Your personal rights

Subject to an exemption, you have rights with respect to your personal data:

Right to Be Informed:

You have the right to be informed about the collection and use of your personal data. We do this by including a privacy notice when we ask for your information, which can be provided to you in a number of different ways, for example:

Right of Access:

This is commonly known as subject access. You can submit a Subject Access Request to:

  • Confirm whether your data is being processed
  • Gain access to your personal data
  • Verify the lawfulness of the processing; and
  • Access other supplementary information – however all other information should be held in the relevant privacy notice.

From the 25 May 2018 subject access requests can be made verbally or in writing and will be free of charge, unless we consider your request to be:

  • manifestly unfounded, or
  • excessive or repetitive

If we deem one of the above to be the case we may request a reasonable fee or refuse to process your request. If a fee is applied this will be based on the administrative cost of providing the information to you.

We must provide you with your information within one month of receiving your subject access request; however, we can lawfully extend this by a further two months if your request is complex or numerous. If there is a delay in dealing with your request we will inform you within one month of receipt of your request and explain why the extension is necessary.

We may also be required to ask you for documents to prove your identity. If this is required then the one month will commence from the date your identity is confirmed.

If we refuse to process your request we will explain why and inform you of your right to complain to the Information Commissioner, and to a judicial remedy within one month of receipt.

Find out how to make a subject access request

Right to Request Rectification: 

You are entitled to have personal data rectified if it is inaccurate or incomplete.

Requests for rectification will be responded to within one month of receipt. However, if we believe your request to be manifestly unfounded or excessive, we may request a reasonable fee or refuse to deal with your request. The fee will be based on the administrative costs of complying with your request.

If we decide to charge a fee we will also notify you within one month of receipt; however, we will not comply with your request until the fee is received.

We may also be required to ask you for documents to prove your identity. If this is required then the one month will commence from the date your identity is confirmed.

We do have the right to extend the time to respond by a further two months if your request is complex or numerous. We will write to you to advise you of the delay within one month of receiving your request.

If we decide not to take action in response to your request for rectification, we will explain why and inform you of your right to complain to the Information Commissioner and to a “judicial remedy”. We will do this within one month of receiving your request.

If we have disclosed personal data deemed as inaccurate or incomplete to others, then we will contact the recipient(s) and inform them of the rectification, unless to do so proves impossible or involves disproportionate effort.

If you would like to have your data rectified please contact the Data Protection Officer.

Right to Erasure – the right to be forgotten

The right to erasure is also known as ‘the right to be forgotten’. This right enables you to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

The right to erasure is not an absolute right and only applies in the following circumstances:

  • Your personal data is no longer necessary for the purpose which we originally collected or processed it for.
  • We relied on your consent as your lawful basis for holding the data, and you now wish to withdraw your consent.
  • We relied on legitimate interests as our reason for processing your personal data and you now object to us processing your data, and we have no overriding legitimate interest to continue this processing.
  • We are processing your personal data for direct marketing purposes and you object to that processing.
  • We have processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the first principle).
  • We have to do it to comply with a legal obligation.

From the 25 May 2018 we will accept requests for erasure in writing, by email or by post. We will respond to your request within one month of receipt; however, this can be extended by a further two months if your request is complex or numerous. If proof of identity is required the one month will commence when your identity is confirmed.

If there is a delay in dealing with your request we will inform you within one month of receipt of the request and explain why the extension is necessary.

We may also request a reasonable fee or refuse to comply with your request for erasure if we consider it is manifestly unfounded or excessive. We will write to you within one month of receipt of your request and explain our decision. Any fee will be based on the administrative costs of complying with the request. If we charge a fee then your request will not be processed until the fee is received.

If we refuse to process your request we will explain why and inform you of your right to complain to the Information Commissioner, and to a judicial remedy within one month of receipt.

There are some specific circumstances where the right to erasure does not apply and therefore a request may be refused. These reasons could involve data processed for the following purposes:

  • To exercise the right of freedom of expression and information.
  • To comply with a legal obligation for the performance of a public interest task or exercise of official authority.
  • For public health purposes in the public interest.
  • Archiving purposes in the public interest, scientific research, historical research or statistical purposes.
  • The exercise or defence of legal claims.

If we have disclosed your personal data to others, including making it public in an online environment, and subsequently erase it on request, we will contact the recipient(s) and inform them of the erasure, unless to do so proves impossible or involves disproportionate effort.

If you would like to have your data erased please contact the Data Protection Officer.

The Right to Restrict Processing

Individuals have a right to ‘block’ or suppress processing of personal data. When processing is restricted, organisations are permitted to store the personal data, but not further process it.

Organisations can retain just enough information about the individual to ensure that the restriction is respected in future.

The right to restrict processing is not an absolute right and only applies in certain circumstances.

We are required to restrict the processing of your personal data in the following circumstances:

  • Where you contest the accuracy of your personal data, we must restrict the processing until we have verified the accuracy of your personal data.
  • We have unlawfully processed your personal data and you oppose the erasure and request restriction instead.
  • We no longer need the personal data but you need us to keep it in order to establish, exercise or defend a legal claim.
  • You have objected to us processing your data under Article 21(1), and we are considering whether our legitimate grounds override your right to object.

From the 25 May 2018 requests for erasure will be accepted in writing, by email or by post; however, proof of identity may be required. If proof of identity is sought then the one month will commence when your identity is confirmed.

We may extend the time to respond to you by a further two months if your request is complex or numerous. If there is a delay in dealing with your request we will inform you within one month of receipt of the request and explain why the extension is necessary.

We may also request a reasonable fee or refuse to comply with your request for restriction if we consider it is manifestly unfounded or excessive. We will write to you within one month of receipt of your request and explain our decision. Any fee will be based on the administrative costs of complying with the request. If we charge a fee then your request will not be processed until the fee is received.

If we refuse to process your request we will explain why and inform you of your right to complain to the Information Commissioner, and to a judicial remedy within one month of receipt.

If we have disclosed personal data to others, which we subsequently restrict on request, then we will contact the recipient(s) and inform them of the erasure, unless to do so proves impossible or involves disproportionate effort.

We will also advise you when the restriction on processing is lifted.

If you would like to have the processing of your personal data restricted please contact the Data Protection Officer.

Right to Data Portability

The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services.

It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.

The right to data portability only applies:

  • To personal data you have provided to a data controller,
  • where the processing is based on your consent or for the performance of a contract, and
  • when processing is carried out by automated means.

We will provide your personal data in a structured, commonly used and machine readable form. Open formats include CSV files. Machine readable means that the information is structured so that software can extract specific elements of the data.

This enables other organisations to use your data.

The information will be provided free of charge.

If requested and technically feasible we will transmit the data directly to another organisation.

If your personal data concerns more than your own data, we must consider whether providing the information would prejudice the rights of the other person.

We will respond to your request for data portability within one month; however, this can be extended by two months where the request is complex or we receive a number of requests. We will inform you within one month of the receipt of the request and explain why the extension is necessary.

Where we are not taking action in response to a request, we will explain why and inform you of your right to complain to the Information Commissioner and to a judicial remedy without undue delay and at the latest within one month.

If you would like to obtain and reuse your personal data, please contact the Data Protection Officer.

Right to Object

Individuals have the right to object to:

  • The processing of their personal data based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling).
  • The processing of their personal data for direct marketing (including profiling).
  • The processing of their personal data for the purposes of scientific/historical research and statistics.

We will stop processing your personal data unless:

  • We can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual, or
  • the processing is for the establishment, exercise or defence of legal claims.

We will inform you of your right to object at the point of first communication and in our privacy notice.

If we are conducting research where the processing of personal data is necessary for the performance of a public interest task, we are not required to comply with an objection to the processing.

If you would like to object to processing your personal data please contact the Data Protection Officer.

Rights Relating to Automated Decision Making

Automated individual decision making and profiling is a decision made by automated means without any human involvement.

Examples of where an organisation may use this include:

  • An online decision to award a loan and
  • a recruitment aptitude test which uses pre-programmed algorithms and criteria.

The new data protection law will restrict organisations from making solely automated decisions, including those based on profiling, that have a legal or similarly significant effect on individuals.

The restriction only covers solely automated individual decision-making that produces legal or similarly significant effects. Although these effects are not defined, the decision must have a serious negative impact on an individual to be caught by this provision.

A legal effect is something that adversely affects someone’s legal rights. Similarly significant effects are more difficult to define but would include, for example, automatic refusal of an online credit application, and e-recruiting practices without human intervention.

We will only carry out solely automated decision making with legal or similarly significant effects if the decision is:

  • Necessary for entering into or performance of a contract between an organisation and the individual.
  • Authorised by law (for example, for the purposes of fraud or tax evasion).
  • Based on the individual’s explicit consent.
  • Necessary for reasons of substantial public interest.

Restrictions to Information Rights

When dealing with your information rights request, a data controller or processor can restrict your rights if they consider it necessary to safeguard:

  • (a) National security.
  • (b) Defence.
  • (c) Public security.
  • (d) The prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
  • (e) Other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security.
  • (f) The protection of judicial independence and judicial proceedings.
  • (g) The prevention, investigation, detection and prosecution of breaches of ethics for regulated professions.
  • (h) A monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g).
  • (i) The protection of the data subject or the rights and freedoms of others.
  • (j) The enforcement of civil law claims.

If we do place a restriction then we will advise you, unless we believe that doing so would undermine the purpose of the restriction. We will advise you of your right to complain to the Information Commissioner.

Right to complain to the Information Commissioner

If you are concerned about the way we have handled your information you have the right to make a complaint to the Information Commissioner.

The Information Commissioner’s Office can be contacted:

By phone:
Opening hours are Monday to Friday 09:00-17:00
0303 123 1113

By email:
casework@ico.org.uk

By post:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF