Data Subject Rights

One of the principles of data protection legislation is transparency, with one of the data protection rights being the right to be informed. This means that the College must provide information to people about how their data is collected, what purpose it is used for and who it is shared with.

This information will be provided in writing, normally at the point when the personal data is being collected in a document called a privacy notice.

The College will always be transparent about what we do with people's data. You can find the main staff and student privacy notices here.

The right of access, commonly referred to as a subject access request, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why an organisation is using their personal data, and to understand if that use is lawful.

How to make a request

To make a subject access request please email data.protection@nclan.ac.uk with a description of the information requested.

How long will it normally take for a response to be made?

The College must respond to requests within one month of receipt. The clock starts ticking the day after a request was received and stops on the corresponding calendar date in the following month.

The time to respond can be extended by a further two months if the request is complex or where multiple requests have been made by the same individual. Where an extension is to be put in place, the College will let the individual know within one month of receiving their request and explain why the extension is necessary

Requests made about others

It is possible to make a subject access request via a third party. This could be a solicitor acting on behalf of a client or a parent making a request on behalf of their child. In such cases, the College will need to be satisfied that the third party making the request is entitled to act on behalf of the individual, but it is the third party’s responsibility to provide evidence of this entitlement. This might be a written authority to make the request or it might be a more general power of attorney.

Can a subject access request be refused?

Yes, where the request is fund to be manifestly unfounded or excessive, taking into account whether the request is repetitive in nature. If a request is refused, then an explanation must be given. 

If personal data is inaccurate, out of date, or incomplete, individuals have the right to correct, update or complete that data. Collectively this is referred to as the right to rectification. Rectification may involve filling the gaps i.e. to have to have incomplete personal data completed – although this will depend on the purposes for the processing. This may involve adding a supplementary statement to the incomplete data to highlight any inaccuracy or claim thereof.

This right only applies to an individual’s own personal data; a person cannot seek the rectification of another person’s information.

What is the definition of inaccurate personal data? 

The Data Protection Act 2018 defines inaccurate personal data as:

• ““inaccurate”, in relation to personal data, means incorrect or misleading as to any matter of fact.”
• “Opinions are, by their very nature, subjective, and it can be difficult to conclude that the record of an opinion is inaccurate. As long as the record shows clearly that the information is an opinion and, where appropriate, whose opinion it is, it may be difficult to say that it is inaccurate and needs to be rectified.”

This may mean that opinions cannot be disputed under this right.

Refusing a request to rectification 

If a request is refused then within one month of receipt of the request the College will confirm in writing the:

• reasons for refusal
• right to make a complaint to the ICO
• ability to seek to enforce this right through a judicial remedy.

In certain circumstances people can ask for their personal data to be erased from the records held by organisations. However this is a qualified right; it is not absolute, and may only apply in certain circumstances.

When may the right to erasure apply? 

• When the personal data is no longer necessary for the purpose for which it was originally collected or processed for.
• If consent was the lawful basis for processing personal data and that consent has been withdrawn. The College relies on consent to process personal data in very few circumstances.
• The College is relying on legitimate interests as a legal basis for processing personal data and an individual has exercised the right to object and it has been determined that the College has no overriding legitimate grounds to refuse that request.
• Personal data are being processed for direct marketing purposes e.g. a person’s name and email address, and the individual objects to that processing.
• There is legislation that requires that personal data are to be destroyed.

When does the right to erasure not apply? 

The right will not apply, when it is necessary for an organisation to make use of personal data for one of the following reasons:

• to exercise the right of freedom of expression and information.
• to comply with a legal obligation e.g. tax legislation requires that certain financial records are kept for a number of years.
• for the performance of a task carried out in the public interest or in the exercise of official authority.
• for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing.
• for the establishment, exercise or defence of legal claims.

The right to restrict processing means that an individual can limit the way that an organisation uses their personal data. This is an alternative to requesting the erasure of their data. If the right to restrict processing is available and applied, then the College can continue to retain/store personal data, however, no other use of the data can be made until such times as a restriction is lifted. In most cases a restriction will only apply for a limited time period.

When may the right to restrict apply? 

• a person contests the accuracy of their personal data and the College then needs to verify the accuracy of that data.
• the data has been unlawfully processed i.e. there is no lawful basis available that can be applied to validate the College’s use of that personal data, and the person concerned does not wish for their data to be erased and requests the right of restriction as an alternative.
• the College no longer needs the personal data, but an individual needs their data to be retained in order to establish, exercise or defend a legal claim e.g. this could apply to CCTV footage.
• an individual has exercised their right to object (Article 21(1) GDPR) (see below) and the College is in the process of considering whether there are legitimate grounds that would allow for the right to object to be refused.

When can a restriction be lifted? 

Restrictions will normally be temporary when the accuracy of personal data are being contested, or when an objection to the use/processing of data has been made and an assessment of where the legitimate interest to further use may lay is being considered. Once decisions on either of those questions have been settled then a restriction can be lifted, however before doing so the College must inform the person concerned.

Refusing a request to restriction

If a request is refused then within one month of receipt the College will confirm in writing the:

• reasons for refusal
• right to make a complaint to the ICO
• ability to seek to enforce this right through a judicial remedy.

Individuals have the right to get some of their personal data from an organisation in a way that is accessible and machine-readable, for example as a csv file. Associated with this, individuals also have the right to ask an organisation to transfer their personal data to another organisation. However, the right to portability:

• only applies to personal data which a person has directly given to the College in electronic form; and
• onward transfer will only be available where this is “technically feasible”.

When may the right to portability be available? 

Requests can be made where:

• personal data have been made available to the College in electronic form under the legal basis of consent or contract; and
• the personal data are processed by automated means i.e. paper files/records are excluded from this right.

In some circumstances, individuals have the right to object to the processing. If the College agrees to an objection, it must stop using the personal data for that purpose unless it can give strong and legitimate reasons to continue to make use of the data, despite the objections that were raised.

Individuals have an absolute right to object to an organisation using their personal data for direct marketing. Once such an objection is raised use of personal data for direct marketing purposes must stop.

When may the right to object be available? 

Individuals can only object to their personal data being used by the College, where this is used for the legal basis of:

• a task carried out in the public interest
• the College’s legitimate interests
• scientific or historical research, or statistical purposes
• direct marketing.

When raising an objection, an individual must give specific reasons why they are objecting to the processing of their personal data. These reasons should be based upon their particular situation.

Refusing a request to objection

If a request is refused then within one month of receipt the College will confirm in writing the:

• reasons for refusal
• right to make a complaint to the ICO
• ability to seek to enforce this right through a judicial remedy.

Individuals have the right to object to automatic decision making and profiling. Presently the College does not have such processes in operation; should it do so then that will be made known in the relevant privacy notice(s).