Page Index:
Data Subject Rights and Access to Personal Information
Subject Access Request (SAR): For Personal Information
Subject Access Request (SAR): For CCTV Images
Request for rectification of personal data
Request for the erasure of personal data ("Right to be Forgotten")
Rights for Research Participants
Information for Parents, Family Members and Other Enquirers
Request for the personal data of a deceased individual
Data Subject Rights and Access to Personal Information
Data Protection Legislation gives individuals certain rights over the use/processing of their personal data and a general right of access to their personal data, known as a Subject Access Request. Rights are conditional depending on the legal basis used for collecting and processing your personal data.
Please note: We will not respond to any requests from third party SAR platforms (ICO guidance April 2019 refers).
Subject Access Request (SAR): For Personal Information
Please read Edinburgh Napier's Guidance Notes before you make your SAR. A request must be in writing, preferably on a Subject Access Request Form and submitted with a copy/photo of the required identification documentation to:
Information Governance team
dataprotection@napier.ac.uk
We mainly work remotely and therefore there can be delays in post reaching us, so whilst we prefer to receive your request by email, you can also send it in writing to the address below. If you do so, please can you email us to advise that you have done so.
Information Governance Manager
Governance & Compliance Services
Edinburgh
EH11 4BN
SAR Procedure
Please note that we will not respond to requests from 3rd party online platforms/apps/websites as advised by the ICO Scotland Office.
Subject Access Request (SAR): For CCTV Images
Please read Edinburgh Napier's Guidance Notes before you make your SAR. A request must be in writing, preferably on a Subject Access Request Form and submitted with the required documentation to:
Head of Campus Services
Room 6.B.24
Sighthill Campus
Edinburgh
EH11 4BN
Request for Rectification of personal data
Under Article 16 Of the GDPR, EU Citizens have the right to have inaccurate personal data rectified by Data Controllers (in this case the University). This also includes the right to have incomplete personal data completed where relevant. Students and Staff Members have the ability to update their own personal data by using the portals provided by the University:
If you are unable to make the updates yourself then please contact dataprotection@napier.ac.uk to request a Data Rectification form.
Request for the erasure of personal data ("Right to be Forgotten")
Under Article 17 of the GDPR EU citizens have the right to request the erasure of their personal data. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances. The Information Commissioner’s (ICO) guidance refers: https://ico.org.uk/for-the-public/your-right-to-get-your-data-deleted/
We ask you to complete the form below and send it to dataprotection@napier.ac.uk to enable us to find the relevant information in order to make a decision about erasure.
Erasure Request Form
Applicants/Students/Graduates/Previous Students:
In relation to processing done by the University, this right does not apply to applicants, students or previous students, as personal data is processed under GDPR Article 6(1)(e): “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”, which is the Statutory Instrument 1993 Number 557 (S.76). GDPR Article 17(3)(b) refers, and GDPR Article 6(1)(b): "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract".
If the course you studied is regulated there will also requirements under other legislation (e.g. health legislation for student nurses and midwives) for the University to keep certain records relating to students. We are also required to keep records to verify qualifications e.g. for crime and fraud purposes.
Therefore, whilst it is not possible to delete your personal data from the University’s records, depending on the situation, we may be able to remove you from contact lists e.g. the Alumni database, to stop you receiving communications from the University. If you wish to unsubscribe from marketing communications specifically, please use the "unsubscribe" option offered in every communication.
For more information please see the University’s Privacy Notices (appropriate to yourself) – they detail the purposes, legal bases, etc. for processing.
Employees:
The University processes your personal data under GDPR Article 6(1)(b): “processing is necessary for the performance of a contract”, etc. which refers to your employment contract. There is also no automatic right under the legislation to have your personal data deleted where this is the legal basis for processing, as the University is required to keep certain records as evidence of your employment.
Requests for deletion will be considered on a case by case basis, dependent on the circumstances, but ‘core’ information is required to be kept permanently, although there may be other information which can be deleted, if requested.
For more information please see the University’s Privacy Notices (appropriate to yourself) – they detail the purposes, legal bases, etc. for processing.
Communications:
Please note that where you ask us not to contact you we are required to keep a record of this to ensure that we adhere to your wishes and you are not re-added to our databases by another means and contacted again.
Rights for Research Participants
Some of the rights under the UK-GDPR contain built-in exceptions for research. If complying with a rights request would prevent or seriously impair the achievement of the purposes of processing for research, then the University may apply an exemption. However, exemptions are not applied in a 'blanket' fashion, and will be decided dependent on the circumstances.
For further information see the ICO guidance.
Information for Parents, Family Members and Other Enquirers
The University recognises that parents and families care deeply about students’ welfare. However, students have a legal right to privacy and independence, and the University has a legal obligation to protect their personal data in accordance with the UK-GDPR.
-Students are adults in law and have their own direct legal relationship with the University, irrespective of age, funding arrangements or parental involvement.
-Parents, guardians and family members have no automatic right to receive personal data about a student.
-Simply confirming or denying that someone is a student is personal data disclosure.
The University must only disclose personal data where there is a lawful basis, most commonly:
- the student’s explicit consent, or
- exceptional circumstances involving the student’s vital interests e.g. where there is serious and urgent concern for their welfare where they are at risk of harm.
What We Cannot Do
Without the student’s consent, the University cannot:
- confirm whether someone is a student,
- discuss academic progress, attendance, wellbeing or conduct,
- share contact details, timetable information or locations.
Funding arrangements or parental status do not change this position.
What We Can Do
- Provide general information about University policies and support services.
- Take a message to pass onto the student in the event that they are a student, ensuring that the requestor understands that we cannot confirm if the individual is a student, nor can we guarantee a response if they are.
- Take note of serious concerns and consider appropriate internal action, even if we cannot provide feedback directly.
Serious Welfare or Safety Concerns
If you believe there is an immediate risk to a student’s safety, contact emergency services first. Where appropriate, the University may share information without consent to protect a student from serious harm, but this is reserved for exceptional circumstances only, and disclosure will usually be to the emergency services, Police Scotland, etc.
Request for the personal data of a deceased individual
We would only deal with requests of this type from the deceased individual's next of kin, their legal representative or Executor. You must prove your relationship and legal standing. Be prepared to send the following:
- Death Certificate: A certified copy of the death certificate.
- Proof of Identity: Your own photo identification (e.g., passport or driving license).
- Proof of Authority: Documentation showing you are the next of kin, the executor of the will or hold a Grant of Probate/Letters of Administration/HMRC form confirming your status.
Specify the Records Needed:
Clearly state what information you are requesting, giving as much detail as possible to assist us with locating the information. We can typically provide:
Academic transcripts and confirmation of awards/degrees
Attendance dates
Accessing Medical Records (if applicable):
If the student used University health/counselling services, medical records are governed by the Access to Health Records Act 1990. Access to these records is only granted if you are a personal representative (executor) or if you have a claim resulting from the death. Appropriate evidence, as above, would be required.
Please send your request to:
Information Governance team
dataprotection@napier.ac.uk
As we mainly work remotely, please send your request by email wherever possible. If you post a request to us at the address below, please advise us by email that you have done so.
Information Governance team
Governance & Compliance Services
Sighthill Campus
Edinburgh
EH11 4BN