The past decade has seen a marked shift in the regulatory landscape of UK higher education. Institutions are increasingly assuming responsibility for preventing campus sexual misconduct, and are responding to its occurrence through – amongst other things – codes of (mis)conduct, consent and/or active bystander training, and improved safety and security measures. They are also required to support victim-survivors in continuing with their education, and to implement fair and robust procedures through which complaints of sexual misconduct are investigated, with sanctions available that respond proportionately to the seriousness of the behaviour and its harms. This paper examines the challenges and prospects for the success of university disciplinary processes for sexual misconduct. It focuses in particular on how to balance the potentially conflicting rights to privacy held by reporting and responding parties within proceedings, while respecting parties’ rights to equality of access to education, protection from degrading treatment, due process, and the interests of the wider campus community. More specifically, we explore three key moments where private data is engaged: (1) in the fact and details of the complaint itself; (2) in information about the parties or circumstances of the complaint that arise during the process of an investigation and/or resultant university disciplinary process; and (3) in the retention and disclosure (to reporting parties or the university community) of information regarding the outcomes of, and sanctions applied as part of, a disciplinary process. We consider whether current data protection processes – and their interpretation – are compatible with trauma-informed practice and a wider commitment to safety, equality and dignity, and reflect on the ramifications for all parties where that balance between rights or interests is not struck.