The GDPR provides a range of rights for individuals when an organisation is processing their personal information. The information below explains these rights, the circumstances where these are available and how to exercise these with the College.
You will also find details on making a subject access request (right of access).
One of the principles of data protection legislation is transparency, with one of the data protection rights being the right to be informed. This means that the College must provide information to people about how their data is collected, what purpose it is used for and who it is shared with.
This information will be provided in writing, normally at the point when the personal data is being collected in a document called a privacy notice.
The College will always be transparent about what we do with people's data. You can find the main staff and student privacy notices here.
The right of access, commonly referred to as a subject access request, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why an organisation is using their personal data, and to understand if that use is lawful.
How to make a request
To make a subject access request please email data.protection@nclan.ac.uk with a description of the information requested.
How long will it normally take for a response to be made?
The College must respond to requests within one month of receipt. The clock starts ticking the day after a request was received and stops on the corresponding calendar date in the following month.
The time to respond can be extended by a further two months if the request is complex or where multiple requests have been made by the same individual. Where an extension is to be put in place, the College will let the individual know within one month of receiving their request and explain why the extension is necessary
Requests made about others
It is possible to make a subject access request via a third party. This could be a solicitor acting on behalf of a client or a parent making a request on behalf of their child. In such cases, the College will need to be satisfied that the third party making the request is entitled to act on behalf of the individual, but it is the third party’s responsibility to provide evidence of this entitlement. This might be a written authority to make the request or it might be a more general power of attorney.
Can a subject access request be refused?
Yes, where the request is fund to be manifestly unfounded or excessive, taking into account whether the request is repetitive in nature. If a request is refused, then an explanation must be given.
If personal data is inaccurate, out of date, or incomplete, individuals have the right to correct, update or complete that data. Collectively this is referred to as the right to rectification. Rectification may involve filling the gaps i.e. to have to have incomplete personal data completed – although this will depend on the purposes for the processing. This may involve adding a supplementary statement to the incomplete data to highlight any inaccuracy or claim thereof.
This right only applies to an individual’s own personal data; a person cannot seek the rectification of another person’s information.
What is the definition of inaccurate personal data?
The Data Protection Act 2018 defines inaccurate personal data as:
This may mean that opinions cannot be disputed under this right.
Refusing a request to rectification
If a request is refused then within one month of receipt of the request the College will confirm in writing the:
In certain circumstances people can ask for their personal data to be erased from the records held by organisations. However this is a qualified right; it is not absolute, and may only apply in certain circumstances.
When may the right to erasure apply?
When does the right to erasure not apply?
The right will not apply, when it is necessary for an organisation to make use of personal data for one of the following reasons:
The right to restrict processing means that an individual can limit the way that an organisation uses their personal data. This is an alternative to requesting the erasure of their data. If the right to restrict processing is available and applied, then the College can continue to retain/store personal data, however, no other use of the data can be made until such times as a restriction is lifted. In most cases a restriction will only apply for a limited time period.
When may the right to restrict apply?
When can a restriction be lifted?
Restrictions will normally be temporary when the accuracy of personal data are being contested, or when an objection to the use/processing of data has been made and an assessment of where the legitimate interest to further use may lay is being considered. Once decisions on either of those questions have been settled then a restriction can be lifted, however before doing so the College must inform the person concerned.
Refusing a request to restriction
If a request is refused then within one month of receipt the College will confirm in writing the:
Individuals have the right to get some of their personal data from an organisation in a way that is accessible and machine-readable, for example as a csv file. Associated with this, individuals also have the right to ask an organisation to transfer their personal data to another organisation. However, the right to portability:
When may the right to portability be available?
Requests can be made where:
In some circumstances, individuals have the right to object to the processing. If the College agrees to an objection, it must stop using the personal data for that purpose unless it can give strong and legitimate reasons to continue to make use of the data, despite the objections that were raised.
Individuals have an absolute right to object to an organisation using their personal data for direct marketing. Once such an objection is raised use of personal data for direct marketing purposes must stop.
When may the right to object be available?
Individuals can only object to their personal data being used by the College, where this is used for the legal basis of:
When raising an objection, an individual must give specific reasons why they are objecting to the processing of their personal data. These reasons should be based upon their particular situation.
Refusing a request to objection
If a request is refused then within one month of receipt the College will confirm in writing the:
Individuals have the right to object to automatic decision making and profiling. Presently the College does not have such processes in operation; should it do so then that will be made known in the relevant privacy notice(s).
If you have any issues with the way the College has handled your personal information, please contact the College’s Data Protection Officer in the first instance: