Right to Be Informed

The first principles of the GDPR requires that the University must be fair, lawful and transparent about the personal data we collect, use and generally process about people (Data Subjects).

This requirement to be ’transparent’ means that we are required to communicate to data subjects enough relevant information about our processing of their personal data for them to understand exactly what we do with it, provide them with more choice about providing it, and if necessary, allow them to use this knowledge to challenge or raise concerns about our processing.

What must the University do

The University must provide ‘privacy notices’ to individuals describing the information the University collects about them.

In principle, the information must be provided in writing (e.g. via a privacy notice) and where appropriate by electronic means (for example through our website).

The privacy notice must be made available either when we collect information about them (if collected directly) or at the earliest opportunity (if collected via a third party).

What information must be provided and when?

A privacy notice must contain the following information:

	Where Data is obtained directly from data subject	Where data is not obtained directly from data subject
Identity and contact details of the controller and where applicable, the controller’s representative) and the data protection officer.	Yes	Yes
Purpose of the processing and the lawful basis for the processing.	Yes	Yes
The legitimate interests of the controller or third party, where applicable.	Yes	Yes
Categories of personal data.		Yes
Any recipient or categories of recipients of the personal data.	Yes	Yes
Details of transfers to third country and safeguards.	Yes	Yes
Retention period or criteria used to determine the retention period.	Yes	Yes
The existence of each of data subject’s rights.	Yes	Yes
The right to withdraw consent at any time, where relevant.	Yes	Yes
The right to lodge a complaint with a supervisory authority.	Yes	Yes
The source the personal data originates from and whether it came from publicly accessible sources.		Yes
Whether the provision of personal data part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data.	Yes
The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences.	Yes	Yes

Additional Information

If the University envisages to further process personal data for a purpose other than the purposes for which it is initially collected, the University must provide the data subject information on such purpose(s) together with any other relevant information, prior to the further processing takes place.

Are there any exemptions to providing notices?

If personal data is collected directly from the data subject, the information obligations do not apply if the data subject already has the information – privacy notice only has to be provided once).

If personal data is not collected directly from the data subject, the information obligations do not apply if:

a) the data subject already has the information;

b) the provision of information is impossible or requires a disproportionate effort, provided that the controller takes appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including by making the information publicly available;

c) if there is an EU or Member State law obligation to obtain/disclose the personal data and which provides appropriate measure to protect the data subject’s legitimate interests; or

d) if the personal data must remain confidential pursuant to an obligation of professional secrecy regulated by EU or Member State law (e.g. legal or physician-patient privilege).

How long does the University have to comply?

There are statutory timescales for providing privacy notices to individuals:

Information to be provided when personal data are collected from the data subject

The information should be given to the data subject at the time of collection from the data subject.

Information to be provided when personal data are not collected directly from the data subject

The information must be given to the data subject:

within a reasonable period of having obtained the personal data (maximum one month);

if the data is to be used to communicate with the data subject, at the latest when the first communication takes place; or

if disclosure to another recipient is envisaged, at the latest, before the personal data is disclosed.

What must the University do?

The University must identify all personal data processing activates that we conduct and identify the legal basis for processing data for those activities.

We must then ensure that appropriate Privacy Notices are in place to inform the relevant data subjects (Staff. Students, business contacts etc) as these will be used fulfil the requirement to inform.

This may require new privacy notices to be created for new processing areas or data subjects

The University must review on an annual basis (or sooner if required) to ensure that privacy notices remain accurate and up to date.

Are there any exemptions to providing notices?

If personal data is not collected directly from the data subject, the information obligations do not apply if:

a) the data subject already has the information;

c) if there is an EU or Member State law obligation to obtain/disclose the personal data and which provides appropriate measure to protect the data subject’s legitimate interests; or

d) if the personal data must remain confidential pursuant to an obligation of professional secrecy regulated by EU or Member State law (e.g. legal or physician-patient privilege).

What if the University does not comply?

Failure to provide accurate privacy notices to individuals would mean that the individuals can request the ICO to undertake the judicial review of our actions: