Data Subject Rights
An individual has the following rights (all of which are qualified in different ways):
Right to be informed
A data subject has the right to be informed about the collection of their personal data and to be informed of how it is being used by the University. This is a key transparency requirement under the Data Protection legislation.
Data subjects must be provided with information including: the purpose(s) for processing their personal data, the retention periods and who it will be shared with. This is called 'privacy information' and must be provided to individuals at the time personal data is collected from them. The information provided must be concise, transparent, intelligible, easily accessible and it must use clear and plain language. Privacy information must be reviewed regularly and where necessary, updated. Any new uses of an individual's personal data must be brought to their attention before processing commences.
If personal data is obtained from other sources, individuals must be provided with privacy information within a reasonable period of obtaining the data and no later than one month.
There are a few circumstances when privacy information does not need to be provided, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.
Further information
Right of access (Subject Access Requests)
What is a Subject Access Request (SAR)?
The UK General Data Protection Regulation ("UK GDPR") Article 15 gives individuals the right of access to any of their personal data that the University holds about them.
This is known as a Subject Access Request ("SAR").
What is personal data?
Personal data is information that relates to a living individual.
The individual must be identified or identifiable either directly or indirectly from one or more identifiers or from factors specific to the individual.
What should a member of staff do upon receiving a SAR?
If a SAR is received by any member of staff, it should be forwarded immediately via email to gdpr@ulster.ac.uk or in hard copy to Mr Eoin Coyle, Data Protection & Information Compliance Manager, Ulster University, Cromore Road, Coleraine BT52 1SA.
What is the time limit for responding to a SAR?
The University must respond to a SAR as quickly as possible and no later than one calendar month.
A calendar month starts on the day the University receives the request, even if that day is a weekend or a public holiday. It ends on the corresponding calendar date of the following month. However, if the end date falls on a Saturday, Sunday or bank holiday, the calendar month ends on the next working day. Also, if the following month is shorter and has no corresponding calendar date, the date for response is the last day of the following month.
The clock starts to tick as soon as a request is received and it is important that all requests are forwarded without delay to the Data Protection & Information Compliance Manager, Mr Eoin Coyle, as detailed above.
If the request is complex the response time can be extended to a maximum of 3 calendar months starting from the day after receipt of the request.
Does a SAR have to be in a particular format?
A SAR does not have to be submitted in any particular format and can be made verbally or in writing. A request does not have to include the phrase 'subject access request' or refer to data protection legislation. It must however be clear that the requester is asking for their personal data.
If an individual makes a verbal request that is then passed to the Data Protection & Information Compliance Unit, a follow up in writing will be issued asking for the individual to confirm that our understanding of the request is correct.
If the requester is not known to the University, the University will require sufficient information to verify their identity.
Third Party Requests
SARs can be submitted via a third party, usually a solicitor acting on behalf of a client, but sometimes an individual simply wants someone else to act for them. The University needs to be satisfied that the third party making the request is entitled to act on behalf of the individual. It is the third party’s responsibility to provide evidence of this entitlement.
There may be occasions where staff will be approached by the PSNI for information such as personal data or CCTV footage. The University will not release the personal data of individuals unless the appropriate Form 81 has been received by the Data Protection & Information Compliance Unit.
Is there a fee for processing SARs?
The University cannot usually charge a fee for processing SARs except in limited circumstances: where the request is manifestly unfounded or excessive, or if an individual requests further copies of their data. In these cases a 'reasonable fee' for the administrative costs of complying with a request may be charged.
What information is an individual entitled to?
Subject access is often used by individuals who want to see a copy of the personal data the University holds about them.
Under subject access an individual is also entitled to the following information:
- the purposes for processing personal data
- the categories of personal data concerned
- the recipients or categories of recipient the University discloses the personal data to
- the retention period for storing the personal data
- the individual’s right to request rectification, erasure or restriction or to object to such processing
- the right to lodge a complaint with the ICO or another supervisory authority
- where personal data is not collected from the individual, any available information as to its source
- the existence of automated decision-making (including profiling)
- the safeguards the University provides if the data is transferred to a third country or international organisation
Is there any information exempt from subject access?
There are some restrictions on disclosing information in response to a SAR e.g. where this would involve disclosing information about another individual.
The University considers the application of exemptions on a case by case basis.
Is there an appeal process to a response?
If an applicant is not satisfied with how the University has dealt with the request, the matter can be raised under the University's internal review process for Subject Access Requests. Please submit written details of your appeal to Clare Jamison, Ulster University, Coleraine BT52 1SA, email at university secretary@ulster.ac.uk
The University will normally undertake to issue a decision on an appeal within 20 working days of receipt.
Right to rectification
Under Article 16 of the UK GDPR a data subject has the right to have inaccurate personal data held by the University rectified or completed if it is incomplete.
Under Article 18 of the UK GDPR a data subject has the right to request restriction of the processing of their personal data where they contest its accuracy and the University is checking it.
If you wish to rectify your personal data please contact gdpr@ulster.ac.uk directly or complete our online form.
Further information
Right to be forgotten
A data subject has the right to have their personal data held by the University erased. This right is not absolute and only applies in certain circumstances.
If you would like your personal data to be erased, please contact gdpr@ulster.ac.uk or complete the online form.
Further information is available in Right to Erasure | ICO
Right to restrict processing
A data subject has the right to restrict processing of their personal data. This right is not absolute and only applies in certain circumstances as detailed in Article 18 of the UK GDPR.
This right involves limiting the way in which the University can use an individual's personal data. It is an alternative to requesting the erasure of personal data.
If you wish to raise a concern in this area please contact gdpr@ulster.ac.uk directly or complete an online form.
Further information
Right to data portability
A data subject has the right to receive copies of their personal data in a machine readable and commonly used format. This right is not absolute and only applies in certain circumstances as detailed in Article 20 of the GDPR.
This right allows data subjects to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way without affecting its usability. This right only applies to personal data that a data subject has provided to the University.
If you require your personal data please contact gdpr@ulster.ac.uk directly or complete an online form.
Further information
Right to object
A data subject has the right to object to the processing of their personal data. This right is not absolute and only applies in certain circumstances as detailed in Article 21 of the GDPR.
It includes a right to object to processing (including profiling) of their data that proceeds under particular legal bases; to direct marketing; and to processing of their data for research purposes where that research is not necessary in the public interest.
If you wish to object to the processing of your personal data, please contact gdpr@ulster.ac.uk directly or complete the online form.
Further information is available in Article 21 of the GDPR
Rights about automated decision making and profiling
A data subject has a right not to be subject to a decision based solely on automated decision-making using their personal data without any human involvement.
Profiling (automated processing of personal data to evaluate certain things about an individual) can be part of an automated decision making process.
This right is not absolute and only applies in certain circumstances as detailed in Article 22 of the GDPR.
If you wish to raise a concern in this area please contact gdpr@ulster.ac.uk directly or complete an online form.
Further information is available in Article 22 of the GDPR
Exercising your rights
Any person who wishes to exercise any of the rights detailed above is required to make their request to +44(0)28 7032 4533 or gdpr@ulster.ac.uk.
If a request is received by any member of staff, it should be forwarded immediately to gdpr@ulster.ac.uk.
The University does not normally charge a fee to process such requests but where the request is manifestly unfounded or excessive, the University may charge a reasonable fee for the administrative costs or refuse to comply (taking into account whether the request is repetitive in nature).
The University must respond to requests without undue delay and at the latest within one month of receipt of a request. This period may be extended by a further 2 months where necessary, taking into account the complexity and number of requests. The Data Subject shall be informed of any such extension within 1 month of the receipt of the request, together with the reasons for the delay.
In the event the University refuses to comply with a request, it will inform the individual without undue delay and within one month of receipt of the request, together with an explanation for not taking action as well as informing the individual of their right to make a complaint to the ICO and of their ability to seek to enforce this right through a judicial remedy.
Where the University has doubts concerning the identity of the individual making the request, the provision of additional information necessary to confirm the identity of the data subject may be requested prior to acting upon a request. The University shall let the Data Subject know without undue delay and within one month if it needs such additional information. The University does not need to act upon the request until it has received such information.
Rights in relation to automated decision making and profiling
The University undertakes to consider an objection without undue delay. In compliance with the law the University will confirm the action it has taken within one month of receipt of an objection.
In the event that the University refuses to comply with an objection, it will similarly inform the individual without undue delay and within one month of receipt of the objection. In such circumstances, the University shall explain its reasons for not taking the action and inform the individual of their right to challenge or appeal such decision and the grounds on which they can appeal.