Rights of data subjects under the Data Protection Act
All University staff should be made aware of the fact that, under Principle 6 of the 8 Data Protection Principles, personal data must be processed by RGU in accordance with the rights of data subjects (i.e. students and staff whose personal information you are processing).
Data subjects have the following rights under the Data Protection Act:
- A right of Subject Access: a data subject has a right to be supplied by The Robert Gordon University with the personal information held about him or her. Please visit the following web page for further details on Subject Access Requests:
- A right of correction of their personal information held by RGU;
- A right to prevent processing likely to cause damage or distress;
- A right to prevent direct marketing: a data subject may stop their information being used to sell them University-related services;
- A right to prevent automatic decisions: a data subject may specify that they do not want staff to make 'automated' decisions, for example via a computer, about them;
- A right of complaint to the Information Commissioner: a data subject can ask for the use of their personal information by RGU to be reviewed by the Information Commissioner, if they think that RGU is not handling their personal data properly; and
- A right to compensation: the data subject is entitled to use the Act to receive compensation, if personal data about them is inaccurate, lost or disclosed without good reason.
The full list of the Data Protection Principles can be found at the following web page:
Failure to adhere to the University's Data Protection policies and guidance could be regarded as a disciplinary offence.
Please contact the University Records Manager for further information (262882).
UK Information Commissioner's Office (ICO)
The UK Information Commissioner's Office is an independent authority, which has been set up to promote access to official information and to protect personal information.
The legal powers of the Information Commissioner include:
- The right to conduct compliance checks on RGU,
- The right to service enforcement notices and 'stop now' orders, and
- The right to prosecute those who commit criminal offences under the Act.
The following are criminal offences under the Act:
- The destruction of information required for a Subject Access Request;
- Unauthorised disclosure of personal information;
- Failure to comply with the enforcement of an information notice; and
- Failure to notify the Information Commissioner of RGU's processing details in the Register of Notifications. Please visit the following web page for further information on the Register of Notifications:
In May 2008, the ICO was given the new power to impose substantial fines on organisations, including RGU, if they deliberately or recklessly commit serious breaches of the Data Protection Act.
Last updated: 04.06.08 (ALM)