Page Index:
Data Subject Rights and Access to Personal Information
Subject Access Request (SAR): For Personal Information
Subject Access Request (SAR): For CCTV Images
Request for rectification of personal data
Request for the erasure of personal data ("Right to be Forgotten")
Right to make a Data Protection Complaint
Rights for Research Participants
Information for Parents, Family Members and Other Enquirers
Request for the personal data of a deceased individual
Data Subject Rights and Access to Personal Information
Data Protection Legislation gives individuals certain rights over the use/processing of their personal data and a general right of access to their personal data, known as a Subject Access Request. Rights are conditional depending on the legal basis used for collecting and processing your personal data.
Please note: We will not respond to any requests from third party SAR platforms (ICO guidance April 2019 refers).
Subject Access Request (SAR): For Personal Information
Please read Edinburgh Napier's Guidance Notes before you make your SAR. A request must be in writing, preferably on a Subject Access Request Form and submitted with a copy/photo of the required identification documentation to:
Information Governance team
dataprotection@napier.ac.uk
We mainly work remotely and therefore there can be delays in post reaching us, so whilst we prefer to receive your request by email, you can also send it in writing to the address below. If you do so, please email us to advise that you have done so.
Information Governance Manager
Governance & Compliance Services
Edinburgh
EH11 4BN
SAR Procedure
Please note that we will not respond to requests from 3rd party online platforms/apps/websites as advised by the ICO Scotland Office.
Subject Access Request (SAR): For CCTV Images
Please read Edinburgh Napier's Guidance Notes before you make your SAR. A request must be in writing, preferably on a Subject Access Request Form and submitted with the required documentation to:
Head of Campus Services
Room 6.B.24
Sighthill Campus
Edinburgh
EH11 4BN
Request for Rectification of personal data
Under Article 16 of the GDPR, EU Citizens have the right to have inaccurate personal data rectified by Data Controllers (in this case the University). This also includes the right to have incomplete personal data completed where relevant. Students and Staff Members have the ability to update their own personal data by using the portals provided by the University:
If you are unable to make the updates yourself then please contact dataprotection@napier.ac.uk to request a Data Rectification form.
Request for the erasure of personal data ("Right to be Forgotten")
Under Article 17 of the GDPR, EU citizens have the right to request the erasure of their personal data. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances. The Information Commissioner’s (ICO) guidance refers: https://ico.org.uk/for-the-public/your-right-to-get-your-data-deleted/
We ask you to complete the form below and send it to dataprotection@napier.ac.uk to enable us to find the relevant information in order to make a decision about erasure.
Erasure Request Form
Applicants/Students/Graduates/Previous Students:
In relation to processing done by the University, this right does not apply to applicants, students or previous students, as personal data is processed under GDPR Article 6(1)(e): “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”, which is the Statutory Instrument 1993 Number 557 (S.76). GDPR Article 17(3)(b) refers, and GDPR Article 6(1)(b): "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract".
If the course you studied is regulated there will also be requirements under other legislation (e.g. health legislation for student nurses and midwives) for the University to keep certain records relating to students. We are also required to keep records to verify qualifications e.g. for crime and fraud purposes.
Therefore, whilst it is not possible to delete your personal data from the University’s records, depending on the situation, we may be able to remove you from contact lists e.g. the Alumni database, to stop you receiving communications from the University. If you wish to unsubscribe from marketing communications specifically, please use the "unsubscribe" option offered in every communication.
For more information please see the University’s Privacy Notices (appropriate to yourself) – they detail the purposes, legal bases, etc. for processing.
Employees:
The University processes your personal data under GDPR Article 6(1)(b): “processing is necessary for the performance of a contract”, etc. which refers to your employment contract. There is also no automatic right under the legislation to have your personal data deleted where this is the legal basis for processing, as the University is required to keep certain records as evidence of your employment.
Requests for deletion will be considered on a case-by-case basis, dependent on the circumstances. ‘Core’ information is required to be kept permanently, although there may be other information which can be deleted, if requested.
For more information please see the University’s Privacy Notices (appropriate to yourself) – they detail the purposes, legal bases, etc. for processing.
Communications:
Please note that where you ask us not to contact you we are required to keep a record of this to ensure that we adhere to your wishes and you are not re-added to our databases by another means and contacted again.
Data Protection Complaints Procedure
1. Purpose
We are committed to protecting personal data and handling personal information fairly and lawfully. This procedure outlines how individuals can raise complaints regarding our data handling practices and how we resolve them.
2. Scope
This procedure applies to any complaint alleging that we have violated data protection legislation. This includes, but is not limited to:
• the way we have responded to or dealt with a rights request (e.g. Subject Access Requests)
• the security measures used to process personal data, including data security incidents or personal data breaches
• the way in which personal data has been collected or used
The regulator guidance notes the following:
“Sometimes people may complain about your service or other matters, whilst also exercising their data protection rights. This doesn’t count as a data protection complaint. For example:
• an employee may raise a grievance issue, and also request copies of their personal information; or
• a person may complain about a customer service issue and also request that you delete their information.”
3. How to Submit a Complaint
Individuals may submit a data protection complaint via any of our standard communication routes. To help us address the issue efficiently, we encourage using the following direct channels:
Microsoft Form: Complaint form
Email: dataprotection@napier.ac.uk
Using our MS Teams form or email is the best way to submit a complaint, as we work on a hybrid basis, and using these methods enables us to respond timeously.
Post: Governance & Compliance Team, Sighthill Campus, Edinburgh Napier University, Sighthill Court, Sighthill, Edinburgh, EH11 4BN
If you send us a complaint by post, please email dataprotection@napier.ac.uk to advise us of this.
Please provide clear details, a timeline of events, and any supporting documentation. We may request proportionate proof of identity and, if someone is complaining on behalf of another person, their written consent and contact details in order for us to verify consent.
4. Our Handling Procedure & Timelines
We manage all received complaints in accordance with strict ICO statutory requirements:
• Acknowledgement: We will acknowledge receipt of the complaint within 30 days.
• Investigation: We will investigate the issue thoroughly and fairly without undue delay.
• Updates: If an investigation is complex and requires extra time, we will provide the complainant with an update advising of this.
• Outcome: We will communicate the final outcome in writing, explaining our findings and any corrective actions taken, without undue delay.
5. Escalation to the Regulator
If a complainant remains dissatisfied with our final response or how we handled their concern, they have a legal right to log a complaint with the UK regulator.
Regulator: Information Commission (was Information Commissioner’s Office (ICO))
Website: ico.org.uk/make-a-complaint
Helpline: 0303 123 1113
6. Continuous Improvement
We formally log every complaint and regularly review the feedback. This insight helps us refine our processes, update staff training, and prevent future issues.
Rights for Research Participants
Some of the rights under the UK-GDPR contain built-in exceptions for research. If complying with a rights request would prevent or seriously impair the achievement of the purposes of processing for research, then the University may apply an exemption. However, exemptions are not applied in a 'blanket' fashion, and will be decided dependent on the circumstances.
For further information see the ICO guidance.
Information for Parents, Family Members and Other Enquirers
The University recognises that parents and families care deeply about students’ welfare. However, students have a legal right to privacy and independence, and the University has a legal obligation to protect their personal data in accordance with the UK-GDPR.
- Students are adults in law and have their own direct legal relationship with the University, irrespective of age, funding arrangements or parental involvement.
- Parents, guardians and family members have no automatic right to receive personal data about a student.
- Simply confirming or denying that someone is a student is personal data disclosure.
The University must only disclose personal data where there is a lawful basis. Usually this is:
- the student’s explicit consent, or
- exceptional circumstances involving the student’s vital interests e.g. where there is serious and urgent concern for their welfare where they are at risk of harm.
What We Cannot Do
Without the student’s consent, the University cannot:
- confirm whether someone is a student,
- discuss academic progress, attendance, wellbeing or conduct,
- share contact details, timetable information or locations.
Funding arrangements or parental status do not change this position.
What We Can Do
- Provide general information about University policies and support services.
- Take a message to pass on to the student in the event that they are a student, ensuring that the requestor understands that we cannot confirm if the individual is a student, nor can we guarantee a response if they are.
- Take note of serious concerns and consider appropriate internal action, even if we cannot provide feedback directly.
Serious Welfare or Safety Concerns
If you believe there is an immediate risk to a student’s safety, contact emergency services first. Where appropriate, the University may share information without consent to protect a student from serious harm, but this is reserved for exceptional circumstances only, and disclosure will usually be to the emergency services, Police Scotland, etc.
Request for the personal data of a deceased individual
We would only deal with requests of this type from the deceased individual's next of kin, their legal representative or Executor. You must prove your relationship and legal standing. Be prepared to send the following:
- Death Certificate: A certified copy of the death certificate.
- Proof of Identity: Your own photo identification (e.g., passport or driving licence).
- Proof of Authority: Documentation showing you are the next of kin, the executor of the will or hold a Grant of Probate/Letters of Administration/HMRC form confirming your status.
Specify the Records Needed:
Clearly state what information you are requesting, giving as much detail as possible to assist us with locating the information. We can typically provide:
- Academic transcripts and confirmation of awards/degrees
- Attendance dates
Accessing Medical Records (if applicable):
If the student used University health/counselling services, medical records are governed by the Access to Health Records Act 1990. Access to these records is only granted if you are a personal representative (executor) or if you have a claim resulting from the death. Appropriate evidence, as above, would be required.
Please send your request to:
Information Governance team
dataprotection@napier.ac.uk
As we mainly work remotely, please send your request by email wherever possible. If you post a request to us at the address below, please advise us by email that you have done so.
Information Governance team
Governance & Compliance Services
Sighthill Campus
Edinburgh
EH11 4BN