Skip navigation

Right to Be Informed

The first principles of the GDPR requires that the University must be fair, lawful and transparent about the personal data we collect, use and generally process about people (Data Subjects).

This requirement to be ’transparent’ means that we are required to communicate to data subjects enough relevant information about our processing of their personal data for them to understand exactly what we do with it, provide them with more choice about providing it,  and if necessary, allow them to use this knowledge to challenge or raise concerns about our processing.

What must the University do

The University must provide ‘privacy notices’ to individuals describing the information the University collects about them.

In principle, the information must be provided in writing (e.g. via a privacy notice) and where appropriate by electronic means (for example through our website).

The privacy notice must be made available either when we collect information about them (if collected directly) or at the earliest opportunity (if collected via a third party).

What information must be provided and when?

A privacy notice must contain the following information:

  Where Data is obtained directly from data subject Where data is not obtained directly from data subject
Identity and contact details of the controller and where applicable, the controller’s representative) and the data protection officer. Yes  

Yes
Purpose of the processing and the lawful basis for the processing.  

Yes

  

Yes
The legitimate interests of the controller or third party, where applicable.  

Yes

  

Yes
Categories of personal data.    

Yes
Any recipient or categories of recipients of the personal data.  

Yes

  

Yes
Details of transfers to third country and safeguards.  

Yes

  

Yes
Retention period or criteria used to determine the retention period.  

Yes

  

Yes
The existence of each of data subject’s rights.  

Yes

  

Yes
The right to withdraw consent at any time, where relevant.  

Yes

  

Yes
The right to lodge a complaint with a supervisory authority.  

Yes

  

Yes
The source the personal data originates from and whether it came from publicly accessible sources.    

Yes
Whether the provision of personal data part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data.  

Yes

  
The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences.  

Yes

  

Yes

 

Additional Information

If the University envisages to further process personal data for a purpose other than the purposes for which it is initially collected, the University must provide the data subject information on such purpose(s) together with any other relevant information, prior to the further processing takes place.

Are there any exemptions to providing notices?

If personal data is collected directly from the data subject, the information obligations do not apply if the data subject already has the information – privacy notice only has to be provided once).

If personal data is not collected directly from the data subject, the information obligations do not apply if:

a) the data subject already has the information;

b) the provision of information is impossible or requires a disproportionate effort, provided that the controller takes appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including by making the information publicly available;

c) if there is an EU or Member State law obligation to obtain/disclose the personal data and which provides appropriate measure to protect the data subject’s legitimate interests; or

d) if the personal data must remain confidential pursuant to an obligation of professional secrecy regulated by EU or Member State law (e.g. legal or physician-patient privilege).

 

 

How long does the University have to comply?

There are statutory timescales for providing privacy notices to individuals:

Information to be provided when personal data are collected from the data subject

The information should be given to the data subject at the time of collection from the data subject.

Information to be provided when personal data are not collected directly from the data subject

The information must be given to the data subject:

  • within a reasonable period of having obtained the personal data (maximum one month);
  • if the data is to be used to communicate with the data subject, at the latest when the first communication takes place; or
  • if disclosure to another recipient is envisaged, at the latest, before the personal data is disclosed.

What must the University do?

  • The University must identify all personal data processing activates that we conduct and identify the legal basis for processing data for those activities.
  • We must then ensure that appropriate Privacy Notices are in place to inform the relevant data subjects (Staff. Students, business contacts etc) as these will be used fulfil the requirement to inform.
  • This may require new privacy notices to be created for new processing areas or data subjects
  • The University must review on an annual basis (or sooner if required) to ensure that privacy notices remain accurate and up to date.

Are there any exemptions to providing notices?

If personal data is collected directly from the data subject, the information obligations do not apply if the data subject already has the information – privacy notice only has to be provided once).

If personal data is not collected directly from the data subject, the information obligations do not apply if:

a) the data subject already has the information;

b) the provision of information is impossible or requires a disproportionate effort, provided that the controller takes appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including by making the information publicly available;

c) if there is an EU or Member State law obligation to obtain/disclose the personal data and which provides appropriate measure to protect the data subject’s legitimate interests; or

d) if the personal data must remain confidential pursuant to an obligation of professional secrecy regulated by EU or Member State law (e.g. legal or physician-patient privilege).

What if the University does not comply?

Failure to provide accurate privacy notices to individuals would mean that the individuals can request the ICO to undertake the judicial review of our actions:

  • If the ICO finds again the University, this may result in a fine or a requirement to undertake corrective actions.

GDPR - Rights of the Individual

a sign in front of a crowd
+

Northumbria Open Days

Open Days are a great way for you to get a feel of the University, the city of Newcastle upon Tyne and the course(s) you are interested in.

Research at Northumbria
+

Research at Northumbria

Research is the life blood of a University and at Northumbria University we pride ourselves on research that makes a difference; research that has application and affects people's lives.

NU World
+

Explore NU World

Find out what life here is all about. From studying to socialising, term time to downtime, we’ve got it covered.


Latest News and Features

View all news
Roisin Currie
Jack Gooday with the Chief Constable of Humberside Police receivng an award.
Vera Selby MBE.
Image of earth in space. Shutterstock/ixpert
image of a mobile phone with the instagram app logo on the screen
100 Faces Campaign - Andy Long
Creative Gateshead
NORTHUMBRIA CELEBRATES 100TH NURSING DEGREE APPRENTICESHIP GRADUATE
More events

Upcoming events

Why are so many problems worse in more unequal societies?
Virtual Event - Your Wellbeing
MoLegal Professional Privilege in the 21st Century: Adversarialism, Confidentiality and Justice
Virtual Event - LLM Space Law & Cyber Law Taster

Back to top