New College Lanarkshire is committed to protecting the data protection rights of individuals who entrust us with their personal data. We take our responsibility seriously to ensure that all data is secure and protected in line with the law.
Our Data Protection Policy outlines our commitment to transparency, accountability and compliance with both the UK General Data Protection Regulation and the Data Protection Act 2018.
You can read our Privacy Notices here. These notices explain how we process your personal data.
For information on your rights in relation to your personal data, including how to make a subject access request, please see below your Data Subject Rights.
The UK GDPR provides a range of rights for individuals when an organisation is processing their personal data. The information below explains these rights, the circumstances where these are available and how to exercise these with the College.
We must respond to all rights requests within one month of receipt. The time to respond can be extended by a further two months if the request is complex or where you have made multiple requests. Where an extension is to be put in place, we will let you know within one month of receiving the request and explain why the extension is necessary.
Where you make a request by email, we will normally respond by email unless you request otherwise.
Requests to exercise rights are normally free of charge however where a request is manifestly unfounded or excessive (e.g. repetitive requests) we may:
charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
refuse to act on the request.
Where the College has reasonable doubts concerning the identity of an individual making the request, we may request additional information to confirm their identity before progressing.
The rights below are not absolute; they apply in certain circumstances and are subject to exemptions.
One of the principles of data protection legislation is transparency, with one of the data protection rights being the right to be informed. This means that the College must provide information to people about how their data is collected, what purpose it is used for and who it is shared with.
This information will be provided in writing, normally at the point when the personal data is being collected in a document called a privacy notice.
The College will always be transparent about what we do with people's data. You can find the main staff and student privacy notices here.
The right of access, commonly referred to as a subject access request, gives you the right to obtain a copy of your personal data as well as other supplementary information.
How to make a request
We ask for requests to be put in writing by emailing firstname.lastname@example.org. This allows you to keep a record of the request you have made to the College.
You can also make a request via the phone by contacting our Data Protection Officer – 0300 555 8080
You should include the following information to help us identify you and understand your request:
Your name (please specify if we will have known you by a different name)
Any other relevant information that would allow the College to identify you e.g., student number, course, payroll number
Your current contact details (to allow us to contact you for any clarification)
What your request is for, by describing the data you would like a copy of, in as much detail as possible
Requests made about others
It is possible to make a subject access request via a third party. This could be a solicitor acting on behalf of a client or a parent making a request on behalf of their child. In such cases, the College will need to be satisfied that the third party making the request is entitled to act on behalf of the individual, but it is the third party’s responsibility to provide evidence of this entitlement. This might be a written authority to make the request, or it might be a more general power of attorney.
If personal data is inaccurate, out of date, or incomplete, you have the right to correct, update or complete that data. Collectively this is referred to as the right to rectification. Rectification may involve filling the gaps i.e. to have to have incomplete personal data completed – although this will depend on the purposes for the processing. This may involve adding a supplementary statement to the incomplete data to highlight any inaccuracy or claim thereof.
This right only applies to an individual’s own personal data; a person cannot seek the rectification of another person’s information.
What is the definition of inaccurate personal data?
The Data Protection Act 2018 defines inaccurate personal data as “incorrect or misleading as to any matter of fact”
What about opinions?
Opinions are, by their very nature, subjective, and it can be difficult to conclude that the record of an opinion is inaccurate. As long as the record shows clearly that the information is an opinion and, where appropriate, whose opinion it is, it may be difficult to say that it is inaccurate and needs to be rectified.
In certain circumstances people can ask for their personal data to be erased from the records held by organisations. However this is a qualified right; it is not absolute, and may only apply in certain circumstances.
When may the right to erasure apply?
When the personal data is no longer necessary for the purpose for which it was originally collected or processed for.
If consent was the lawful basis for processing personal data and that consent has been withdrawn. The College relies on consent to process personal data in very few circumstances.
The College is relying on legitimate interests as a legal basis for processing personal data and an individual has exercised the right to object and it has been determined that the College has no overriding legitimate grounds to refuse that request.
Personal data are being processed for direct marketing purposes e.g. a person’s name and email address, and the individual objects to that processing.
There is legislation that requires that personal data are to be destroyed.
When does the right to erasure not apply?
The right will not apply, when it is necessary for an organisation to make use of personal data for one of the following reasons:
to exercise the right of freedom of expression and information.
to comply with a legal obligation e.g. tax legislation requires that certain financial records are kept for a number of years.
for the performance of a task carried out in the public interest or in the exercise of official authority.
for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing.
for the establishment, exercise or defence of legal claims.
The right to restrict processing means that you can limit the way that the College uses your personal data, in certain circumstances. If the right to restrict processing is available and applied, then the College can continue to retain/store personal data, however, no other use of the data can be made until such times as a restriction is lifted. In most cases a restriction will only apply for a limited time period.
When may the right to restrict apply?
You contest the accuracy of your personal data and the College then needs to verify the accuracy of that data.
the data has been unlawfully processed i.e. there is no lawful basis available that can be applied to validate the College’s use of that personal data, and you do not wish for your data to be erased and requests the right of restriction as an alternative.
the College no longer needs the personal data, but you need the data to be retained in order to establish, exercise or defend a legal claim
you have exercised your right to object (see below) and the College is in the process of considering whether there are legitimate grounds that would allow for the right to object to be refused.
When can a restriction be lifted?
Restrictions will normally be temporary when the accuracy of personal data are being contested, or when an objection to the use/processing of data has been made and an assessment of where the legitimate interest to further use may lay is being considered. Once decisions on either of those questions have been settled then a restriction can be lifted, however before doing so the College must inform the person concerned.
Individuals have the right to get some of their personal data from an organisation in a way that is accessible and machine-readable, for example as a csv file. Associated with this, individuals also have the right to ask an organisation to transfer their personal data to another organisation. However, the right to portability:
only applies to personal data which a person has directly given to the College in electronic form; and
onward transfer will only be available where this is “technically feasible”.
When may the right to portability be available?
Requests can be made where:
personal data have been made available to the College in electronic form under the legal basis of consent or contract; and
the personal data are processed by automated means i.e. paper files/records are excluded from this right.
In some circumstances, you have the right to object to the processing of your personal data. If the College agrees to an objection, it must stop using the personal data for that purpose unless it can give strong and legitimate reasons to continue to make use of the data, despite the objections that were raised.
You have an absolute right to object to the use of your personal data for the purposes of direct marketing.
When may the right to object be available?
You can only object to your personal data being used by the College, where this is used for the legal basis of:
a task carried out in the public interest
the College’s legitimate interests
scientific or historical research, or statistical purposes
When raising an objection (except for direct marketing), you must give specific reasons why you are objecting to the processing of your personal data. These reasons should be based upon your particular situation.
Individuals have the right to object to automatic decision making and profiling. Presently the College does not have such processes in operation; should it do so then that will be made known in the relevant privacy notice(s).
If you have any concerns with the way we handle your personal data or would like to exercise any of your rights, please contact the College’s Data Protection Officer - Lorna Miller