Data Subject Rights
It is vitally important that staff receiving a request to exercise any of these rights refer to the IMPS office as soon as possible. Please send all correspondence to firstname.lastname@example.org. Please note some of these rights can be made verbally, call 0118 378 8981 if you need any advice. For the majority of requests, the IMPS office are required to respond within 1 calendar month.
The University must provide information to people about how their data is collected, what purposes it is used for, who it is shared with, and how to exercise their rights. People must also be informed of the contact details of the Data Protection Officer and where to go for advice.
We must always be transparent about what we do with people's data.
This information should be communicated at the point of collection and can take various forms, such a web privacy notice, an application form, a research information sheet for participants, or a link to further information provided at the point staff or students join the organisation. Our core privacy notices are currently being updated. If you have a bespoke website for your department or project that does not currently link to the central University Privacy Notice (Policy), and you have not already been contacted by the IMPS team, please contact email@example.com
If you are about to embark on a new use of data already collected we may need to check the activity is already covered in our privacy notices. Please contact firstname.lastname@example.org if you are unsure.
Individuals have the right to access their personal data. This is commonly referred to as subject access. Individuals can make a subject access request (SAR) verbally or in writing. People may refer to the Freedom of Information Act (FOIA) when making these requests however the request is made under data protection laws if it is related to the individual's own data. There is no fee for accessing the data but verification of identity will be required. If the request is deemed manifestly unfounded or excessive we may charge a "reasonable fee" for the administrative costs of complying with the request.
The individual should clearly describe the information they are requesting access to. The IMPS Office make a form available to assist with this, however a request can be made by any written or verbal means and does not have to quote the legislation. If you are unsure if you have received a data access request, contact email@example.com in the first instance.
There are exemptions to subject access rights where we can refuse access to data. These include examination scripts, information that would prejudice criminal investigation proceedings, or prejudice negotiations with the individual. IMPS are responsible for assessing whether exemptions apply so you will be required to make all information available to the IMPS office on request.
If you receive a request to access personal data refer this to firstname.lastname@example.org as soon as possible. Do not respond yourself unless on the advice of the IMPS office. Call 0118 378 8981 if you need advice.
More information on making a subject access request can be found here.
Individuals have the right to have inaccurate personal data rectified. An individual may also be able to have incomplete personal data completed - although this will depend on the circumstances.
In some cases you will be able to action a request without referring to IMPS, for example if a student or staff member notices an incorrect spelling or address. However, you must attend to this within 1 month of receiving the request. If you have any reason you cannot rectify the data, or if you have reason to believe the data is not inaccurate, then please refer to email@example.com in the first instance or call us for advice. Please note, there may be circumstances where we have a legitimate need to keep an historical record of data we held, in this case we may need to annotate the record. Data that is out of date is not to be assumed to be inaccurate.
Commonly referred to as the 'right to be forgotten', the GDPR introduces a new right to have personal data erased. The right is not absolute and only applies in certain circumstances, for example, where we cannot evidence a legitimate basis for retaining it, or where the data has not been used lawfully. These requests can be received verbally as well as in writing. The IMPS office will be responsible for responding to these requests.
If you receive a request to erasure it is vitally important that you refer this to firstname.lastname@example.org as soon as possible. Do not respond yourself unless on the advice of the IMPS office. Call 0118 378 8981 if you need advice.
Please note, the University retain the majority information relating to student and staff complaints, disciplinary matters, fitness to practice and appeal files for 6 years from the end of the relationship with the individual for the purposes of exercising or defending legal claims, for the performance of a public task in the public interest, or due to legal obligations.
Individuals have the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way that an organisation uses their data. This is an alternative to requesting the erasure of their data. This may be because they have issues with the content of the information you hold or how you have processed their data or where an inaccuracy is being looked in to.
If you receive a request to restrict it is vitally important that you refer this to email@example.com as soon as possible. Do not respond yourself unless on the advice of the IMPS office. Call 0118 378 8981 if you need advice.
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows people to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. It only applies to data held for the performance of a contract, held on a consensual basis, and held in an automated format. This a new right under the GDPR.
If you receive a request for data portability it is vitally important that you refer this to firstname.lastname@example.org as soon as possible. Do not respond yourself unless on the advice of the IMPS office. Call 0118 378 8981 if you need advice.
Individuals have the absolute right to object to the processing of their personal data if it is for direct marketing purposes. If you receive a request to be removed from a marketing list you must comply with it and ensure their preferences are updated. These do not need to be referred through to the IMPS team and can be dealt with by your team or department.
Individuals can also object to uses of their data for the purposes of performing our public tasks in the public interest (including research), for exercising our official authority, and data we hold on the basis of our legitimate interests. In these circumstances the right to object is not absolute and we can refuse a request providing we can evidence the reasons for doing so.
If you receive a right to object it is vitally important that you refer this to email@example.com as soon as possible. Do not respond yourself unless on the advice of the IMPS office. Call 0118 378 8981 if you need advice.
Individuals have the right to object to any decisions that are made by purely automated means. For example if a computer programme was used to assess someone's eligibility for a course and reject an individual without any human intervention taking place. This is more common within credit scoring industries and not likely to affect practices at the University. The right is for a human to assess that decision independently.
If you receive a right relating to automated decision making it is vitally important that you refer this to firstname.lastname@example.org as soon as possible. Do not respond yourself unless on the advice of the IMPS office. Call 0118 378 8981 if you need advice.