Data Subject Rights
Data Protection legislation provides a number of rights to data subjects. Each right is applicable in certain circumstances or conditions.
Individuals have a right to be informed about the collection and use of their data.
The right to be informed applies in almost all circumstances where personal data processing is taking place, but limited exceptions may apply. Privacy information is generally provided to individuals via a Privacy Notice.
If you would like to exercise any of the rights listed below:
Right of access
Individuals have a right to request access to and a copy of any personal data that the University holds on them, and to request details regarding that data’s use, retention and any relevant sharing of the data. Data Protection law provides a formal procedure for individuals to ask for access to and copies of their personal data. This is called a Subject Access Request (SAR).
The right of access is generally applicable with exemptions only in specific, limited circumstances.
Right to rectification
If personal data is inaccurate, out of date, or incomplete, individuals have the right to have that data corrected, updated or completed.
This right does not apply if the use or storage of the data is necessary for:
- compliance with a legal obligation, or for performance of a task carried out the in the public interest or in the exercise of official authority
- public health reasons
- for archiving in the public interest, scientific or historical research purposes or statistical purposes and erasure would seriously impair these objectives
- for the establishment, exercise, or defence of legal claims
- exercising the right of freedom of expression and information
Right to erasure
Individuals can request that their personal data is erased or destroyed. Also known as the “right to be forgotten”.
This right is applicable if:
- the data are no longer needed for the purposes for which they were collected
- consent was given to obtain the data and consent has been withdrawn
- the data subject objects to the processing and the University has no overriding legitimate grounds to keep the data
- the data has been unlawfully processed, e.g. the University cannot meet an appropriate processing condition for using/holding it
- the data must be erased to ensure compliance with a legal obligation
This right does not apply if the use or storage of the data is necessary for:
- compliance with a legal obligation, or for performance of a task carried out the in the public interest or in the exercise of official authority
- public health reasons
- for archiving in the public interest, scientific or historical research purposes or statistical purposes and erasure would seriously impair these objectives
- for the establishment, exercise or defence of legal claims
- exercising the right of freedom of expression and information
Right to restriction
Individuals can request that the use or storage of their data is restricted in a manner of the individuals’ choosing.
This right is applicable if:
- the accuracy of personal data is contested by the data subject
- the use or storage of the data is unlawful and the data subject opposes erasure
- the University no longer needs the data but the individual needs the data for the establishment, exercise, or defence of legal claims
- the individual has objected to the processing and verification of the legitimate grounds of the University to override the objection is pending
Right to data portability
Individuals have the right to both receive their personal data in a structured, commonly used and machine-readable format and to transmit those data to another organisation.
This right is applicable if:
- the data subject has provided the personal data to the controller
- the use or storage of the data is based on consent or on a contract
- the use of the data is carried out by automated means
Right to object
Individuals have the right to object at any time to the use or storage of their personal data.
This right is applicable if:
- the use or storage of the data is based on public interest tasks or legitimate interests
- the data are being used or stored for direct marketing purposes
This right does not apply if the University has compelling legitimate grounds for the use or storage of the data which either override the interests, rights, and freedoms of the individual, or are necessary for the establishment, exercise, or defence of legal claims.
Automated individual decision making, including profiling
Individuals have the right not to be subject to automated processing, including profiling.
This right is applicable if:
- the automated processing results in a decision with a legal or similarly significant effect on the individual
This right does not apply if the decisions resulting from the automated processing:
- are necessary for entering into or the performance of a contract between the individual and the University
- are authorised by UK or EU law
- are based on the individual’s explicit consent
Individuals also have the right to:
- complain to the ICO;
- appeal against a decision of the ICO;
- bring legal proceedings against a controller or processor; and
- claim compensation from a controller or processor for any damage suffered as a result of their non-compliance with UK data protection legislation.