Data Protection, Freedom of Information and Data Breach

Here you can make a request to manage your personal information, make a freedom of information request or report a data breach.

Data Protection

How to make a request to manage your personal information

The General Data Protection Regulations provide rights to individuals to manage their personal information. You can:

  • access and obtain a copy of your personal information that the University holds
  • require the University to change incorrect or incomplete information held about you
  • require the University to delete or stop processing your personal information, for example where the information is no longer necessary for the purposes of processing
  • object to the processing of your personal information where the University is relying on its legitimate interests as the legal ground for processing
  • ask the University to stop processing your personal information for a period if the information is inaccurate or there is a dispute about whether or not your interests override the organisation's legitimate grounds for processing the information

Subject Access Request Form

Use our online form to make a request to the University in relation to personal information.

To make a request under any other Data Subject Right, please contact the University’s Information Governance and Compliance team via email at To enable us to process your request as efficiently as possible, please include the right under which you are making your request in the subject line of your email.

While electronic communication is more efficient, data subject requests can also be posted to:
Information Governance and Compliance Team
University of Southampton
Building 37 Room 4015
University Road
SO17 1BJ

Authorised Agent

You can also use this form if you are acting for an individual and wish to make a request on their behalf. Applicants will also be required to provide satisfactory proof of identity. Please see the University’s Data Protection Policy.

Members of the University who submit an application electronically via their University email account will be deemed to have satisfied the requirement as to proof of identity.

The University takes the safekeeping of personal information that it holds very seriously, and applicants requesting third-party personal information (i.e. personal information concerning a person other than themselves) should be aware that such information will not be disclosed except in the limited circumstances permitted both by law and by the University’s Data Protection Policy.

If you are unhappy with the way that we have handled your personal information you can contact us or contact the Information Commissioner’s Office. See their website.

We have additional policies and guidelines concerning particular activities. If you would like further information please see our Publication Scheme.

Freedom of Information

The Freedom of Information Act 2000 gives the public the right, subject to certain exemptions enumerated in the Act, to access information held by public authorities (such as universities). It also requires such public authorities to make information available proactively through a publication scheme. The University has adopted the new Model Publication Scheme prepared and approved by the Information Commissioner.

How you can make a request for information

Any person who makes a request to the University for information not made available through the publication scheme is entitled (subject to the exemptions enumerated in the Act) to be informed in writing whether the University holds the information requested and if so, to have the information communicated to him or her.

Any request must be in writing, must state the applicant's name and an address for correspondence, and must contain a description of the information required. It must be clearly addressed to the University: the University will not respond to letters or emails which are not clearly addressed to and intended for the University. This includes emails which are sent as "blind copies" or Bcc which, following good practice, for security reasons are automatically routed to spam as a potential cyber threat.

Freedom of Information requests can be emailed to the Information Governance and Compliance Team at

Freedom of Information requests can also be posted to:'
Information Governance and Compliance Team
University of Southampton
Building 37 Room 4015
University Road
SO17 1BJ

Reviews and appeals

If you do not feel that we have dealt with your request in accordance with the requirements of Part I of the Act, you may request a review. Your request for a review should specify in what respect you do not feel that the requirements of Part I have been met. The request for a review should be to: The Chief Operating Officer, University of Southampton, Highfield, Southampton, SO17 1BJ, United Kingdom or sent by email to

The Information Commissioner is responsible for enforcing rights of access to information and the operation of the publication scheme. You may apply to the Information Commissioner in writing (FOI/EIR Complaints Resolution, Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF) or online for a decision whether, in any specified respect, your request for information has been dealt with by the University in accordance with the requirements of Part I of the Act. The Information Commissioner will not normally take action unless he is satisfied that the University's review procedures have been exhausted.

Data Breach

All data breach incidents, actual and potential must be reported immediately a data breach occurs, is threatened or is suspected. This should be done by using the Incident Report Form below or telephoning +44(0)23 8059 4684 during office hours and Security +44(0)23 8059 2811 x22811 outside office hours.

Incident Report Form

Use our Incident Report Form in the event of a data breach.

Remember that the reporting of data breach incidents is for the common good and the major concern is not to apportion blame, but to contain, then resolve the situation and prevent a future re-occurrence. Failure to report data breach incidents is a serious matter as it could leave the University exposed to repeated and more serious attacks/breaches as well as to the imposition of large fines. 

Further, certain types of breaches must be reported by the Data Protection Officer to the Information Commissioner’s Office within 72 hours of becoming aware of the breach, therefore, it is important that you contain and respond immediately to the discovery of a data breach.

Incidents which must be reported include those which:

  • pose a threat to personal data including special category (sensitive) personal data, for example, personal data sent to the wrong recipient, an unauthorised disclosure loss of portable computing equipment e.g. Laptop; Mobile phone etc containing personal data;
  • pose a threat to privacy such as hacking or attempted hacking of systems containing personal data by staff, third-parties or outsiders and attempts to obtain personal data by deception (e.g. bogus phone calls, social engineering or e-mails); Actual or attempted unauthorised entry to a secure areas housing personal data.
  • breach confidentiality obligations such as disclosure of restricted or confidential information (especially passwords or other access control data) to unauthorised personnel.