The Data Protection Act 2018 which applies the UK GDPR provide a range of rights to individuals to help them understand how their personal data is used by organisations and provide them with some control over this.
These rights set out in law, apply all to organisations processing personal data in the UK. If you process personal data of EU citizens you must comply with their data protection rights set out in the EU GDPR.
All organisations should have appropriate processes in place to manage requests from individuals exercising their rights. These individuals may be staff, customers or members of the public.
Processes should include:
- Training staff to recognise requests to exercise data protection rights.
- A logging system to ensure records are maintained.
- Acknowledging receipt of requests.
- Investigating the matters.
- Providing responses within one calendar month as required by law.
- Recording the outcomes.
It is important to note that requests can be made verbally or in writing. You must communicate using clear plain language.
So what are these rights?
Right to be informed
Individuals have the right to be told about the collection and use of their personal data. The law sets out what you must tell them and when. Most organisations do this by providing privacy notices online or in hard copy when they collect personal data.
Right of access
This is often called a Data Subject Access Request, or just Subject Access Request (SAR). Individuals are entitled to receive copies of the personal data you are processing about them as well as other information about how it is used, how long it is held, who you may share it with, and whether it leaves the UK.
Right to rectification
If the data held by an organisation about an individual is factually incorrect, the individual can ask them to rectify it.It is important to note that this right only applies to factual information and not professional opinions.
Right to erasure
This right applies when your personal data is being processed based on your consent, under a contract which reached its term, or when based on the legitimate interests of the organisation. Personal data processed to meet a legal obligation, or in the wider public interest under official authority, or where it is essential for the life of the data subject or someone else, cannot be erased.
Right to restrict processing
Sometimes individuals are unhappy about the processing and believe it is unlawful. In those cases they can ask for their personal data to be restricted, and only held securely, until their concerns have been responded to.
Right to data portability
This right enables data subjects to request that organisations transfer their digital data from one IT environment to another. It only applies when the use of your personal data is based on your consent or under contract. Even then it only applies where processing is fully automated, i.e., is electronically processed without human intervention.
Right to object
Individuals can object to their personal data being processed where it is based on their consent, an organisations legitimate interests, or in the wider public interest under official authority.
Individuals have an absolute right to object to direct marketing regardless of the legal basis for processing.
Rights related to automated decision-making, including profiling.
Individuals have the right to object to automated decision-making including profiling. Individuals can ask for the decision to be made by a human being instead. This applies to all processing except where it is necessary to save a life.
For further advice and support on how to comply with information law please go to https://igs.essex.gov.uk/