Under current data protection laws individuals have a range of rights in relation to personal data.
Guide to your rights
The General Data Protection Regulation (UK GDPR) gives individuals certain rights in relation to personal data. This guide explains these rights to you and lets you know how you can make use of them if Dumfries & Galloway College (the College) processes your personal data.
When we use (process) personal data we will abide by the Data Protection Principles under UK GDPR, which means we must:
- Have a good reason to process your personal data and tell you what we are doing with it.
- Only use your personal data for the purposes for which you have given it to us.
- Only hold personal data that is adequate, relevant, and limited to what we need.
- Ensure your personal data is accurate and kept up to date.
- Only keep personal data that identifies you for as long as it is needed.
- Ensure that your personal data is kept securely and take reasonable steps to ensure that it can’t be accidentally lost, destroyed or damaged.
- Be able to show that we have complied with the six principles above.
You have the right to know how the College is processing your personal data, including:
- Why we are processing your personal data.
- What categories of personal data we are processing.
- Who we are sharing your personal data with.
- How long we will retain your personal data.
We publish this information in our privacy notices, which we make available at the time of collecting information from you. They are also published on the Data Protection section of our website under Privacy Notices.
You have the right to ask for a copy of the personal data we hold about you, along with information on why and how it is processed. This will help you understand what your data is being used for and to verify the lawfulness of that use.
This is generally known as making a ‘Subject Access Request’ (SAR). A subject access request is free of charge, unless it is excessive or repetitive. If this is the case, we may charge a reasonable fee to cover the costs of providing the information or we may refuse to provide the information.
We will require confirmation of your identity before responding to the request, to make sure we have the right person and the right information.
We will provide you with the information you have requested within one month, although if the request is complex, we may extend the deadline by a further two months. If this is the case, we will discuss it with you.
There are some exemptions which may apply. This may mean not all the information you request will be available, for example if providing the information would also disclose the personal data of another person. In such circumstances we will redact (withhold) some or all of the information. We will explain our reasons for doing this when we provide the response.
You have the right to have your personal data rectified (corrected) if it is inaccurate or incomplete.
If we are unable to correct your data and have a legitimate reason for this, we will keep your statement requesting rectification on your record(s). We will also explain our reasons for this to you.
If we have passed your personal data on to any other organisations (in accordance with lawful processing and as described in our privacy notices) we will ask them to update the personal data they hold.
If the personal data held by us is correct, we will not make any changes and will advise you of this.
You have the right to ask us to delete or remove personal data we process when there is no compelling reason for us to process it. For example:
- Where it is no longer necessary for the purpose for which it was originally collected/processed
- When you withdraw consent
- If you object to the processing and there is no overriding legitimate interest for continuing the processing
- Our use of the data is unlawful
- The data must be erased to comply with a legal obligation
- The data is processed in relation to the offer of information society services to a child.
The right to be forgotten is not an absolute right, which means we can refuse a request for erasure if the processing of personal data is:
- used to exercise the right of freedom of expression and information
- needed to comply with a legal obligation or the performance of a public interest task
- needed for public health purposes in the public interest
- used for archiving in the public interest, for scientific or historical research, or for statistical purposes
- needed for making or defending legal claims.
When this right is exercised, we will stop any further processing, delete all your personal data and advise any other organisations we may have passed your data to (in accordance with lawful processing and as described in our privacy notices) to do the same.
You have the right to ask us to stop processing your personal data if:
- you contest the accuracy of the personal data we are processing
- you believe our processing is unlawful and you would like us to stop (but not have your information deleted)
- we no longer need to process your personal data, but it needs to be kept to make or defend a legal claim.
When this right is exercised, we will retain enough personal data to meet the purpose for keeping it. We will also make sure it is not processed for any of the purposes for which you have asked us to stop.
You have the right to ask for a digital copy of personal data held about you. This allows you to move, copy or transfer your data from one IT system to another in a safe and secure manner.
This right only applies to personal data:
- that you have provided to the College.
- that is processed based on your consent or because it is necessary as part of a contract.
- that is processed by automated means.
We will provide the information requested in a machine-readable format so that it can be reused by any other organisation you choose to pass it to.
You have the right to object to our processing of your personal information in limited circumstances. For example, when the College is processing your personal data:
- In the legitimate interests of the organisation or because we are carrying out a public task in the public interest. We must show compelling legitimate grounds to be able to continue to process your data.
- For direct marketing, including profiling.
- For scientific or historical research or for statistical purposes, unless the processing is necessary to carry out a public task in the public interest.
Where you exercise this right, we will stop processing your personal data unless there is a compelling reason that is greater than your individual rights.
Automated decision making is where a decision is made solely by automated means, without any human intervention, e.g. by a computer algorithm. Profiling is the automated process of using personal data to evaluate certain things about an individual. You have the right to:
- Know whether an organisation is using automated decision making and profiling.
- Request human intervention and to challenge a decision.
If you would like to exercise any of these rights, ask for more information about your rights or raise any concerns about how we handle your personal information, please use the Data Subject Rights form below, or contact us at DPO@dumgal.ac.uk or by calling 01387 734000.
You also have the right to complain to the Information Commissioner’s Office (ICO). This is the independent regulatory office in charge of upholding information rights in the interest of the public in the UK.