Data Subject Rights
Data subjects enjoy the following rights:
- The right to be informed: Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement which is usually satisfied by the provision of a privacy noticeLink opens in a new window at the point the personal data is collected by the University. A privacy notice should be given whether we receive personal data directly from an individual or indirectly from someone else.
- The right of access ("subject access requests"): Individuals have the right to access a copy of their personal data.
- The right to rectification: Individuals have the right to have inaccurate personal data rectified, or completed if it is incomplete. This right is closely linked to the accuracy principle.
- The right to erasure ("the right to be forgotten"): Individuals have the right, in certain circumstances, to have their personal data erased.
- The right to restrict processing: Individuals have the right to request the restriction or suppression of their personal data in certain circumstances.
- The right to data portability: Individuals have the right to obtain and reuse their personal data for their own purposes across different services. This right allows individuals to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without it affecting the usability.
- The right to object: Individuals have the right to object to the processing of their personal data in certain circumstances, including an absolute right to stop their data being used for direct marketing.
- The right not to be subject to decisions based solely on automated decision making and profiling.
- The right to be notified of data breaches: Individuals have the right to be told about certain personal data breaches that pose a high risk of harm to them. Individuals will be told, at least, the consequences of the breach for them, what the University is doing to address the breach, and to be provided with a contact point.
The University will respond to all rights requests without undue delay and at the latest within one month. That period may be extended by two further months if a request is complicated or we receive a number of requests from the same individual. If the University proposes to extend the time, we will tell the individual, within one month of receiving a request, why the extension is necessary and when it will be dealt with.
Where an individual makes a request by email we will generally respond by email unless the individual requests otherwise.
When providing information to an individual we will do so in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This is especially the case if we are dealing with a child/young person. We can provide information verbally to the individual if they request so and we are satisfied they are entitled to the information.
If for whatever reason, we choose not to deal with the request then we will tell the individual why, without delay and at the latest within one month of receipt of their request. They will be advised that they may lodge a complaint with the Information Commissioner’s Office or seek a judicial remedy.
Requests to exercise rights are normally free of charge however where a request is manifestly unfounded or excessive (e.g. repetitive requests) we may:
- charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
- refuse to act on the request.
It is for the University to prove that a request is manifestly unfounded or excessive.
Where the University has reasonable doubts concerning the identity of the person making the request we may request the provision of additional information necessary to confirm their identity.
The rights above are not absolute; they apply in certain circumstances and are subject to exemptions.
How to Make a Request
To help us to facilitate any request regarding your data subject rights, please submit a request by completing the attached form:
In addition, you may need to provide a copy of one form of ID (passport, driving licence or another internationally recognised ID card) for yourself.
The University will not release personal data to you unless fully satisfied as to your identity.