Privacy Notices
Privacy Notices inform data subjects about how the University processes their personal data.
Privacy Notices for the following categories of data subjects have been published:
- Alumni and Supporters
- Customers of Retail Office
- Day Nursery
- Employees
- Individuals captured by CCTV
- Job Applicants/Potential Applicant
- Researchers
- Student Applicants/Potential Applicants
- Students
- Suppliers
- Visitors
- Durham University Assessment Centre Clients
- University Secretary's Office: Council & Sub-Committee Members
- General Privacy Notice
- Privacy Notice for Data in the National Pupil Database
- Privacy Notice for Library and Collections
Individual rights regarding personal data
Informed
Individuals have the right to be made aware of how their personal data is being used.
Timescale: This should be documented and communicated in a Privacy Notice available at the point of data collection.
Access
Individuals have the right to access their personal data so that they are aware of and can verify the lawfulness of the data processing, as well as correcting any inaccuracies in that data. There are some circumstances under which the University will consider a request for access to personal data on behalf of another individual, or a request for access to personal data of another individual without their consent. For more information please refer to the Subject Access Request page.
Timescale: Respond without undue delay and information provided within one calendar month. This may be extended by a further two months where necessary, considering the complexity of the request.
Rectification
Individuals have the right to have personal data rectified where it is inaccurate or incomplete which could include but is not limited to:
- Having incomplete personal data completed, including by means of providing a supplementary statement
- Having incorrect information rectified.
Timescale: Respond without undue delay and no later than one calendar month. This may be extended by a further two months where necessary, considering the complexity of the request.
Erasure
Individuals have the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing. This is often called the 'right to be forgotten'. This right is not absolute and only applies in specific circumstances:
- The reason for processing has ceased
- Consent has been withdrawn (if consent was the basis for processing)
- The data subject has objected to processing and there is no legal basis for continuing
- The data has been unlawfully processed.
Timescale: Respond without undue delay and no later than one calendar month. This may be extended by a further two months where necessary, considering the complexity of the request.
Restriction
Individuals have the right to ask us to temporarily stop processing their personal data in certain circumstances whilst such processing is reviewed:
- The individual contests the accuray of the personal data
- The processing is unlawful (and the subject has not requested deletion)
- The controller no longer needs the data but there is a requirement to keep it for statutory or legal reasons
- The data subject has objected.
Timescale: Respond without undue delay and no later than one calendar month. This may be extended by a further two months where necessary, considering the complexity of the request.
Data portability
Individuals have the right to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. Note that this only applies:
To personal data an individual has provided to a controller,
Where the processing is based on the individual’s consent or for the performance of a contract, and
When processing is carried out by automated means.
Timescale: Respond without undue delay and information provided within one calendar month. This may be extended by a further two months where necessary, considering the complexity of the request.
Object
Individuals have the right to object to:
Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling)
Direct marketing (including profiling)
Processing for purposes of scientific/historical research and statistics.
Timescale: Respond without undue delay and no later than one calendar month. This may be extended by a further two months where necessary, considering the complexity of the request.
Automated decisions / profiling
Individuals have the right not to be subject to a decision made solely by automated means and to profiling (automated processing of personal data to evaluate certain things about an individual).
Timescale: Respond without undue delay and no later than one calendar month. This may be extended by a further two months where necessary, considering the complexity of the request.
Individuals have a number of rights granted under data protection legislation, as described above.
If you would like to exercise your rights, you should refer to the relevant Privacy Notice, which will explain to you how to do so. Direct communications from the University may also provide additional details and opportunities to exercise your rights, such as unsubscribe features within emails which support the right to object.
If you would like to make a request in relation to one of the above Individual Rights, you should then complete the Individual Rights Application form.