Rights of the Data Subject

Introduction

Under the General Data Protection Regulation (GDPR) and the Data Protection Act (2018), data subjects have certain rights in relation to how their own information is processed. Some of these rights existed previously, such as the right to rectification; some existed but have been amended, such as the right to subject access; and some are new rights bestowed upon individuals, such as the right to data portability. This document will explain how the University abides by these rights and how a data subject invokes them, where appropriate.

In most instances, a request to invoke the majority of the rights under GDPR will be made to Lancaster University’s Information Governance Manager, who is also the nominated Data Protection Officer for the University.

Role of the Data Protection Officer

GDPR mandates that organisations must appoint a Data Protection Officer (DPO) if:

  • they are a public authority;
  • they carry out large-scale systematic monitoring of individuals; or
  • they carry out large-scale processing of special categories of data or data relating to criminal convictions and offences

As a public authority (as defined under the Freedom of Information Act 2000) Lancaster University has taken a view that it is required to appoint a Data Protection Officer.

The DPO’s minimum tasks are defined in Article 39 of GDPR:

  • to inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws
  • to monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits
  • to be the first point of contact for supervisory authorities and for individuals whose data is being processed (e.g. staff, students, etc.)

Right to be informed

The right to be informed emphasises the need for transparency over how Lancaster University uses personal and special category data which it collects. The University is required to inform data subjects of why it collects information, how it will use it, who it will be shared with, how it will be safeguarded and when it will be assessed for deletion. The University is also required to inform individuals of their rights in relation to data which is processed about them.

How does Lancaster University meet this right?

Fair Processing information is available via the University’s suite of Privacy Notices.

Right of access

Individuals have a right to access their personal data and supplementary information. This right allows data subjects to be aware of and verify the lawfulness of the processing. Data subjects are entitled to:

  • confirmation that their data is being processed;
  • access to their personal data;
  • other supplementary information, such as who the data is shared with.

How does Lancaster University meet this right?

Lancaster University has a process in place to ensure that data subjects are able to exercise their legal right of access. Access requests will be complied with within 1 month of receiving confirmation of the identity of the requester (provisions allow this timescale to be extended in certain circumstances) and the right of access is free of charge in the vast majority of cases.

For further information about the right of access, please visit the University’s Subject Access web page.

Right to rectification

The right to rectification gives individuals the right to have personal data held about them rectified where it is inaccurate or incomplete.

How does Lancaster University meet this right?

In the majority of cases the University will comply with a request to rectify incorrect information within 1 month of receiving the request. Where the request for rectification is complex the University reserves the right to extend this timescale by 2 months.

Requests for rectification can be made to the University academic faculty or department which holds the data or can be made directly by contacting the University’s Information Governance Manager.

If the University has disclosed the incorrect personal data to third parties, it is obligated to inform each recipient of the rectification, unless this proves impossible or would involve disproportionate effort. If the individual requests so, the University must also inform them of any recipients of the rectified information.

Where a request for rectification is received but the University does not consider the information held to be inaccurate or incomplete, and therefore deems that no rectification is required, the Information Governance Manager will write to the individual and explain why their request for rectification is not being actioned. This correspondence will also inform the individual of their right to complain to the Information Commissioner and their right to a judicial remedy.

Right to erasure

The right to erasure is also known as the ‘right to be forgotten’. The main principle of this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for the University to continue to keep processing that information.

How does Lancaster University meet this right?

The right to erasure is not an absolute right. The right to erasure is applicable to individuals under the following, specific, circumstances:

  • where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed;
  • when the individual withdraws consent (where consent is the legal basis for processing);
  • when the individual objects to the processing and there is no overriding legitimate interest for continuing the processing;
  • the personal data was unlawfully processed (i.e. otherwise in breach of the GDPR or Data Protection Bill);
  • the personal data is processed in relation to the offer of information society services to a child.

This right is not limited to processing activities which may cause unwarranted and substantial damage or distress to an individual. However, if the processing is deemed to be causing damage or distress, this will strengthen the individual’s case for erasure.

The University can refuse to comply with a request for erasure where the personal data is processed under the following circumstances (exemptions):

  • to exercise the right of freedom of expression and information;
  • to comply with a legal obligation for the performance of a public interest task or exercise of an official authority;
  • for public health purposes in the public interest;
  • archiving purposes in the public interest, scientific research, historical research or statistical research;
  • the exercise of legal claims.

If the personal data which has been requested to be erased has been shared with third parties, then the University is obligated to inform those parties of the erasure of the information, unless this proves impossible or involves disproportionate effort.

Where the University receives a request for erasure from an individual but that information is exempt from the right to erasure, the Information Governance Manager will write to the individual and explain to them that their request will not be complied with, and explain which exemption applies.

Requests for erasure should be made directly to the University’s Information Governance Manager.

Right to restrict processing

In certain circumstances individuals can exercise their right to ‘block’ or suppress processing of their personal data. Where processing is restricted, the University will be allowed to retain the personal data but not use it in any way.

How does Lancaster University meet this right?

The University will be required to restrict the processing of personal data in the following situations:

  • Where an individual contests the accuracy of personal data, the processing of that data should be restricted until the accuracy of the data has been verified;
  • Where an individual has objected to the processing of their personal information (where it is necessary for the performance of a public task or purpose of legitimate interests), and the University is considering whether its legitimate grounds override those of the individual;
  • Where processing is unlawful and the individual opposes erasure and has requested that the processing of their personal data be restricted instead;
  • If the University no longer requires the personal information but the individual requires the data to establish, exercise or defend a legal claim.

If the personal data which has been requested to be restricted has been shared with third parties, then the University is obligated to inform those parties of the restriction of the information, unless this proves impossible or involves disproportionate effort. If the individual requests so, the University must also inform them of any recipients of the restricted information.

Requests for the restriction of processing of personal data should be made directly to the University’s Information Governance Manager (contact details are at the bottom of this page).

Should the University decide to lift the restriction on the processing of personal information, the individual concerned will be informed of this in writing by the Information Governance Manager.

Right to Data Portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows individuals to move, copy or transfer personal data from one IT environment to another in a safe and secure way, without hindrance to usability.

How does Lancaster University meet this right?

The right to data portability only applies:

  • To personal data an individual has provided to the data controller themselves;
  • Where the processing is based on the individual’s consent or for the performance of a contract;
  • When processing is carried out by automated means.

All three of the above conditions must be met before the right to data portability can be invoked.

Where the University receives a request for data portability, the information will be provided in a structured, commonly used and machine-readable form – most commonly in a CSV file. The information will be provided free of charge. The University will respond within one month of receiving a request from an individual exercising their right to data portability. The University is able to extend this timescale to two months, where the request is complex or where multiple requests have been received.

If requested by the individual, the University will transmit the information directly to another organisation. The University is only required to do this where it is technically feasible. The University will not be required to invest in new technology to ensure that the transmission is technically feasible.

Where the University does not comply with a request for data portability, the Information Governance Manager will write to the individual and explain to them that their request will not be complied with and provide an explanation why.

Requests for data portability should be made directly to the University’s Information Governance Manager.

Right to Object

Individuals have the right to object to:

  • information processing based on legitimate interests or the performance of a task in the public interest/exercise of an official authority (including profiling);
  • direct marketing (including profiling); and
  • processing for the purposes of scientific/historical research and statistics.

How does Lancaster University meet this right?

In order for an individual to exercise the right to object, the objection must have grounds relating to their particular situation. The University will cease to process personal information unless:

  • the University can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
  • the processing is for the establishment, exercise or defence of legal claims.

The University informs individuals of their right to object to processing via its suite of Privacy Notices.

Direct Marketing

Where the right to object has been exercised in relation to the University’s direct marketing activities, the processing must cease immediately, as soon as the objection is received. There are no exemptions or grounds to refuse.

Research

An individual must have grounds relating to his or her particular situation in order to exercise their right to object to the processing of their personal information for research purposes. Where the University is conducting research and the processing is necessary for the performance of a public interest task, it shall not be required to comply with an objection to the processing.

Objections to processing should be made directly to the University’s Information Governance Manager.

The University will not charge a fee to an individual who is exercising their right to object.

Where the University receives an objection to processing yet determines that the right to object does not apply, the individual concerned will be informed of this in writing by the Information Governance Manager.

Rights related to automated decision making including profiling

Individuals have the right to not be subject to a decision based solely on automated processing, including profiling, where this produces legal effects on them or affects them in a similar way.

How does Lancaster University meet this right?

Automated decision making will only be carried out where the decision is:

  • Necessary for the entry into or performance of a contract; or
  • Authorised by UK law applicable to the University; or
  • Based on the individual’s explicit consent.

Where automated decision making and/or profiling of individuals does occur, the University will:

  • inform individuals of the processing;
  • introduce simple ways for them to request human intervention in automated decision making processes;
  • secure personal data in a way that is proportionate to the risk to the interests and rights of the individual, and that prevents discriminatory effects.

Special category data will only be used to carry out automated decision making and/or profiling, where:

  • the University has the explicit consent of the individual to do so; or
  • the processing is necessary for reasons of substantial public interest.

Any proposed use of automated decision making and/or profiling will be subject to the completion of a data protection impact assessment.

Should automated decision making and/or profiling be used, the University will provide individuals whose data is processed in this way with meaningful information about the logic involved in the decision making process as well as the envisaged consequences for the individual involved. The University will also ensure that individuals can:

  • request a non-automated review of any decision made;
  • express their point of view;
  • obtain an explanation of the decision and challenge it.

If individuals believe that they have been subject to automated decision making and/or profiling at the University and would like to exercise their rights, as outlined above, in relation to their personal data, they should contact the University’s Information Governance Manager.

Information Governance Manager

Lancaster University’s Information Governance Manager and designated Data Protection Officer is:

Mike Abbotts
Information Governance Manager
Lancaster University
Bailrigg
Lancaster
LA1 4YW
United Kingdom

Email: information-governance@lancaster.ac.uk