Guide to Your Data Rights

The General Data Protection Regulation (GDPR) gives individuals a range of rights in relation to personal data. This guide aims to explain those rights to you and let you know how you can make use of them if North East Scotland College processes your personal data.

Your personal data

This is any information about you that means you can be identified. As a college we gather lots of personal data — about students, staff and members of the public — so we can deliver our services.

When we use (process) personal data we will make sure abide by the GDPR principles (Article 5), which mean we must:

• Have good reason to process your personal data and tell you what we are doing with it
• Only use your personal data for the purposes for which you have given it to us
• Only hold personal data that is adequate, relevant and limited to what we need
• Ensure your personal data is accurate and kept up–to–date
• Personal data that identifies you is only kept for as long as it is needed
• Ensure that your personal data is kept securely and cannot be accidently lost, destroyed or damaged

One of the main aims of GDPR is to empower individuals by giving more control over their personal data and to help you understand if we are meeting the principles of the data protection legislation. To do this, GDPR gives you the following rights:

• The right to be informed
• The right of access
• The right to rectification
• The right to erase
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling

Right to be informed

You have the right to know how the college is processing your personal data, including:

• why we are processing your personal data
• what categories of personal data we are processing
• who we are sharing your personal data with
• how long we will retain your personal data

We publish this information in our privacy notices, which we make available at the time of collecting information from you. They are also in the Data Protection section of our website.

Right of access

You have the right to ask for a copy of the personal data we hold about you, along with information on why and how it is processed. This will help you understand what data is being used for and to verify the lawfulness of that use.

This is generally known as making a ‘subject access request’. A subject access request is free of charge, unless it is excessive or repetitive. If this is the case, we may charge a reasonable fee to cover the costs of providing the information.

We will require verification of your identity before responding to the request, to make sure we have the right person and the right information.

We will provide you with the information you have requested within 1 month, although if the request is complex we may extend the deadline by a further 2 months. If this is the case we will discuss it with you.

There are some exemptions which may apply and might mean not all of the information you request will be available, for example if providing the information would also disclose the personal data of another person. In such circumstances we will redact (withhold) some or all of the information. We will explain our reasons for doing this when we provide the response.

Help and advice on making a subject access request will be available in our Guide to Making a Subject Access Request (coming soon).

Right to rectification

You have the right to have your personal data rectified if it is inaccurate or incomplete.

If we are unable to correct your data and have a legitimate reason for this, we will keep your statement requesting rectification on your record(s). We will also explain our reasons for this to you.

If we have passed your personal data on to any other organisations (in accordance with lawful processing and as described in our privacy notices) we will ask them to update the personal data they hold.

If the personal data held by us is correct we will not make any changes and will advise you of this.

Right to erasure (the right to be forgotten)

You have the right to ask us to delete or remove personal data we process when there is no compelling reason for us to process it. For example:

• where it is no longer necessary for the purpose for which it was originally collected/processed
• when you withdraw consent
• if you object to the processing and there is no overriding legitimate interest for continuing the processing
• the use of the data is unlawful
• the data has to be erased to comply with a legal obligation
• the data is processed in relation to the offer of information society services to a child

This is not an absolute right, which means we can refuse a request for erasure if the processing of personal data is:

• used to exercise the right of freedom of expression and information
• needed to comply with a legal obligation or the performance of a public interest task
• needed for public health purposes in the public interest
• for archiving in the public interest, for scientific or historical research, or for statistical purposes
• needed for making or defending legal claims

When this right is exercised we will stop any further processing, delete all your personal data and advise any other organisations we may have passed your data to (in accordance with lawful processing and as described in our privacy notices) to do the same.

Right to restrict processing

You have the right to ask us to stop processing your personal data if:

• You contest the accuracy of the personal data we are processing
• You believe our processing is unlawful and you would like us to stop (but not have your information deleted)
• We no longer need to process your personal data, but it needs to be kept to make or defend a legal claim

We will retain enough personal data to meet the needs for keeping it and will make sure it is not processed for any of the purposes for which you have asked us to stop.

Right to portability

You have the right to ask for a digital copy of personal data held about you. This allows you to move, copy or transfer your data from one IT system to another in a safe and secure manner.

This right only applies to personal data:

• that you have provided to the college
• that is processed based on your consent or because it is necessary as part of a contract
• that is processed by automated means

We will provide the information requested in a machine-readable format so that it can be reused by any other organisation you choose to pass it to.

Right to object

You have the right to object to our processing of your personal information when the college is processing your personal data:

• In the legitimate interests of the organisation or because we have a public task in the public interest. We must show compelling legitimate grounds to be able to continue to process your data.
• For direct marketing, including profiling.
• For scientific or historical research or for statistical purposes, unless the processing is necessary to carry out a public task in the public interest.

We will stop processing your personal data unless there is a compelling reason that is greater than your individual rights.

Rights relating to automated decision making and profiling

Automated decision making is where a decision is made solely by automated means, without any human intervention e.g. by a computer algorithm. Profiling is the automated process of using personal data to evaluate certain things about an individual.

You have the right to:

• Know whether an organisation is using automated decision making and processing
• Request human intervention and to challenge a decision

NESCol does not currently use any automated processes or profiling activities without human intervention.