Division of General Counsel, Governance and Compliance

Rights of Individuals

One of the aims of the Data Protection legislation is to give individuals (commonly known as ‘data subjects’) better control over how and why their personal data is processed. So the legislation gives data subjects a number of rights in relation to their personal data.

A data subject can exercise their rights by making a request, either verbally or in writing. We must respond to data subject requests within statutory timescales so please contact the Data Protection Officer immediately if you receive a request. Generally, we have one calendar month to respond.

Information about each of the rights is summarised below.

1. Right to be informed

One of the important principles in the legislation is transparency and individuals have the right to be informed about the collection and use of their personal data. This information should be provided at the time that personal data is collected and should, amongst other things, set out the following:

  • What data is being collected
  • How it will be used and why
  • How long the data will be kept
  • If the data will be shared with other parties
  • Whether the data will be transferred overseas

The University also needs to provide information to data subjects about their rights, including their right to complain to the Information Commissioner’s Office (‘ICO’).

The University provides this information to data subjects in its Privacy Notice. We also have a number of specific privacy notices, such as for processing of Alumni and Donor personal data.

Individuals should also be informed about the use of any special category data or criminal offence data. This is set out in our Appropriate Policy Document.

2. Right of access

In addition to understanding why the University is processing personal data, individuals have a right to access that data. This is known as a subject access request.

The University must confirm whether or not we are processing personal data about the individual and, if so, provide access to that data along with certain information about the processing. This enables individuals to check how and why the University is using their personal data, and to receive a copy of the data.

Please remember that an individual is only entitled to their own personal data, and not to information relating to other people although a third party, such as a lawyer, can make a request on an individual’s behalf with their consent.

For more guidance on the right of access and information on how to make a request, please see our guidance on subject access requests.

3. Right to rectification

Individuals have a right to ask the University to rectify any personal data that is inaccurate or not up to date. If the personal data being held is incomplete, individuals have a right to ensure that the data is completed. This is particularly important if the University is using the information to make decisions about the individual.

If we have shared inaccurate data with any third parties we will also need to contact those third parties and provide them with the updated information.

Please note that the right to rectification does not extend to opinions about an individual. For example, opinions about a person might be held in relation to disciplinary matters, or as part of the appraisal process. As long as those opinions are clearly recorded as such they do not fall within the scope of the right to rectification.

4. Right to erasure

In some cases, individuals have the right to have their personal data erased, also known as the ‘right to be forgotten’. The right is intended to allow an individual to have personal data erased when there is no lawful requirement for the University to retain or use it. However, it is not an absolute right and only applies in certain circumstances.

For example, an individual can ask for personal data to be erased where it is no longer necessary for the purpose it was originally provided, or where consent was given which is then withdrawn, or where the data is being used for direct marketing purposes.

The University’s Data Protection and the Right to Erasure Policy details when the right to erasure arises and how the University deals with such requests.

5. Right to restrict processing

Individuals have the right to request the restriction or suppression of their personal data. This means they can ask that the University limits the way that it uses their personal data, but only in certain circumstances.

For example, if personal data is inaccurate or an individual objects to the basis for processing, they can ask that any processing is restricted whilst the data is updated or the matter is considered.

6. Right to data portability

The right to data portability gives individuals more control over their personal data by allowing them to access and reuse their personal data for their own purposes. It enables them to transfer or copy personal data to different IT environments, service providers etc.

This right only relates to personal data that the individual has provided to the controller and which is processed by automated means (i.e. excluding paper files). The right also only applies when the lawful basis for processing is consent or performance of a contract.

When an individual has the right to data portability, we must provide the data in a structured, commonly used and machine-readable format.

7. Right to object

Individuals have a right to object to the processing of their personal data in certain circumstances. Where personal data is used for direct marketing, this is an absolute right and the University is obliged to comply. But in other cases, it depends on our purpose for processing and the lawful basis that the University is relying on.

Where the right arises, the University should cease to process the personal data unless there are compelling legitimate grounds for doing so.

How to make a request?

Individuals, or those acting on their behalf, can make a request relating to data subject rights either in writing or verbally. For ease, though, requests can be made to the Data Protection Officer either by emailing dpo@sussex.ac.uk or by post to Data Protection Officer, University of Sussex, Sussex House, Brighton, BN1 9RH.

If your request is for access to your data, please see our guidance on subject access requests.

If your request is for erasure of your personal data, the University publishes a Right to Erasure Request Form which may assist you in making your request.

If you have any queries about your rights or how to make a request, please contact the Data Protection Officer. Further information about the individual’s rights under the legislation can be found on the ICO’s Your Data Matters webpages.

 

Last updated 1 December 2021