0 Shortlist Search
Enter your keyword, course, subject or interest
EC Default Banner

Data protection and Cookies

Your Data Protection Rights at Edinburgh College

The Data Protection Act 2018 and the EU General Data Protection Regulation (GDPR) provide certain rights for individuals in relation to their personal data and what organisations may do with their data.

To make a request in relation to any of your rights, please email DataProtection@edinburghcollege.ac.uk

The Data Protection Act 2018 and the EU General Data Protection Regulation (GDPR) provide certain rights for individuals in relation to their personal data and what organisations may do with their data. Under the data protection law, you have;

The right to contact the college

If you have any queries regarding how Edinburgh College processes your personal data, or wish to make a request under data protection law, please contact the Data Protection Officer (DPO) by emailing DataProtection@edinburghcollege.ac.uk.

The right to be informed

The right to be informed is known as a “privacy notice” and organisations must communicate to you who they are, the name and contact information of their Data Protection Officer (DPO), why they collect your data, for what purpose, if they share it, and how long the information is held for.

ICO Guidance on your right to be informed

The right of access

The right of access means you can request access to view, or get copies of, the personal data that an organisation holds on you. You can make such a request for all information held about you, or you can be specific, for example, by asking for copies of your application and enrolment forms.

ICO guidance on your right to access

The right to rectification

The right to rectification means that you can request that inaccurate information held about you is corrected or deleted. If your information is incomplete, you can ask the organisation to complete it by adding further information.

ICO guidance on the right to rectification

The right to erasure

The right to erasure is commonly known as the ‘Right to be Forgotten’ (RTBF). This means you can request that an organisation delete the personal data it holds about you. This right only applies in certain circumstances, including:

  • The organisation doesn’t need your information anymore
  • If you had provided your consent but now withdraw it
  • You object to the use of your data, and your interests outweigh the organisation’s
  • If the data was collected or used unlawfully
  • If there is a legal obligation to erase your data.
  • Or if your data was collected from you as a child for an online service (e.g. Facebook).

ICO’s guidance on the right to erasure

The right to restrict processing

The right to restrict processing means that if you are concerned about the accuracy of your personal data, or how it is being used, you can limit how the organisation uses your data. You can also stop an organisation from deleting your data. This right also closely links with the rights to rectification and to object.

ICO Guidance on the right to restrict processing

The right to data portability

The right to data portability means you have the right to request that an organisation provide you with your personal data in an accessible, machine-readable format, e.g. a CSV file. You can also request that the organisation transfer your data to another organisation. They must do this if the transfer is technically feasible.

This right only applies in specific circumstances and is not absolute.

ICO Guidance on the right to data portability

The right to object

The right to object means you can request that an organisation stop using (processing) your data for specific purposes. There are limits to this right; you can only object if the organisation is using your data:

  • For a “task carried out in the public interest”
  • For “legitimate interests”
  • For “scientific or historical research or statistical purposes”
  • For direct marketing

If an organisation agrees to your objection, it must stop processing unless it can provide strong legitimate reasons for continuing to use your data. However, when the objection relates to direct marketing, the right to object is absolute and an organisation must stop using your data.

ICO Guidance on the right to object

Rights in relation to automated decision-making and profiling

Rights related to automated decision-making and profiling pertain to decisions made about you using computer algorithms, without human intervention.

This can include profiling, where your personal data is used to analyse or predict aspects of your life, including personal preferences and interests.

An example of this is when a company sends you information about particular books that are similar to ones you have already purchased from them. It can be a valuable process for organisations and individuals in many sectors, including education and marketing.

When automated processing, including profiling, is carried out with your personal data, you have the right:

  • Not to be subject to a decision that is based solely on automated processing if the decision affects your legal rights
  • To understand the reasons behind decisions made and the potential consequences of the decisions
  • To object to profiling in certain situations, including direct marketing.

ICO Guidance relating to automated decision making

All of these rights require organisations to respond to a request within one month. There is no fee, although if a request is considered manifestly unfounded or excessive, a reasonable fee can be charged for the administrative costs associated with the request.

The UK Information Commissioner’s Office (ICO) is the regulator of data protection and has further information and guidance regarding your rights on the ICO website.

Data protection and cookies notices and policies

Edinburgh College has appointed a named Data Protection Officer (DPO), Lizi Bird, who can be contacted by emailing dataprotection@edinburghcollege.ac.uk.

Edinburgh College Data Protection Policy

Edinburgh College is committed to a policy of protecting data and respecting the rights and freedoms of individuals in relation to the processing of their personal data. 

Our Data Protection Policy sets out the legal framework and risks which govern the college’s use of data; the college’s commitment to protecting its data; and the obligations of users to protect all data (with particular reference to personal and special (previously called sensitive) categories of personal data).

Edinburgh College Data Breach Reporting Procedure

For information on how to report a suspected data breach involving personal data, please read our Data Breach Reporting Procedure.

Special Category and Criminal Convictions Personal Data Policy

The Data Protection Act 2018 requires the College, as a Public Authority, to have an appropriate policy document (and supporting procedures) in place which outline the College’s approach to the management of special category personal data and criminal convictions data (as required by the General Data Protection Regulation (GDPR), Article 9 and the Data Protection Act 2018, Schedule 1, Part 4).

Edinburgh College processes special category and criminal conviction data as part of its statutory duties under employment and social protection law, or processing for reasons of substantial public interest. Through this Policy, the College explains its procedures for compliance with the principles outlined in Articles 5 and 6 of the GDPR. It outlines its policies regarding the retention and erasure of this data.

Downloads

Data Breach Reporting Procedure (648KB, pdf)
Data Protection Policy (518KB, pdf)
Special Category And Criminal Convictions Personal Data Policy (647KB, pdf)