Your Information – Your Rights

Introduction

As an organisation we may use (“process”) your information (“personal data”) for all sorts of different reasons, for example, to establish your contract with us, or to be able to contact you about your membership.

By “process” we mean everything we do with your personal data from collection to deletion, for example, storing it, organising it, using it and sharing it with others.

By “personal data” we mean both personal data and special categories of personal data. Personal data may include things like your name, address, an identification number or an online identifier.  Special categories of personal data are data revealing your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, details of your health, sex life or sexual orientation, your genetic data and any biometric data that identifies you.

Whenever we process your personal data we must do so lawfully, fairly and in a transparent manner to comply with the General Data Protection Regulations (GDPR) and Data Protection Act 2018.  This guide informs you of your rights under the GDPR.

Full details of your rights are contained in Chapter III of the GDPR. The Information Commissioner’s website also provides further information.

If you would like to exercise any of your rights, have any questions or would like a copy of this information in a different format, for example, presented by icons, in large type, Braille or on audio CD please contact the Academy’s Data Protection Officer:

Data Protection Officer
Legal and Democratic Services
1st Floor
Civic Centre
Regent Street
Gateshead
NE8 1HH
DPO@gateshead.gov.uk
(0191) 433 2192

Right to be informed (what we must tell you)

When we collect personal data from you… at the time we collect it we will provide you with our contact details (or those of our representative). We will also provide you with the contact details of our Data Protection Officer. We will tell you what we will do with your personal data, including sharing it with third parties and the legal basis for the processing.

We do this by way of a privacy notice. In the unlikely event we need to transfer your personal data to a country that is not covered by the GDPR, we will let you know whether or not the European Commission has made a decision regarding the adequacy of that country’s data protection practices. In the unlikely event we need to transfer your personal data to an international organisation we will provide you with details of the safeguards that have been put in place to keep your personal data secure.

We will also tell you how long we will keep your personal data and what your rights are in relation to that data. These may include the right to have any errors in your personal data corrected, the right to have your personal data erased, the right to stop us processing your personal data and the right to object to us processing your personal data. Please note not all of these rights apply in all situations. We will provide you with specific information on which rights apply at the point we collect your personal data.

Where we have asked for your consent to process your personal data we will also provide you with information on your right to withdraw consent at any time. We will tell you if providing your personal data is a statutory or contractual requirement and where you are obliged to provide your personal data. We will also tell you of the consequences of you not providing the data.

We will inform you of any automated decision making, including profiling and what the consequences of that decision might be. We will also provide you with the contact details of a person who you can contact for an explanation of the decision. You will be able to inform that person of your point of view and ask them to revisit the decision in light of what you have told them.

If we would like to process your personal data for a reason other than that for which we collected it we will contact you before doing so. We will also provide you with any further information necessary to ensure the way we process your personal data is fair and transparent and inform you of your right to make a complaint to the Information Commissioner’s Office (ICO).

We will usually provide this information in writing. This is known as a privacy notice. We may provide this information in combination with standardised icons in order to give a clear visual overview of the intended processing. In cases where you have already received this information we may not provide it to you.

When we have received your personal data from someone other than you… in addition to the above information, we will let you know the categories of personal data, for example, whether we have received your name, an identification number, location data, an online identifier or information about your physical, physiological, genetic, mental, economic, cultural or social identity. We will also tell you who provided us with the information, including whether it came from a publicly accessible source.

We will provide this information to you in a reasonable period depending on the circumstances of the case and in all cases at the latest within one month of the date we received your personal data. If we intend to use your personal data to contact you we will provide this information at the point of first contact, at the latest. If we intend to disclose the information to a third party we will provide this information at the point we first disclose your personal data, at the latest.

There may be some circumstances in which we would not provide you with this information i.e. where providing this information proves impossible or would involve disproportionate effort, where obtaining or disclosing your information is laid down in law or where the personal data must remain confidential subject to an obligation of professional secrecy regulated by law, including a statutory obligation of secrecy.

Wherever we received your personal data from, the GDPR allows us to use it for archiving in the public interest, for scientific or historical research or for statistical purposes. You do, however, have the right to object to such processing. If we do use your personal data for any of these reasons we must keep it safe in accordance with the GDPR.

Right of access (to a copy of your personal data)

You can request a copy of your personal data by writing to [insert school contact who handles requests for information]

The purpose of being able to access your personal data is so you can be aware of and verify the lawfulness of the processing.

On making a request we will need to confirm your identity and whether or not we hold your personal data. Where we do hold your personal data we will usually provide you with a copy. Where we hold a lot of information about you we may ask you to specify what information you would like us to provide. In addition to providing you with a copy of your personal data we will provide the following information:

  1. The purposes of the processing;
  2. The categories of personal data;
  3. Who we have or will disclose your personal data to, in particular recipients in countries not covered by the GDPR or international organisations;
  4. How long we will store your personal data for;
  5. Whether you have the right to request your personal data be corrected if it is inaccurate;
  6. Whether you have the right to request your personal data be erased;
  7. Whether you have the right to request that we stop processing your data or to object to us processing your personal data;
  8. Your right to make a complaint to the ICO;
  9. Where we received your personal data from, if we did not receive it from you;
  10. The existence of automated decision-making, including profiling, along with some meaningful information about the logic involved and the significance and possible consequences of such processing;
  11. In the unlikely event we have transferred your personal data to a country that is not covered by the GDPR, we will let you know whether or not the European Commission has made a decision regarding the adequacy of that country’s data protection practices. Where the European Commission has not made a decision regarding the adequacy of that country’s data protection practices we will provide you with details of the safeguards that have been put in place to keep your personal data secure; and
  12. In the unlikely event we have transferred your personal data to an international organisation we will provide you with details of the safeguards that have been put in place to keep your personal data secure.

We may not be able to provide you with a copy of your personal data where doing so would adversely affect the rights and freedoms of others. For further information see our Subject Access Request Procedure.

Right to rectification

If we hold inaccurate personal data about you, you have the right to have it corrected. Taking into account the reason we are processing your personal data, you have the right to have incomplete personal data completed. This may include, for example, you providing a supplementary statement.

Where we have corrected your personal data we will notify any third parties we have disclosed the inaccurate data to unless it would be impossible or involve disproportionate effort. We will let you know who those third parties are on request.

N.B. We do not have to change data just because you disagree with it, if that was the opinion of a professional at the time. But we are required to add a file note saying what you dispute.

Right to erasure (‘right to be forgotten’)

There are certain circumstances in which you have a right to have your personal data erased and certain circumstances in which you do not.

This right applies where:

  1. It is no longer necessary for us to hold your personal data for the purposes we collected it;
  2. Where our processing of your personal data was solely based on your consent and you have withdrawn that consent;
  3. Where you object to the processing and there are no overriding legitimate grounds for the processing;
  4. Where you object to the processing of your data for direct marketing purposes;
  5. We have processed your personal data unlawfully;
  6. We have to erase your personal data to comply with a legal obligation; or
  7. We have collected a child’s personal data in relation to the offer of information society (online) services.

Where we have disclosed the personal data to third parties we will inform them unless it would be impossible or involve disproportionate effort. We will let you know who those third parties are on request.

This right does not apply where we need to process your personal data:

  1. To comply with a legal obligation;
  2. For the performance of a task in the public interest or in the exercise of official authority;
  3. For public health reasons in the public interest;
  4. For archiving purposes in the public interest, scientific or historical research or statistical purposes, where erasing the data would make it impossible or seriously affect our ability to achieve the aims of the processing; or
  5. To take legal action or defend legal claims.

Right to restriction of processing

In certain circumstances you have the right to stop us from further processing your personal data. This right applies where:

  1. You challenge the accuracy of the personal data. In such cases we will stop processing your personal data until we have confirmed it is accurate;
  2. Our processing is unlawful and you choose to restrict processing rather than have us erase your personal data;
  3. Where we no longer need the data and intend to delete it but you ask us to keep it for the establishment, exercise or defence of a legal claim; or
  4. Where you have objected to the processing of your data and are awaiting a decision on whether the legitimate grounds we have claimed for the processing override yours.

Where we have disclosed the personal data to third parties we will inform them unless it would be impossible or involve disproportionate effort. We will let you know who those third parties are on request.

With the exception of storing your personal data, if we have agreed to restrict processing we will only process the data with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another person or for reasons of important public interest or UK law.

We will inform you before the restriction of the processing is lifted.

Right to data portability

The right to data portability enables you to get a copy of your personal data in a commonly used machine-readable format for your own use, for example, to transfer to another service provider or organisation. Where technically possible you have the right to have the data transferred directly to another service provider or organisation.

This right applies in cases where you have provided the personal data, the processing is based on your consent and carried out by automated means.

Right to object

You have the right to object to the processing of your data in relation to a task we are undertaking in the public interest or in the exercise of official authority. Where you do object we will stop processing your data unless we are able to demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or we need to process the information to establish, exercise or defend a legal claim.

You have the right to object to the processing of your personal data for direct marketing, including profiling relating to direct marketing. Where you object to processing on this basis we will stop processing your personal data immediately.

You also have the right to object to the use of your personal data for scientific or historical research or statistical purposes on grounds relating to your particular situation, unless the processing is necessary for the performance of a task undertaken in the public interest.

Right not to be subject to automated decision making

This right provides a safeguard against a potentially damaging automated decision, including profiling, being made about you without human intervention, in cases where the decision produces a legal or similarly significant effect. We will notify you of any automated decision making of this nature. We will also provide you with the contact details of a person who you can contact for an explanation of the decision. You will be able to inform that person of your point of view and ask them to revisit the decision in light of what you have told them.

This right does not apply if the decision is necessary for entering into or the performance of a contract, is authorised by law or you have consented to the decision being made by automated means.

How we will respond to your request to exercise your rights

Where you make a request to exercise one of your rights detailed above we will need to confirm your identity and whether or not we hold your personal data. Where we do hold your personal data we will respond to your request without undue delay and in any event within one month of your request. We may need to extend the time period by a further two months depending on the complexity and number of requests. If we do need to extend the timescale we will inform you within one month of receiving your request and let you know the reason for the delay.

This service is free of charge. However, where we consider your request to be manifestly unfounded or excessive, in particular where it is a repeat request, we may charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested. We may also refuse to act upon your request.

Notifying you of a data protection breach

In the event we breach your data protection and that breach is likely to result in a high risk to your rights and freedoms we will notify you of the breach without undue delay. We will explain to you clearly and in plain language the nature of the breach and provide you with the contact details of our Data Protection Officer or other point of contact from whom you can obtain further information. We will explain the likely consequences of the breach and what we have done to address the breach and reduce the possible impact on you. We may also suggest things you may want to do to reduce the potential impact on you.

Where we have implemented technical or organisational measures, for example, used encryption software that would prevent the information being read, or taken action to ensure the potential high risk to you is unlikely to materialise, we may not inform you of the breach.

Where contacting you directly would involve disproportionate effort, for example, in cases where lots of people are affected, we may issue a public communication or similar measure to ensure you are informed in an equally effective manner.

While that is the case you do have the right to make further requests for your personal data following a reasonable passage of time to exercise your right to be aware of, and verify, the lawfulness of our processing.

If we fail to act upon your request we will inform you within one month of the reasons why we did not take action and advise you of your right to make a complaint to the ICO or seek a judicial remedy.
