The right of access
Individuals are entitled to
make a subject access request for a copy of their personal data, including what
data is being held, where, and for what purpose. These will be free, although if further copies are requested, a charge can be made. Organisations
can refuse to respond to a request if it is manifestly unfounded or excessive,
or can choose to charge an administrative fee in these cases. Where large
volumes of personal data are processed, the individual should specify exactly
what information or processing their request relates to. Requests should be
responded to within one month. This can be extended by a further two months if
the request is complex or a large number of requests are received. Data can be
withheld if disclosure would adversely affect the rights and freedoms of
others. This includes rights affecting the organisation / business of the
organisation.
The right to be informed
The right to be informed
encompasses the obligation on organisations to provide "fair processing
information", typically through a privacy notice. This should be concise,
transparent, intelligible and easily accessible; written in clear and plain
language, particularly if addressed to a child.
The right to rectification
The individual has the
right to have personal data rectified. This is if it is inaccurate or incomplete.
The right to erasure ("right to be forgotten")
This is the right to be
able to request the deletion or removal of data where there is no compelling
reason for its continued processing, or overriding legitimate grounds to
justify processing. Data will not be erased if it is: necessary for rights of
freedom of expression or information; compliance with a legal obligation; in
the public interest; for archiving or research; for legal claims.
The right to restrict processing
Processing may be restricted
where the organisation is considering whether continued processing is
justified; where it is no longer necessary but when it is needed for legal
claims; when an individual wants it restricted but not erased; where the
accuracy of data is being verified.
The right to object to processing
This applies where the
organisation's processing is based on the following conditions: public task; or
legitimate interests. It does not apply if the processing is for legal claims,
or if the compelling legitimate interest overrides the interests of the
individual.
The right to object to direct marketing
This requires
organisations who are marketing to individuals to obtain unambiguous consent,
resting on a "clear affirmative action" by consumers.
The right to withdraw consent
If processing is based on
consent, the individual has the right to withdraw consent, at any time, where
relevant.
The right to data portability
This right exists to allow
individuals to obtain and reuse their personal data for their own purposes
across different services. It allows them to move, copy or transfer personal
data easily, in a machine readable format, from one IT environment to another
in a safe and secure way, without hindrance to usability. This right only
applies to personal data which has been provided to the organisation by the
individual.
Automated decision making and profiling
Individuals have the right
not to be subject to decisions made automatically that produce legal effects or
significantly affect them. This does not apply where the decision is based on
explicit consent from the individual; necessary for a contract with the
individual; subject to suitable safeguards, including a right to a human review
of the decision; authorised by law. Additional restrictions apply to automated
decision making or profiling using sensitive personal data or carried out on
children.
List of automated
decision making at the Çï¿ûÊÓƵ.
Exercising these rights
Individuals may exercise
these rights if the Çï¿ûÊÓƵ is processing personal data
pertaining to them, by: emailing compliance@gre.ac.uk, or writing to: Peter Garrod, Data Protection Officer, Çï¿ûÊÓƵ, Queen Anne Court, Park Row, London SE10 9LS.
The right to lodge a complaint
The individual has the
right to lodge a complaint with the supervisory authority, the Information
Commissioner's Office (ICO), at Wycliffe House, Water Lane, Wilmslow, Cheshire
SK9 5AF.