Guide to data subject rights
This Guide explains your rights under the General Data Protection Regulation (GDPR) and the accompanying Data Protection Act 2018 in relation to personal data that is processed by the University.
Throughout this guide, the following terms have the following meaning:
“Personal data” means any data that relates to you or by which you can be identified, either directly or indirectly. It can include identifiers such as student number and email addresses.
“Special categories of personal data” means data relating to your:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Data concerning health or sex life and sexual orientation
- Genetic data
- Biometric data
- Criminal convictions.
“Processing” any operation or set of operations which is performed on personal data or sets of personal data whether or not by automated means. Examples include collection, recording, organisation storage, use, sharing and destruction of personal data.
“Profiling” means any form of automated processing intended to evaluate certain personal aspects, in particular to analyse or predict your:
- performance at work;
- economic situation;
- personal preferences;
- location; or
- We will facilitate the exercise of your rights.
- We may request additional information in order to identify you.
- We will not take any action to facilitate your request if we can demonstrate that we cannot identify you.
- Where your request is in electronic form, unless you request otherwise and where possible, the information will be provided to you in electronic form.
- We will keep you informed of any action taken by us normally within one month from your request. Where this is not possible due to complexity or number of requests, we may extend this by a further month but we will let you know within the first month if this is the case.
- Where we do not take action, we will inform you within one month of your right to complain to Information Commissioner’s Office (ICO)
- We will not charge a fee for the exercise of your rights though may charge for any additional copies of your data that you request.
- Where we can show that your request is unfounded, excessive or repetitive we may charge an administrative fee or refuse to act on your request.
To ensure that we process your data in a fair and transparent manner, when we collect data from you, unless you already have the information, you will be provided with the following information at the time of collection:
- Name of data controller and contact details
- the contact details of our Data Protection Officer
- the purposes of processing
- the legal basis of processing
- Recipients or categories of recipients
- details of data transfers outside the EU and how we make sure these are secure
- how long we will retain your data
- your rights in relation to the data
- whether there is a statutory or contractual requirement to provide the data and the consequences of not providing the data
- whether there is any automated decision making including profiling, together with logic involved and the significance and consequences of the processing for you
- your right to complain to the ICO
Unless we are under a legal duty to obtain or disclose your personal data, where we obtain your personal data not directly from you, we will make the above information available to you within a reasonable period of time or at the time we use the data to communicate with you or share the data with third parties. In most cases, we will also inform you of the sources of your personal data.
You have the right to ask us:
- To confirm that your personal data is being processed
- To access (i.e. have a copy) of that data
- To be provided with supplemental information about the processing.
The supplemental information we will provide you with is:
- The purposes of processing;
- The categories of data processed;
- The recipients, or categories of recipients (including any international transfer)
- The retention period
- Your rights of rectification, erasure, restriction or right to object
- Your right to complain to ICO
- Information regarding the source of data (if not collected directly from you)
- Any automated decision making including the logic involved and the significance and envisaged consequences of the processing.
We may not release all your data where doing so may adversely affect others. This includes trade secrets and intellectual property rights of us and others. We will consider how we can release some or all of your data to you without affecting other’s rights. Where we hold a lot of your personal data, we may ask you to specify the information or processing to which your request relates.
Where the data we hold on you is inaccurate, you may request that we rectify these inaccuracies. In certain circumstances, for example where relevant to the processing being undertaken by us, you can request that we complete any incomplete data, including providing a supplementary statement.
You have the right to have your data erased by us without undue delay if any of the following apply:
- The data is no longer necessary for the purpose for which it was collected
- The processing condition was consent (or explicit consent) and you withdraw your consent (and no other processing condition applies)
- The processing condition is legitimate interests and we cannot demonstrate that there are overriding legitimate grounds for the processing
- Where the data is otherwise unlawfully processed
- The data has to be erased to comply with EU or UK law.
Examples of when data is unlawfully processed include if we have not complied with the transparency obligations, we do not have a condition for processing, the data is not accurate and up to date or is excessive, we are processing the data for a further process which is incompatible with the purpose for which it was collected, we are failing to keep your data secure.
We may refuse to erase your data if processing is necessary:
- For the exercise of the right of freedom of expression and information
- For compliance with EU or UK laws;
- For performance of a public interest task;
- For public health reasons;
- For archival, research or statistical purposes;
- It is required for the establishment, exercise or defence of legal claims.
Where we erase your data we will notify any one to whom we have disclosed the data, unless this would be impossible or involve disproportionate effort.
Similarly, where we have made your personal data public we will take reasonable steps to inform all data controllers who are processing the data that you have requested erasure.
When data is restricted, this means that the only processing that we can carry out on your data is storing your data. We will not be able to further process your data unless:
- You consent
- The processing is necessary for the establishment, exercise or defence of legal claims
- For the protection of the rights of another natural or legal person; or
- For reasons of important EU or UK public interest.
Where we process your data by automated means, the restriction will take effect by technical means and will be noted in our IT systems. We will inform any person or organisation to whom your data has been disclosed that your data has been restricted and we will not lift the restriction without informing you in advance.
This right arises where:
- You dispute the accuracy of data. Processing will be restricted whilst we verify the data
- You object to processing on legitimate interests. Restriction will be in place whilst we verify the grounds for processing
- The processing is unlawful but you do not want your data erased
- We no longer need your data but you require the data for the purposes of legal claims.
This right applies to data meeting the following criteria:
- You have provided the personal data (this is not just data that you have provided directly but information gathered by us about you in the course of our dealings with you or generated from observation of your activities (but not inferred or derived by us, for example by use of algorithmic analysis of your behaviour)
- The personal data is held in electronic format (i.e. not in paper format)
- The processing condition for the personal data is either
- Consent and explicit consent or
- Performance of a contract
Where the above criteria are met you have the right to be provided by us with your data in a structured commonly used and machine readable format to enable you to transfer you data to another data controller. Where technically feasible we will transmit your data directly to the alternative data controller of your choice.
Your right to data portability is subject to the exercise of that right not adversely affect the rights and freedoms of others. It may not be possible for your data to be ported where your data is irrevocably interlinked with that of another data subject.
You have four specific rights to object to processing of your data:
1.Processing which is for direct marketing purposes.
You have the absolute right to object to processing of your data for direct marketing purposes. Once you do so, we will not process your data for direct marketing purposes any further.
Your right to object will be explicitly, in a clear and separate statement, brought to your attention at the latest at the time that we first communicate with you for direct marketing purposes. Where the direct marketing is done by electronic means, you will be able to exercise this right by automated means.
2.Processing for scientific/historical research/statistical purposes
You have on grounds based on your particular circumstances the right to object to the processing of your data unless the processing is necessary for the performance of a task carried out for reasons of public interest.
3.Processing based on legitimate interest grounds; and
4.Processing because it is necessary for the performance of a task carried out in the public interest or under official authority
You have the right to object based on your specific situation to processing based on the processing conditions in (3) and (4). We will then cease processing unless we can demonstrate that there are compelling grounds which override your interests or if the processing is need for the establishment exercise or defence of legal claims.
Your right to object will be explicitly, in a clear and separate statement, brought to your attention at the latest at the time that we first communicate with you when we are processing your data in the performance of a task carried out in the public interest.
You have the right not to be subject to a decision based solely on automated processing including profiling where this decision produces legal affects or significantly affects you.
This right does not apply where the decision is:
- Necessary for entering into or performing a contract between you and us;
- Authorised by EU or UK law
- Based on your explicit consent.
Where (1) or (2) apply, we will must in place suitable measures to safeguard you and at a minimum you will have the right to obtain human intervention to be able to express your view.
We will not make automated decision or profiling of your special category data without your explicit consent.
As you have seen in the section above “Your Rights”, the legal basis for processing in many cases determines the scope of your rights. There are seven conditions which the University relies upon to enable it to process your data.
1. With your consent
Your consent has to be freely given, specific, informed and unambiguous. The University will never treat silence, pre-ticked boxes or inactivity as your consent.
Some processing will require your explicit consent. This will require you to explicitly sign, tick or declare a form of words such as:
“I agree to the processing of my personal data by the University for the purposes of Y and Z”.
2. Where it is necessary for the performance of a contract we have with you
This would apply where the University provides services to you under contract, for example hiring our facilities or consultancy and non-charitable research services. As a student, you may also enter into other contracts with University during your time with us, for example for student accommodation. We will process your data to the extent necessary to perform these contracts.
3. Where it is necessary for compliance with a legal obligation to which the University is subject.
Examples of where this processing condition will be relevant are in relation to the University’s obligation as a sponsor of overseas students under UKVI rules. The University is also obliged to provide the local authority with details of students who reside in University accommodation for the purposes of council tax.
4. Where it is necessary for the performance of a task carried out in the public interest.
The University is a public authority for the purposes of some of its core activities, that of provision of education and the conduct of research.
5. Where it is necessary for the purposes of the legitimate interests pursed by University or by a third party, except where such interests are overridden by your interests or fundamental rights.
Examples of processing carried out under this condition would be:
• fraud prevention
• ensuring network and information security
• sharing your data with the Student’s union
• sharing your data with alumni.
In some cases, more than one of the above conditions will apply to the processing of your data. In those circumstances, we will usually only refer to the most applicable processing conditions in your privacy notice in order of most applicable.
6. Vital interests of you or another natural person
In very exceptional cases, it may be necessary to process your data to protect your vital interests or those of another person. Where these circumstances arise, the University will not always seek your explicit consent to the processing of special categories of personal data where you are unable physically or legally to give consent.
7. Necessary for the purposes of archiving purposes in the public interest, scientific or historical research or statistical purposes
Your data may be further processed for the above purposes. Where this is the case, the University will put in place safeguards at the technical and organisational level to ensure that data is kept to the minimum necessary that is compatible with these purposes. These measures will usually include pseudomymisation meaning that you will not be identifiable from the data without the use of additional information, which will be kept separate.