Your Rights

Personal data includes information that is about someone or relates to someone - known under data protection legislation as a “data subject”.

You are the data subject, for example, when the University holds your name on its computer system.

Your name could be together with your address, date of birth and details of any services provided.

Each of these items of information will be personal data you are the data subject as you are the individual to whom it relates. It also includes your opinions or opinions of you by others.

As the Data Subject of personal data, you have fundamental rights under data protection legislation (GDPR and the Data Protection Act 2018).

This section provides you with further information regarding what your rights are, as well as clear instructions regarding how you can use these rights.


The University has a duty of transparency.

Transparency means we tell you about how we use your personal data when it is collected. This includes when it is collected directly from you by the University or by a third party organisation. The University provides you with clear and easily accessible Information regarding how the University is going to process your data. We tell you about the purposes of the processing as well as the legal basis for using your data.

The University tells you if there is a change to the conditions underpinning any of the statements included in all our Privacy Notice.

If you want to access the University’s Privacy Notices, please click the following link:

You can find further information regarding how the University processes your data, accessing one of our Data Protection documents available on the University Data Protection main page.

You have the right to access the personal information we hold about you.

The right of access to the personal data is called a Subject Access Request.

When you make a Subject Access Request, the University confirms whether or not we process data about you and provides you with a copy of your personal data and information about the processing.

However this right is not universal because it is subject to certain exemptions.


There are various exemptions which specify the circumstances in which we can refuse to provide access to your personal data.

The most likely situations in which we could refuse a subject access request are where a student requested access to an examination script, other than examiners' comments. Another exemption is where request data contained in a confidential reference provided by the University.

You could be refused access if releasing the data would jeopardise the prevention or detection of crime, or the apprehension or prosecution of offenders.

From May 2018, the GDPR also gives you the right to “data portability”. This right allows you to obtain and reuse your personal data for your own purposes across different services.

According to the ICO website, you are allowed “to move, copy or transfer your personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.”

The right to data portability is intended to improve competition among businesses. One of the applications of the data portability right is to give you the right to ask your usage data from your current energy provider in a machine readable format and give this to another provider so you can have a comparison of costs.

If you discover the University has details about you that are not factually correct, you can ask us to change or, in some cases, remove these details.

You have also the right to ask the University to complete your data if you think that there is something missing.

In certain circumstances Teh University may refuse a request for rectification.

If you challenge how the University processes your data, we can restrict the processing of your data for a limited period until we verify the accuracy of the personal data.

This is not an absolute right and only applies in certain circumstances.

If you feel that the University does not have a valid reason for holding or processing your personal details, or you have withdrawn consent previously given, or you think that we have taken your details in an unfair way, you can ask us to remove these details.

You have the right to have your personal data erased if:

  • the personal data is no longer necessary for the purpose which the University originally collected or processed it for;
  • the University is relying on consent as the lawful basis for holding the data, and the individual withdraws their consent;
  • the University is relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
  • the University is processing the personal data for direct marketing purposes and the individual objects to that processing;
  • the University has processed the personal data unlawfully;
  • the University must delete the data to comply with a legal obligation; or
  • the University has processed the personal data to offer information society services to a child.


If this is the case, please write to the University, explaining your concerns or outlining which details are incorrect.

If we asked for your consent to process the data, you do not need to give us any reasons.


You have the right to object if the University intends to use your details for the performance of a legal task or the University’s legitimate interests, including any profiling based on the previous legal grounds.

You can write to the University, explaining your concerns or outlining which details are incorrect. The University will evaluate your particular situation, including any unnecessary damage or distress, and will stop the use of your personal details unless a specific exemption applies.

You can also object if the processing is intended for direct marketing purposes.

In this case, the University must stop processing your personal data for direct marketing purposes as soon as we receive your objection. 

Generally, important decisions about you based on your personal details should have a human input and must not be automatically generated by a computer, unless you agree to this. For example, such important decisions may be about your marking or performance assessment.

You have the right to object from automated decision making and request human input. The University should inform you about what data processing involves automated decision making.

If you have a concern about the way the University is handling your information you should write to the Data Protection Officer saying that you are concerned that you have not handled my personal information properly.

You can contact the Data Protection Office sending an email to You ca find further details on the University Data Protection main page.

The University takes any concern seriously and will work with you to try to resolve it.

If you are still unhappy with the result, because the University has been unable, or unwilling, to resolve your information rights concern, you can raise the matter with the Information Commissioner’s Office.

To make a complaint, write or email the Information Commissioner’s Office explaining your case. 

To contact the ICO:

Due to the Coronavirus outbreak, the ICO's offices will be closed for the foreseeable future.

They are therefore unable to receive correspondence via post. 

In order to contact the ICO, please refer to the link to their contact page.

You will find further information regarding your right to raise a complaint with the ICO here:

Under data protection law, you are entitled to take your case to court to:

  • enforce your rights under data protection law if you believe they have been breached
  • claim compensation for any damage caused by any organisation if they have broken data protection law, including any distress you may have suffered, or
  • a combination of the two.

If you want to read further information regarding this right please visit the ICO webpage:


The University, as Data Controller, should facilitate the exercise of your rights as a data subject.

All Data Protection requests are free of charge.

  • You can make a request orally or in writing. You are not obliged to make a request using a particular format. However, we will need to undertake to check your identify. This is so that we do not release information to someone pretending to be you.
  • You do not have to make your request in hard copy. You can also make a valid request using electronic means, like by email. The University will try to reply to your request using the same mean unless otherwise requested by you.
  • You could also use social media, for example via the University’s Facebook or Twitter account, although it may be impractical for the University to supply information to you using the same method.

However, to ensure the University promptly satisfies your request, we recommend you to read the following guidance:

1)      Please read carefully the guidance regarding Your Rights available on this page, particularly regarding the right you would like to exercise. This will give you a clear understanding of the right as well as provide you with an idea of what you should expect from the University

2)      Think about your request and the related personal data. It will save time if in your request you find out what personal data is the focus of your request and state it clearly, if you identify the right department and the right person the University should contact to fulfil your request. Please also ensure you that the details are easy to understand.

3)      Communicate to the University your request using an official channel. In order to facilitate the exercise of your rights, the University would recommend you to communicate your request in the following manners:

a)      Fill our online form. This will be sent automatically to a safe email account checked regularly

b)      You can also fill the word document and send it to the email addresses included in the form

c)      Send a letter or email to the University addressing it to the Data Protection Officer or the Information Governance Manager. You ca find further details on the University Data Protection main page.

You should receive information within 1 month from your request unless the request is particularly complex. In that case, the University has up to other additional 2 months to reply. 

You can resubmit your request to the University more than once.

However, if the University thinks that your repeated request is ‘manifestly unfounded or excessive’, we may be able to refuse access or charge an administrative fee.

If you are thinking of resubmitting a request, you should think about whether

  • it is likely that your data has changed since your last request
  • enough time has passed for it to be reasonable to request an update on how your data is being used, or
  • the University has changed its activities or processes recently



Connect with us

Last edited: 28/09/2020 13:13:00