The data protection legislation gives individuals a number of rights in respect of their personal information. These include the right to:
- Be informed about the collection and processing of their persona l data
- Request access to their personal data
- Request correction of the personal data
- Request erasure of their personal data
- Restrict processing of their personal data
- Request data portability, i.e. the transfer of their personal data to them or a third party
- Object to processing of their personal data where the processor is relying on a legitimate interest
- Withdraw consent
- Request not to be subject to a decision based solely on automated processing, including profiling and
- Complain to the Information Commissioner.
There are some specific exclusions to these rights set out in the data protection laws including, for example, in relation to personal data collected for research purposes or by reason of national security and defence, public security, and the prevention, investigation, detection and/or prosecution of crime. Please see below for further information and guidance.
The data protection laws require organisations to provide transparent information to individuals about the collection and processing of their personal data the specific information to be provided is set down in the data protection laws.
The University Group provides information to data subjects in the form of privacy notices and fair processing notices including for example the University Group’s:
- Coventry University Website Privacy Notice
- Coventry University Privacy Notices for staff, students, alumni and others
- Coventry University London Campus Privacy Notices for staff, students, alumni and others
- CU Coventry Privacy Notices for staff, students, alumni and others
- CU London Privacy Notices for staff, students, alumni and others
- CU Scarborough Privacy Notices for staff, students, alumni and others
Access to personal data
Individuals have the right to request access to their personal data. This enables them to receive a copy of the personal data that an organisation holds about them and to check that the organisation is lawfully processing it.
View further information regarding how to make a subject access request.
You can also dowload a copy of the University’s subject access request form.
Correction of personal data
Individuals have the right to request correction of the personal data that an organisation holds about them. This enables them to have any incomplete or inaccurate data held about them corrected.
Erasure of personal data
Individuals can ask an organisation to delete or remove personal data where there is no good reason for continuing to process it. This is also known as the ‘right to be forgotten’.
It may not always be possible to comply with a request for erasure as a result of specific legal reasons. Where this is the case the individual should be notified of this.
Restriction of processing
Individuals can ask an organisation to suspend the processing of their personal data in the following scenarios:
- They want to establish the data's accuracy;
- Where the organisation’s use of the data is unlawful but the individual does not want it to be deleted;
- Where the individual needs the organisation to hold the data, even where it is no longer required by the organisation, to allow them to establish, exercise or defend legal claims; or
- The individual has objected to the use of their data but the organisation needs to verify whether it has overriding legitimate grounds to use it.
Individuals can request the transfer of their personal data to themselves or to a third party.
This right only applies to automated information which the individual initially provided consent for the organisation to use or where the personal data has been used to perform a contract with them.
Individuals can object to processing of their personal data where:
- an organisation is relying on a legitimate interest (or those of a third party); and
- there is something about the individual’s particular situation which makes them want to object to processing on this ground as they feel it impacts on their fundamental rights and freedoms.
Data subjects also have the right to object to processing for direct marketing purposes.
In some cases, we may be able to demonstrate that the University has compelling legitimate grounds to process the personal data which override the data subject’s rights and freedoms.
Withdrawal of consent
An individual can withdraw consent at any time where an organisation is relying on consent to process the personal data. However, this does not affect the lawfulness of any processing carried out before the data subject withdraws their consent.
Automated processing and profiling
Individuals have the right not to be subject to a decision based solely on automated processing, including profiling.
You have the right to complain to the University about the way your personal data is handled. You also have the right to complain to the Information Commissioner’s Office (the Supervisory Authority in the UK).
Further information about filing a complaint, which may be filed online, can be found on the Information Commissioner’s Office website.
This section is intended to assist you in making a Subject Access Request under the GDPR. It is not intended to serve as a comprehensive guide or instruction, and we would recommend that you also visit the Information Commissioner’s Office website which provides further information and guidance on making a Subject Access Request.
Before making a Subject Access Request, you should think about what it is you want to know and whether a formal request is necessary. It may be possible to make an informal request, for example a routine enquiry about whether we have received payment of your tuition fees. If we can answer your request quickly as a routine matter, this will save you the time of going through the formal Subject Access Request process. If it is not possible for us to handle your request informally, for example, if you would like to see a full copy of your student record we will tell you that is the case and you will need to make a formal request.
The Subject Access Request process
1.1 How to make your Subject Access Request
Subject Access Requests can be made verbally or in writing, however, in order for us to be able to identify you and better understand the nature of your request, it would be preferable that you make the request in writing and, in any case, it should include the information below:
- Full name
- Telephone number
- Email address (if you would like us to communicate with you by email)
Identity information, such as a copy of your driving licence, your student ID or employee number and faculty in which you are a student or staff member, which will help us to identify you particularly where we have personal data relating to individuals with the same name
- The specific right that you wish to exercise, including full details of the information that you require and any relevant dates
Information Governance Unit
163 New Union Street
You should always keep a copy of your request for future reference.
We cannot release personal data to anybody other than the data subject unless we have their express consent to do so. Therefore, where a Subject Access Request is made on behalf of the data subject, the request must also include proof that the data subject has consented to the request and to their personal data being provided to that person.
1.2 When will you receive a response to your Subject Access Request?
Following receipt of your request we will have 1 month in which to respond to Subject Access Requests made under the GDPR. We will be able to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case we will inform you within one month of the receipt of the request and explain why the extension is necessary. This timeframe runs from the date when we receive your request and any additional information that we ask you to provide to enable us to identify you. We will write to you to confirm we have received your request and request any information that we require in order to identify you. We may charge a reasonable fee when a request is manifestly unfounded or excessive particularly if it is repetitive.
1.3 How will we respond to your Subject Access Request?
Once we have been able to identify you, we will conduct searches of our records to identify what personal data we hold about you in order to respond to your Subject Access Request within the above timeframe.
Our response will either provide you with the information you have requested, or inform you that we do not hold that information.
Where you have asked us to provide you with a copy of personal information held, we will provide you with a copy sent in the same manner as your request, unless you request otherwise. For example if your original Subject Access Request is made in writing by post, we will respond to you and provide you with a hard copy of the personal data by recorded post unless you ask us to send it to you by email or other means.
1.4 Can Coventry University Group withhold information?
The GDPR allows us to withhold certain information when responding to your Subject Access Request if disclosing the information would adversely affect the rights and freedoms of others. This includes information about other people which may be recorded together with your personal data. We are not permitted to share anybody else’s information without their consent.
1.5 What to do if you are unhappy with our response
If you are unhappy with our response, for example if you believe you have not received all of the information that you requested, please write to us at Information Governance Unit, Coventry University, 1st Floor, Portal House, 163 New Union Street, Coventry, CV1 2PL or you can email email@example.com and set out your concerns in as much detail as possible. For example, if you think that the information sent to you is incomplete, please tell us what it is you were expecting to receive.
If you are not satisfied with the University’s proposed resolution of your complaint you have the right to contact the Information Commissioner’s Office. Further information can be found on the Information Commissioner’s website at www.ico.org.uk or via their helpline on 0303 123 1113.