Information Governance and Security
Data Subject Rights
The GDPR introduces a few additional rights for data subjects as well as continuing and/or updating some existing DPA rights:
Right to be Informed
Keele's obligation to be 'transparent' in telling the data subject how we deal with their personal data is also encompassed within the data subject's right to be informed. This right mirrors the requirements of our Privacy Notices and includes being told:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
In practice we should tell the data subjects at the time we collect or obtain their personal data from them (or in the case of data obtained from another source, within a reasonable time of obtaining that data).
Right of Access (Subject Access)
Individuals have the right to access their personal data and supplementary information and receive a response from the University within 30 days of submitting a written request. The right of access allows individuals to be aware of and verify the lawfulness of the processing.
Right to rectification
Individuals have the right to correct their personal data if it is inaccurate or incomplete. The University must make any needed amendments within one month and inform any third parties it has shared the data with.
Right to erasure
Individuals have the right to request that their personal data is removed, so long as there is no compelling reason for it to continue to be processed. This right is not an absolute right to 'be forgotten'; individuals can have personal data erased or prevent its processing in the following circumstances:
- Where their personal data is no longer necessary for the purpose for which it was originally collected/processed.
- When they withdraw consent.
- When they object to the processing and there is no ‘legitimate interest’ for the University to continue the processing.
- Where their personal data was unlawfully processed.
- When their personal data has to be erased in order to comply with a legal obligation.
- Where their personal data is processed in relation to the offer of information society services to a child.
The University can refuse a request for erasure for the following reasons:
- To exercise the right of freedom of expression and information.
- To comply with a legal obligation or for the performance of a public interest task or exercise of official authority.
- For public health purposes in the public interest.
- For archiving purposes in the public interest, scientific research, historical research, or statistical purposes.
- The exercise or defence of legal claims.
Right to restrict processing
Individuals have the right to restrict the processing of their personal data so that it may continue to be held but no longer processed.
The University will restrict processing in the following circumstances:
- If an individual contests the accuracy of the data.
- Where an individual has objected to the processing of personal data where the University has a legitimate interest.
- When processing is unlawful but an individual opposes erasure and requests restriction instead.
- Where the University no longer needs the personal data but the individual requires it to establish, exercise or defend a legal claim.
Right to data portability
Individuals have the right to obtain their personal data in an easily transferable format to reuse for their own purposes.
This right only applies:
- To personal data they provided to the University;
- Where processing is based on consent or for the performance of a contract; and
- When processing is carried out by automated means.
Individuals can request that this data be provided to them in an open format, such as a CSV file, or that it be transferred directly to another organisation if this is technically feasible.
Right to object
Individuals have the right to object at any time to the processing of their personal data for the purposes of direct marketing; processing based on ‘legitimate interests’; or processing for research or statistical purposes.
This right relates only to the three specific purposes for processing detailed below; there is no right to object to processing in general.
- Processing for the purposes of direct marketing – this is an absolute right and the University must cease processing an individual's personal data for direct marketing following receipt of their objection.
- Processing based on legitimate interests – an individual must have grounds relating to their particular situation in order to object to their personal data being processed for this purpose. The University must stop processing their data unless it can demonstrate compelling legitimate grounds which override the individual's interests, rights and freedoms.
- Processing for research or statistical purposes – an individual must have grounds relating to their particular situation in order to object to their personal data being processed for this purpose. If the research being conducted requires the processing of their personal data for the performance of a public interest task, the University is not required to comply with an objection.
Rights related to automated decision making, including profiling
Individuals have the right not to be subjected to a decision that is based on automated processing which results in a legal impact upon them.
In such a circumstance the University must ensure that individuals are able to have human intervention in the decision, express their views and receive an explanation of the decision so that they may challenge it.
This right does not apply if a decision does not have a legal effect upon an individual, or if a decision:
- Is necessary for entering into, or performance of, a contract between an individual and the University.
- Is authorised by law, for example for the purpose of fraud prevention.
- Is based on explicit consent.
If the University at any point uses automated processing for the purposes of profiling it must ensure that this process is fair and transparent, use appropriate mathematical procedures, take steps to minimise the risk of errors and secure the personal data to prevent any discriminatory effects.
Some rights apply at all times, such as the right of access, while the availability of other rights depends on the basis of processing used by the University, as shown below: