours and Security +44(0)23 8059 2811 x22811 outside office hours.

Incident Report Form

Use our Incident Report Form in the event of a data breach.

Remember that the reporting of data breach incidents is for the common good and the major concern is not to apportion blame, but to contain, then resolve the situation and prevent a future re-occurrence. Failure to report data breach incidents is a serious matter as it could leave the University exposed to repeated and more serious attacks/breaches as well as to the imposition of large fines. 

Further, certain types of breaches must be reported by the Data Protection Officer to the Information Commissioner’s Office within 72 hours of becoming aware of the breach. It is therefore important that you contain and respond immediately to the discovery of a data breach.

Incidents which must be reported include those which:

  • pose a threat to personal data including special category (sensitive) personal data, for example, personal data sent to the wrong recipient, an unauthorised disclosure, or loss of portable computing equipment (e.g. laptop, mobile phone, etc.) containing personal data;
  • pose a threat to privacy such as hacking or attempted hacking of systems containing personal data by staff, third-parties or outsiders and attempts to obtain personal data by deception (e.g. bogus phone calls, social engineering or e-mails); actual or attempted unauthorised entry to secure areas housing personal data;
  • breach confidentiality obligations such as disclosure of restricted or confidential information (especially passwords or other access control data) to unauthorised personnel.