Your privacy rights

The General Data Protection Regulation (2016) (GDPR) provides you with legal rights over the personal data the University holds about you. This guide will explain your rights and help you to use them.

You do not need to know details about which right applies in which case in order to make a request; it’s our responsibility to understand how to handle a request you make.

Your personal data rights are:

  • Be informed
  • Access
  • Rectify
  • Be Forgotten
  • Restrict
  • Portability
  • Object
  • Automated decisions and profiling

We are committed to helping you to exercise your rights through:

  • Keeping our guidance simple
  • Making it readily available
  • Responding to a request from you:
    • In writing: by means of your choice wherever practical. If you email us, we’ll respond by email unless you ask us to do something different
    • Verbally: if you wish, providing we have proof of ID
    • Promptly: and no longer than a month after receiving it. If your request is particularly large and complicated, we are allowed to extend the deadline by up to 2 months. If we need to do this we’ll let you know within a month and explain why.
    • In plain English: avoiding legal terms where possible, but explaining them where we need to use them

The University’s Data Protection Policy gives our commitment to providing for your rights and complying with other aspects of the law.

Making a request

How do I make a request?

Please complete the privacy rights form and send it to dpa@aru.ac.uk

Please read through this guidance on the various rights before you make your request as this may help you to get the outcome you expect.

How will you know that a request about me has come from me?

We won’t act on a request to exercise your rights without being satisfied that it is you, or someone who you have allowed to act on your behalf. Where we have doubts about a requestor’s identity, we will ask for proof of ID and won’t go ahead unless we’ve received this and are satisfied that you are identified. We will accept requests made from ARU-provided student or staff email accounts without the need for further ID.

Are you allowed to charge me for a request, or refuse it?

You should not have to pay us when you’re exercising your rights; however, the law does allow us to charge you a reasonable fee if your request is unreasonable or is a repeat of something we’ve already done for you. In these cases we may be allowed to refuse your request rather than charge. If we plan to charge or to refuse your request, we will let you know and explain why we believe the law lets us do this.

There are other reasons in the law which may mean we cannot do what you ask us to do with your personal data. We have explained these under each of your ‘Rights’ in this guide.

What if I’m not happy with your response to my request?

We’ll always do our best to do what you ask with the personal data we hold about you. However, the law places a responsibility on us to balance your rights against the rights of other people who may be affected and against our legal powers and those of other organisations. It may not always be the case that your rights are stronger than those of others in every situation. We’ll always explain our reasons and will gladly take another look at our decision if you want to challenge it.

If you still feel that we haven’t done what we should then you have the right to complain to the Information Commissioner (ICO).

Limiting your Rights

The law allows for the Government to make certain decisions which could result in Data Protection rights being reduced to some extent. However, the law requires that any restrictions of this kind must still be in line with your basic human rights and must be what is expected of rules applying to a democratic country.

The Government may decide to limit the rights for reasons such as national security, preventing crime, investigating certain professional conduct cases etc. We have to take these decisions into account when considering requests from you to exercise your rights.

Your Right to be Informed

It is important that you know what happens to your personal data whilst we hold it. The law requires us to be honest and open with you about these details and we do this through publishing a number of Privacy Notices on our website.

These Notices are available for you to read and understand so that you know what to expect when ARU is provided with your data, either before you share it with us or where it is given to us by another organisation that holds it.

We have taken care to explain the details on the Notices in simple language but we would be grateful for any feedback on this to help us with our commitment to review and improve the guidance we give you.

Here are the main things we need to tell you about what we do with your personal data:

  • Who we are: The name of our Data Protection Officer and their contact details.
  • A description of the type of data we collect about you
  • The reasons why we need this data
  • An explanation of how the law allows us to hold and use your data
  • Who we might share the data with (either because they provide a service on our behalf or they need it for their own purposes and the law allows this)
  • Whether your data may be sent to or stored in a country that is outside the European Economic Area (EEA)
  • When we will no longer need your data and how soon after this we’ll delete it
  • Which of your rights you are able to use, including the right to withdraw your consent (if this is what allows us to hold your data)
  • How to complain to the Information Commissioner’s Office (ICO)
  • Where we got your data from (if you didn’t give it to us yourself)
  • Whether we use your data to make automated decisions or to do profiling

We will make sure the right Privacy Notice is available to you:

  • At the time you share your data with us, or
  • When it has been shared with us by another organisation, in which case:
    • No later than a month after we receive it
    • The first time we contact you about this data, or sooner
    • Before or when we share the data with someone else

See our website for a list of published Privacy Notices

Visit the Information Commissioner’s website for more information.

Your Right to Access your Information

The personal data we hold about you is still yours. You have the right to ask us for access to the data to be satisfied that our use of it is lawful. Unless the law prevents us from doing so, we must give you:

  • Confirmation that we hold your data
  • An explanation of what that data is
  • Access to your information
  • Confirmation of which Privacy Notice(s) explain why we have your data and what we do with it

When dealing with your request we will:

  • Let you know what additional information we may need to identify you
  • If a request has been made by someone on your behalf, ensure that they have your permission
  • Confirm how you would like to receive your information
  • Help you to make the request clearer if we do not understand the information you want.
  • Make sure the information you receive is information you are entitled to under the law – having considered your rights against the rights of others whose information may be included within documents relating to you, and any other legal reason which may prevent us from sharing data.
  • Let you know within a month at the latest about any expected delay, for example if your request is complex, about any fee that the law allows us to charge, or explain any reason we may have to refuse your request.

If your personal data is being used as part of one of our research projects, please be aware that the right of access does not apply if your access request would seriously harm the purpose of the research. In practice however, the University will want to be transparent and help with your request where it is reasonable to do so.

Please see the privacy rights form which should be used to make your request.

Visit the Information Commissioner’s website for more information.

Your Right to have your Data ‘Rectified’

The University has a legal responsibility to make sure the data we hold about you is accurate and complete. Where we are made aware that we may hold inaccurate or misleading data about you, we must consider ‘rectifying’ it (correcting it).

Where you have moved to a new address, changed contact details or even changed a surname, these are simple changes to make. However, there may be more complex cases where you disagree with an opinion we have recorded about you, and you may decide to ask us to change this. In some cases the law allows us to refuse to make changes to the personal data we hold.

Any request to change your personal data will be fairly considered, and if, having reviewed a contentious record, we feel it is inaccurate, then we will make changes.

If we do refuse to make changes we will always:

  • Explain to you in writing the reasons why we are refusing your request
  • Consider adding a statement of your opinion to the record to reflect that there has been a challenge to our professional judgement.

If your personal data is being used as part of one of our research projects, please be aware that the right of rectification does not apply if your request would seriously harm the purpose of the research. In practice however, the University will want to support you and help with your request where it is reasonable to do so.

Please see the privacy rights form which should be used to make your request.

Visit the Information Commissioner’s website for more information.

Your Right to be Forgotten

The right to Erasure, known as the right to be forgotten, is where you can ask us to consider deleting information that we hold about you.

We will already have explained to you through our Privacy Notices how long we intend to hold your personal data before we delete it. However, you still have the right to challenge us to delete your data at any time.

You can expect your request for deleting your personal data to be successful if:

  • It is no longer ‘necessary’ for us to keep the data for the purpose stated on the relevant Privacy Notice
  • We’re holding and using the data based only on your consent, and you have decided to withdraw this consent
  • We’re holding and using the data for our ‘legitimate interests’. You may decide to object to this, and we can’t give a reason for keeping it that outweighs your decision.
  • We’re holding and using the data to allow us to market goods and services to you and you ask us to stop.
  • We have been holding and using your data unlawfully.
  • Deleting is required by law.
  • We’re using data about you to support a chargeable online service.

The law has a number of reasons why we are allowed to refuse erasure requests. Those that are most likely to apply to ARU are where we’re holding or using your data:

  • To comply with a legal requirement
  • Where we are doing something in the public interest or acting within our role as a University.
  • To keep a historical record of the University’s activity for future generations.
  • Because it supports a legal case.

When we agree to delete information about you, we will have procedures in place to let other organisations who we’ve shared your data with know; for example if we have contractors working on our behalf. Our decision to delete your data means that they should delete it also.

When we agree to delete information following your request, or routinely as part of our records management procedures, we will make sure that the data in whatever format is destroyed securely and cannot be reused, or it will be permanently changed so that it can no longer identify you.

Please see the privacy rights form which should be used to make your request.

Visit the Information Commissioner’s website for more information.

Your Right to Restrict the Processing of your Data

Should you have concerns about an aspect of what we do with your personal data, such as who we share it with or how we manage it, you have the right to ask us to stop doing it. This means we are still allowed to hold it, but we are ‘restricted’ in the ways we can use your data.

Aside from storing your data, we can only continue to use it when it is under a restriction if:

  • We have your consent
  • It is to be used for a legal claim or case
  • It is needed to support someone else’s rights
  • We believe the use is in the public interest.

When use of data is under a restriction, we consider doing the following in order to help us to comply:

  • Removing your data from one database or system and storing it in another in order to separate it from data which is still in use
  • ‘Locking’ or ‘protecting’ a record containing your data to prevent staff from accessing and using it.
  • Taking published data down from a website.
  • Labelling the data to ensure that users are aware of the restriction

You can expect your request for restricting the use of your personal data to be successful if:

  • You want our use of your data to stop whilst its accuracy is being reviewed.
  • The data had been used unlawfully and you opt for a restriction rather than request us to delete (erase) your data.
  • We don’t believe it is necessary for us to keep your data any longer, but you wish us to keep it for a potential legal case.
  • You have raised an ‘objection’ and we need time to consider whether your rights outweigh our potential claim that we have a legitimate need to keep using your data.

As with other rights, the law allows us to refuse a request in certain circumstances. In this case we can refuse (or charge a reasonable fee) if we believe the request is unfounded or excessive. In such cases we will contact you and explain our decision, and let you know how to complain.

When we decide to lift any restriction on the use of your data, we must let you know about this in advance. We must let you know how this affects any related requests under your rights to ‘rectify’ and to ‘object’, and also let you know how to complain.

If your personal data is being used as part of one of our research projects, please be aware that the right of restriction does not apply if your request would seriously harm the purpose of the research. In practice however, the University will want to support you and help with your request where it is reasonable to do so.

Please see the privacy rights form which should be used to make your request.

Visit the Information Commissioner’s website for more information.

Your Right to Data Portability

The right to Data Portability gives you the means of asking an organisation to give your personal data to another organisation on your behalf, or back to you for you to give to another organisation – making your data ‘portable’, i.e. easily usable by another supplier of services to you.

The law allows this right to apply in a very narrow set of circumstances which make it highly unlikely that it would apply to any data held by the University, but in brief the right applies when data you have provided:

  • Is being held and used by us under your consent or supporting a contract, AND
  • The use of the data is being carried out by an automated process (i.e. staff are not involved in physically doing something with the data).

If this right did apply to your data, we would need to provide it in a format that was commonly in use, allowing the majority of software products to read and use the data in an automated way.

Please see the privacy rights form which should be used to make your request.

Visit the Information Commissioner’s website for more information.

Your Right to Object to Data Processing

The law provides you with the right to ‘object’ to us holding and using your personal data but only in certain circumstances. Our Privacy Notices, under the section “What is the Legal basis for using your personal data” will let you know the ‘legal condition’ we are relying on to hold and use your data and they will also explain when you have the right to ‘object’. If we are relying on one of the following legal conditions, then the right is available to you:

  • “Legitimate interests”, or
  • “Performance of a task in the public interest/ exercising our official authority” (including profiling), or
  • “Scientific or Historical research and statistics”

In order to exercise your right you must have an objection which is specific to your particular situation. You can’t therefore object to our general practices; you must be able to argue that there is something we are doing with your personal data that impacts you specifically.

If this does apply, then we must stop doing what is causing you concern unless we can do one of the following:

  • Show you that there are legitimate grounds for our actions and that these outweigh your rights
  • Show that our actions with your personal data are necessary to support evidence for a legal case or claim

If we hold your data for direct marketing purposes then we must stop doing so when we receive your objection. We would have no grounds to challenge your decision.

If your personal data is being used as part of one of our research projects, please be aware that the right to object does not apply if your access request would seriously harm the purpose of the research. In practice however, the University will want to support you and help with your request where it is reasonable to do so.

Please see the privacy rights form which should be used to make your request.

Visit the Information Commissioner’s website for more information.

Rights over Automated decision-making & Profiling

What do these terms mean?

  • Automated decision-making
    This is making decisions about you using your personal data through an automated process, i.e. a computer calculation where data is processed in order to give a result which affects you. There is no human involvement in this calculation process.
  • Profiling
    Using personal data to make decisions about categorising you based on any number of characteristics.

Where we do these types of activity we have to let you know about it on our Privacy Notices. These will explain the process we go through and what the potential consequences are of the decisions made.

The law only allows us to do this kind of activity in the following circumstances:

  • If we were evaluating you as part of entering into a contract (i.e. to see whether someone meets the criteria to be eligible for one of our services)
  • If the law specifically allows it
  • You have given us your recorded consent

And we can only use sensitive personal data for these activities if:

  • We have your recorded consent, or
  • We can justify that what we’re doing is important in the public interest

If what we’re doing isn’t completely automated and the decisions are not significant, then we don’t need to rely on these reasons, but we still need to let you know what we’re doing and explain how the law allows us to do it.

The law says that this type of activity has the potential for error that may have negative consequences for you, or the law has concerns that decisions are made in ways that aren’t transparent and are potentially unfair. You therefore have the right to:

  • Challenge us over decisions we make in this way
  • Demand that a member of staff undertakes the process rather than a computer
  • Make us aware of your opinions to support this decision making

We must make sure that the systems we use to make such decisions are working as they should in order to avoid errors and to ensure we are fair, and we must take reasonable steps to keep your data secure within this process.

Any system we use to carry out this type of process will have been risk assessed and will have been approved by our Data Protection Officer as complying with the law.

Please see the privacy rights form which should be used to make your request.

Visit the Information Commissioner’s website for more information.

When do my Rights apply?

This table shows which of your Rights apply in which circumstances.

Our Privacy Policy has sections titled “What is the legal basis for using your personal data?” In these you will be able to find the ‘legal basis’ relevant to why we use your personal data (the ‘Purpose’). In the table below, find the relevant ‘Legal Basis’. In the columns next to the ‘Basis’ you will see which Rights apply in these circumstances. A ‘tick’ (shown as ‘Yes’) means the Right is applicable (although there may still be grounds for us to refuse a request), and a ‘cross’ (shown as ‘No’) means that the law doesn’t allow the Right to be exercised in this case. You do not need to know this detail in order to make a request; it is our responsibility to explain these details when we respond to you.

The Right to be ‘Informed’, and the Right of ‘Access’ apply in all cases.

 

| Legal basis | Rectify | Erase | Restrict | Object | Auto-decisions/ Profiling | Portability |
|---|---|---|---|---|---|---|
| Personal Data (Article 6 of GDPR) | | | | | | |
| a) Consent | Yes | Yes | Yes | Yes | Yes | Yes |
| b) Contract | Yes | Yes | Yes | No | Yes | Yes |
| c) Legal Obligation | Yes | No | Yes | No | Yes | No |
| d) Vital Interests | Yes | No | Yes | No | No | No |
| e) Public Task | Yes | No | Yes | Yes | Yes | No |
| f) Legitimate Interests | Yes | Yes | Yes | Yes | Yes | No |
| Special Category Data (Article 9 of GDPR) | | | | | | |
| a) Explicit Consent | Yes | Yes | Yes | Yes | Yes | Yes |
| b) Employment, Social Security & Protection Law | Yes | Yes | Yes | No | Yes | No |
| c) Vital Interests | Yes | No | Yes | No | No | No |
| d) Not for profit | Yes | Yes | Yes | Yes | Yes | No |
| e) Public Domain | Yes | Yes | Yes | Yes | Yes | Yes |
| f) Legal Defence & Claims | Yes | No | Yes | No | Yes | No |
| g) Substantial Public Interest | Yes | No | Yes | No | No | No |
| h) Health & Social Care | Yes | No | Yes | No | Yes | No |
| i) Public Interest in Public Health | Yes | No | Yes | No | Yes | No |
| j) Research, Statistics, Archiving | No | No | Yes | Yes | Yes | No |
| Any use for direct marketing | Yes | Yes | Yes | Yes | Yes | No |