Staff obligations - rights
Individuals' Rights
The General Data Protection Regulation (GDPR) sets out a number of other rights for individuals aside from the right of access.
Individuals are therefore entitled to exercise these rights, and the University must handle these requests accordingly.
Staff must be able to identify requests promptly and pass these through to the Information Governance Office.
Right to be informed
Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
The University must provide individuals with information including the purposes for processing their personal data, our retention periods for that personal data, and who it will be shared with. This is known as ‘privacy information’.
We must provide privacy information to individuals at the time we collect their personal data from them. Should we obtain personal data from other sources, we must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.
The information we provide to individuals must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.
Getting the right to be informed correct will help the University to comply with other aspects of the GDPR and build trust with people. Getting it wrong can leave us open to fines and lead to reputational damage for the University.
Right to rectification
The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.
Individuals can make a request for rectification verbally or in writing and the University will have one calendar month to respond to a rectification request.
There are certain circumstances when we can refuse a request for rectification.
This right is closely linked to the University's obligation to process data accurately, so it is important that we comply with that obligation. Requests for rectification may also increase should we not keep accurate records.
Right to erasure
The GDPR introduces the right to erasure. This will be known as ‘the right to be forgotten’.
Individuals will be able to make a right to be forgotten request both in writing and verbally. The University will have one calendar month to respond to a request.
This is not an absolute right and it will only apply in certain circumstances. However, staff must ensure that these requests are identified promptly and passed to the Information Governance Office to handle.
Right to restrict processing
Individuals will also have a right to request the restriction or suppression of their personal data. As with the right to be forgotten, this is not an absolute right and will only apply in certain circumstances.
Individuals will be able to make a request to restrict processing both in writing and verbally. The University will have one calendar month to respond to a request.
Should we restrict processing for an individual, the University will be able to store the information but we will not be able to use it.
Right to data portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
It allows individuals to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
Doing this enables individuals to take advantage of applications and services that can use this data to find them a better deal or help them understand their spending habits.
The right of portability only applies to information an individual has provided to the University.
Some organisations in the UK already offer data portability through ‘midata’ and similar initiatives which allow individuals to view, access and use their personal consumption and transaction data in a way that is portable and safe.
Right to object
The GDPR gives individuals a right to object to the following:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics.
Individuals must have 'grounds relating to his or her particular situation' in order to exercise their right to object to processing for research purposes.
If you are conducting research where the processing of personal data is necessary for the performance of a public interest task, we may not be required to comply with an objection to the processing.
The University must offer individuals a right to object online.
If an individual wishes to exercise any of the above rights then they can do so by emailing the Information Governance Office.
Alternatively they can be pointed to our online form on our public-facing pages.