Rights and Access to Personal Information
Data Protection Legislation gives individuals certain rights over the use/processing of their personal data and a general right of access to their personal data. This is called making a Subject Access Request.
For further information about data subject rights please see our guide:
ENU GDPR Rights Guide
and
Data Subject Rights Request Privacy Notice
Please note: We will not respond to any requests from third party SAR platforms (ICO guidance April 2019 refers)
Subject Access Request (SAR): For Personal Information
Please read these SAR Guidance Notes before you make your SAR. A request must be in writing, preferably on this
Subject Access Request form and submitted with a copy/photo of the required identification documentation to:
Information Governance Manager
Governance & Compliance Services
6th Floor Sighthill Campus
Edinburgh
EH11 4BN
or emailed to dataprotection@napier.ac.uk
SAR Procedure
Please note that we will not respond to requests from 3rd party online platforms/apps/websites as advised by the ICO Scotland Office.
Subject Access Request (SAR): For CCTV Images
Please read these Guidance Notes before you make your SAR. A request must be in writing, preferably on this
request form and submitted with the required documentation to:
Head, Campus Services
Room 6.B.24
Sighthill Campus
Edinburgh
EH11 4BN
Request for the personal data of a deceased individual
We would only deal with requests of this type from the deceased individual's next of kin or their legal representative or Executor. If the request is from the deceased individual's next of kin they must provide proof of ID and proof that they are the next of kin. If the request is from the deceased individual's legal representative or Executor they must put their request in writing on headed paper with proof of their identity and a copy of the HMRC form confirming their status. Requests should be sent to:
Information Governance Manager
Governance & Compliance Services
6th Floor Sighthill Campus
Edinburgh
EH11 4BN
Request for rectification of personal data
Under Article 16 Of the GDPR, EU Citizens have the right to have inaccurate personal data rectified by Data Controllers (in this case the University). This also includes the right to have incomplete personal data completed where relevant. Students and Staff Members have the ability to update their own personal data by using the portals provided by the University:
If you are unable to make the updates yourself then please submit the form below to dataprotection@napier.ac.uk
Data Rectification Form
Request for the erasure of personal data ("Right to be Forgotten")
Under Article 17 of the GDPR EU citizens have the right to request the erasure of their personal data. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances. The Information Commissioner’s (ICO) guidance refers: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/
We ask you to complete the form below to enable us to find the relevant information in order to make a decision about erasure.
Erasure Request Form
Students/Graduates/Previous Students:
In relation to processing done by the
University, this right does not apply as student personal data is processed
under GDPR Article 6(1)(e): “processing is necessary for the performance of a
task carried out in the public interest or in the exercise of official
authority vested in the controller”, which is the Statutory Instrument 1993
Number 557 (S.76). GDPR Article 17(3)(b) refers.
If
the course you studied is regulated there will also requirements under other
legislation (e.g. health legislation for student nurses and midwives) for the
University to keep certain records relating to students. We are also required
to keep records to verify qualifications e.g. for crime and fraud purposes.
Therefore,
whilst it is not possible to delete your personal data from the University’s records we can remove you from contact lists .g. the Alumni database, to stop youreceiving communications from the University.
For
more information please see the University’s Privacy Notice/s (appropriate to
yourself) – they detail the purposes, legal bases, etc. for processing.
Employees:
The
University processes your personal data under GDPR Article 6(1)(b): “processing
is necessary for the performance of a contract”, etc. which refers to your employment
contract. There is also no automatic right under the legislation to have your
personal data deleted where this is the legal basis for processing, as the
University is required to keep certain records as evidence of your employment.
Requests
for deletion will be considered on a case by case basis, dependent on the
circumstances, but ‘core’ information is required to be kept permanently,
although there may be other information which can be deleted, if requested.
For
more information please see the University’s Privacy Notice/s (appropriate to
yourself) – they detail the purposes, legal bases, etc. for processing.
Communications:
Please note that where you ask us not to contact
you we are required to keep a record of this to ensure that we adhere to your
wishes and you are not re-added to our databases by another means and contacted again.
Page last updated 02 November 2020