Right to Be Informed

The first principle of the GDPR requires the University to be fair, lawful and transparent about the personal data we collect, use and generally process about people (Data Subjects).

This requirement to be ‘transparent’ means that we must communicate to data subjects enough relevant information about our processing of their personal data for them to understand exactly what we do with it, to give them more choice about providing it, and, if necessary, to allow them to use this knowledge to challenge or raise concerns about our processing.

What must the University do

The University must provide ‘privacy notices’ to individuals describing the information the University collects about them.

In principle, the information must be provided in writing (e.g. via a privacy notice) and where appropriate by electronic means (for example through our website).

The privacy notice must be made available either when we collect information about them (if collected directly) or at the earliest opportunity (if collected via a third party).

What information must be provided and when?

A privacy notice must contain the following information:

| Information to be provided | Where data is obtained directly from the data subject | Where data is not obtained directly from the data subject |
| --- | --- | --- |
| Identity and contact details of the controller (and, where applicable, the controller’s representative) and the data protection officer. | Yes | Yes |
| Purpose of the processing and the lawful basis for the processing. | Yes | Yes |
| The legitimate interests of the controller or third party, where applicable. | Yes | Yes |
| Categories of personal data. | | Yes |
| Any recipient or categories of recipients of the personal data. | Yes | Yes |
| Details of transfers to third country and safeguards. | Yes | Yes |
| Retention period or criteria used to determine the retention period. | Yes | Yes |
| The existence of each of the data subject’s rights. | Yes | Yes |
| The right to withdraw consent at any time, where relevant. | Yes | Yes |
| The right to lodge a complaint with a supervisory authority. | Yes | Yes |
| The source the personal data originates from and whether it came from publicly accessible sources. | | Yes |
| Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data. | Yes | |
| The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences. | Yes | Yes |

Additional Information

If the University intends to further process personal data for a purpose other than the purposes for which it was initially collected, the University must provide the data subject with information on such purpose(s), together with any other relevant information, before the further processing takes place.

Are there any exemptions to providing notices?

If personal data is collected directly from the data subject, the information obligations do not apply if the data subject already has the information (a privacy notice only has to be provided once).

If personal data is not collected directly from the data subject, the information obligations do not apply if:

a) the data subject already has the information;

b) the provision of information is impossible or requires a disproportionate effort, provided that the controller takes appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including by making the information publicly available;

c) if there is an EU or Member State law obligation to obtain/disclose the personal data and which provides appropriate measures to protect the data subject’s legitimate interests; or

d) if the personal data must remain confidential pursuant to an obligation of professional secrecy regulated by EU or Member State law (e.g. legal or physician-patient privilege).

 

 

How long does the University have to comply?

There are statutory timescales for providing privacy notices to individuals:

Information to be provided when personal data are collected from the data subject

The information should be given to the data subject at the time of collection from the data subject.

Information to be provided when personal data are not collected directly from the data subject

The information must be given to the data subject:

  • within a reasonable period of having obtained the personal data (maximum one month);
  • if the data is to be used to communicate with the data subject, at the latest when the first communication takes place; or
  • if disclosure to another recipient is envisaged, at the latest, before the personal data is disclosed.

What must the University do?

  • The University must identify all personal data processing activities that we conduct and identify the legal basis for processing data for those activities.
  • We must then ensure that appropriate Privacy Notices are in place to inform the relevant data subjects (staff, students, business contacts etc.), as these will be used to fulfil the requirement to inform.
  • This may require new privacy notices to be created for new processing areas or data subjects.
  • The University must review privacy notices on an annual basis (or sooner if required) to ensure that they remain accurate and up to date.

What if the University does not comply?

Failure to provide accurate privacy notices to individuals would mean that the individuals can ask the ICO to undertake a judicial review of our actions:

  • If the ICO finds against the University, this may result in a fine or a requirement to undertake corrective actions.

