Individual Rights

Overview

The UK GDPR / Data Protection Act 2018 and EU GDPR (General Data Protection Regulation) put individuals in control of their data.  They enhance existing rights and introduce new ones.  Here is a brief summary of the rights of individuals under the regulations.

The Right to be Informed covers some of the key transparency requirements under GDPR.  It is about providing you with clear and concise information about what we do with your personal data.

Articles 13 and 14 of the GDPR specify what you have the right to be informed about.  Please view our Privacy Notices.

The right of access, more commonly known as subject access, gives you the right to obtain a copy of your personal data as well as other supplementary information.

You have the right to obtain the following:

  • Confirmation that we are processing your personal data;
  • A copy of your personal data; and
  • Other supplementary information - this largely corresponds to the information we have within our Privacy Notices.

You are entitled to your own personal data and not to information relating to other people (unless the information is also about you or someone is acting on your behalf).  Please see the 'If you need help to apply' section.

You have the right to have inaccurate personal data rectified.  You may also be able to have incomplete data completed, although this will depend on the purposes of the processing.  It may involve providing a supplementary statement to the incomplete data.

You have the right to have your personal data erased.  This is also known as 'the right to be forgotten'.  However, this right is not absolute and will only apply in certain circumstances.

You can request that your personal data be erased if:

  • The personal data is no longer necessary for the purpose for which we collected or processed it;
  • You withdraw your consent;
  • You object to the processing of your data and we have no overriding legitimate reason to continue processing it;
  • You object to your personal data being used for direct marketing purposes;
  • We have processed your data unlawfully;
  • We have to comply with a legal obligation;
  • We have processed personal data to offer information society services to a child.

You have the right to restrict the processing of your personal data in certain circumstances.  This means that you can limit the way we use your data and is an alternative to requesting the erasure of your data.

You have the right to restrict the processing where you have a particular reason for wanting the restriction.  This could be because you have issues with the content of the information we hold or how we have processed your data.  In most cases we will not be required to restrict your personal data indefinitely, but we will need to have the restriction in place for a certain period of time.

You can request that we restrict the processing of your personal data in the following circumstances:

  • You contest the accuracy of your personal data and we are verifying the accuracy;
  • The data has been unlawfully processed and you oppose erasure and request restriction instead;
  • We no longer require the personal data but you need us to keep it in order to establish, exercise or defend a legal claim; or
  • You have objected to us processing your data under Article 21(1) and we are considering whether our legitimate grounds override yours.

The right to data portability gives you the right to receive personal data that you have provided to us in a structured, commonly used and machine-readable format.  It also gives you the right to request that this data is transmitted by us (as the data controller) directly to another controller.

The right to data portability only applies when:

  • Our lawful basis for processing the information is consent OR for the performance of a contract; and
  • We are carrying out the processing by automated means (i.e. excluding paper).

Information is only within the scope of the right to data portability if it is your personal data that you have provided to us.

The right to object to the processing of your personal data allows you to ask us to stop processing your data.

The right to object only applies in certain circumstances. Whether it applies depends on the purposes for which we are processing it and our lawful basis for processing.

You have the absolute right to object to the processing of your personal data if it is for direct marketing purposes.  You can also object if the processing is for:

  • A task carried out in the public interest;
  • The exercise of official authority vested in the University;
  • Our legitimate interests (or those of a third party).

In these circumstances the right to object is not absolute.

If we are processing data for scientific or historical research, or statistical purposes, the right to object is more limited.

Automated individual decision-making is a decision made by automated means without any human involvement.

Examples of this include:

  • An online decision to award a loan
  • A recruitment aptitude test which uses pre-programmed algorithms and criteria.

Automated individual decision-making does not have to involve profiling, although it often will do.

Organisations obtain personal information about individuals from a variety of different sources. Internet searches, buying habits, lifestyle and behaviour data gathered from mobile phones, social networks, video surveillance systems and the Internet of Things are examples of the types of data organisations might collect.

Information is analysed to classify people into different groups or sectors, using algorithms and machine-learning. This analysis identifies links between different behaviours and characteristics to create profiles for individuals. 

Based on the traits of others who appear similar, organisations use profiling to:

  • Find something out about individuals’ preferences;
  • Predict their behaviour; and/or
  • Make decisions about them.

This can be very useful for organisations and individuals in many sectors, including healthcare, education, financial services and marketing.

Automated individual decision-making and profiling can lead to quicker and more consistent decisions. But if they are used irresponsibly there are significant risks for individuals. The GDPR provisions are designed to address these risks.

The University does not currently undertake any profiling activities or take automated decisions about you.

In most cases we will not charge a fee.

However, where the request is manifestly unfounded or excessive we may charge a “reasonable fee” for the administrative costs of complying with the request.

We can also charge a reasonable fee if you request further copies of your data following a request; this fee will be based on the administrative costs of providing further copies.

A request does not have to include the phrase 'subject access request' or refer to Article 15 of the GDPR, as long as it is clear that you are asking for your own personal data.

You can make a request either verbally or in writing; we recommend that you email gdpr@derby.ac.uk.  Please give a full and clear description of the nature of your request, as this will help us to handle it effectively.

You will be required to provide valid ID (birth certificate, driving licence or passport).

Please provide sufficient details in order for us to locate your personal information.

You can appoint someone to act as an agent to make the request on your behalf. Proof of your consent along with your valid ID will need to be given.

We will acknowledge your application and we may contact you in order to clarify the information that you have requested.

We are legally obliged to provide you with the information you are entitled to under GDPR within one month of receipt. The time starts on the date of receipt or upon receipt of:

  • Any requested information to clarify the request;
  • Any information requested to confirm the requester's identity.

So to be clear: 

  • If a request is received on 5th May then the time limit will start on 5th May. This will give us until 5th June to comply.
  • If this is not possible because the following month is shorter (and there is no corresponding date), then release will be the last day of the following month. For example, if a request is received on 31st May the time limit will start on 31st May. There is no corresponding date in June, so we will have until 30th June to comply.
  • If the corresponding date falls on a weekend or bank holiday then we will have until the next working day to comply.
  • The time will start once we receive a complete request (this includes receiving valid ID or any clarification we may have requested).

If you are unsatisfied with the way in which we process your personal data, we ask that you let us know so that we can try and put things right.  You can complain to the University here.  If we are not able to resolve issues to your satisfaction, you can refer the matter to the Information Commissioner's Office (ICO).  The ICO can be contacted at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113

Need advice?

You can contact us at gdpr@derby.ac.uk

Alternatively for detailed guidance please visit the ICO's website.