How to make an individual rights request, including subject access rights
Under the new Data Protection Act (DPA) 2018 and the General Data Protection Regulation (GDPR) 2016, all individuals (data subjects) have a right to access or challenge the processing of their personal data being held and managed by an organisation. You exercise these rights by submitting an individual rights request to the College under one of the rights listed below:
- The right to be Informed - e.g. fair processing/privacy notices and information
- The right of Access - e.g. subject access requests (SARs)
- The right to Rectification - e.g. correcting your data
- The right to Erasure – e.g. deleting or removing your data
- The right to Restrict Processing – e.g. stopping your data being used
- The right to Data Portability – e.g. transferring your data easily
- The right to Object – e.g. challenging what we’re doing with your data
- Rights in Relation to Automated Decision Making and Profiling – e.g. ensuring safeguards are in place so we don’t make potentially damaging decisions about you without any human involvement.
Your data is important to us so at the Royal College of Obstetricians and Gynaecologists (the College), we want to make it straightforward for you to access it.
How do I request access to my information or exercise any of my other Individual Rights?
The simplest way to make your request is to complete the College’s Individual Rights Request form (Word document).
UK citizens and Fellows and Members of the RCOG
Please email your request and a copy of your photo ID to dataprotection@rcog.org.uk or post it to:
Information Governance (IG) Team
Research and Information Services
Royal College of Obstetricians and Gynaecologists
10-18 Union Street
London
SE1 1SZ
UK
EU citizens
We have appointed IT Governance Europe Limited to act as our EU representative. If you wish to exercise your rights under the EU General Data Protection Regulation (EU GDPR), or have any queries in relation to your rights or general privacy matters, please email our Representative at eurep@itgovernance.eu. Please ensure to include our organisation’s name in any correspondence you send to our Representative:
By email: eurep@itgovernance.eu
By post: IT Governance Europe Ltd, Third Floor, The Boyne Tower, Bull Ring, Lagavooren, Drogheda, Co. Louth, A92 F682.
What do I need to include in my request?
- State clearly what you want - You might not need all of the personal data that we hold about you. Helping us identify what you need will enable us to obtain this more quickly and accurately
- Include the following information:
- Your name and contact details
- College number (if you have one)
- Any details or relevant dates that will help us identify what you want, e.g. you may want to ask for:
Your personnel file
- Emails between ‘person A’ and ‘person B’ (e.g. from 1 June 2020 to 1 Sept 2020).
- Personal data to be updated with new details.
- Contact details to be removed from fundraising and marketing lists.
- Emails between ‘person A’ and ‘person B’ (e.g. from 1 June 2020 to 1 Sept 2020).
- The simplest way to make your request is to complete the College Individual Rights Request form (Word document)
- Please send the completed form and a copy of your photo ID to:
Email: dataprotection@rcog.org.uk or post it to:
Information Governance (IG) Team
Research and Information Services
Royal College of Obstetricians and Gynaecologists
10-18 Union Street
London
SE1 1SZ
UK
Do I need to pay for my request?
Under the DPA and GDPR, all subject access and individual rights requests are processed free of charge unless they are clearly baseless or excessive.
How long does the College have to respond?
The College has one calendar month to respond, from the date we have verified your identity.
If your request is complex, we can extend the processing time up to a total of three calendar months from the date of receipt.
Who do I contact if I need further information, advice or to make a complaint about my request?
If you have any further queries, a complaint or want to request an internal review, please contact the IG Team using the above email and postal address or call us between 9:00am – 4:30pm (UK time) Monday to Friday on (+44)20 7772 6200.
EU citizens can also direct any queries or complaints to our EU Representative, using the above email and postal address.
If you are unhappy with how we handled your request, your internal review or how we are processing your data, you can complain to the RCOG directly using our Complaints Policy and Procedure or contact the Information Commissioner’s Office (ICO). Please see the ICO website for details https://ico.org.uk/make-a-complaint/your-personal-information-concerns or contact them directly by email to casework@ico.org.uk or by post:
Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
Your right to be informed
The right to be informed gives you the right to find out how your data is being collected and used. This right ensures transparency on how your data is processed.
The College is obliged to inform you in our privacy information at the point of collection or in our privacy policy of:
- Why we need to process your data
- How long we intend to keep it
- Who we plan to share it with.
If your data has been obtained from another place or organisation and the College is a controller of this information, we must provide you with privacy information no later than one month from the date of collection.
This is not necessary if you already have the privacy information or it involves a disproportionate effort to provide it to you.
You can find further information on the Information Commissioners website: https://ico.org.uk/your-data-matters/your-right-to-be-informed-if-your-personal-data-is-being-used/
If you would like to make a request to receive the privacy information for data we have collected from you, please complete our Individual Rights Request form (Word document) and email it back to us with a copy of your photo ID to dataprotection@rcog.org.uk
You can read the College privacy policy on the RCOG website.
Your right to access
The right to access is also known as a “Subject Access Request” (SAR).
A SAR is a written or verbal request received from you to request a copy of your personal data.
You have the right to request all information held about you by the College. This includes your:
- Paper records
- Electronic records
- CCTV footage.
You can find further information on the Information Commissioner’s website.
If you would like to make a subject access request, please complete our Individual Rights Request form (Word document) and email it back to us with a copy of your photo ID to dataprotection@rcog.org.uk.
Your right to rectification
The right to rectification gives you the right to have your information corrected.
This might be because the data:
- Is inaccurate or
- Incomplete.
This right depends on the purpose of the data processing and it may be more appropriate to add a supplementary statement to data that cannot be rectified to ensure its future processing is correct.
You can find further information on the Information Commissioner’s website: https://ico.org.uk/your-data-matters/your-right-to-get-your-data-corrected/.
If you would like to request rectification to your data please complete our Individual Rights Request form (Word document) and email it back to us with a copy of your photo ID to dataprotection@rcog.org.uk.
Your right to erasure
The right to erasure gives you the right to have your personal data deleted. This is also known as the ‘right to be forgotten’.
The right is not absolute and only applies in certain circumstances. You can request to have your personal data erased if:
- Your personal data is no longer needed for the purpose it was collected or processed
- You withdraw your consent (where “consent” is the lawful basis for processing)
- The College is legitimately processing your data as part of the business function, but your right overrides this
- You do not wish to receive marketing and fundraising correspondence
- Your personal data has been processed unlawfully
- The erasure is required as a legal obligation.
You can find further information on the Information Commissioner’s website:
https://ico.org.uk/your-data-matters/your-right-to-get-your-data-deleted/.
If you would like to request erasure of your data please complete our Individual Rights Request form (Word document) and email it back to us with a copy of your photo ID to dataprotection@rcog.org.uk.
Your right to restrict processing
The right to restricted processing gives you the right to limit the way the College processes your personal data (in certain circumstances). This applies when you have a particular reason for the restriction. The College may still store your data, but cannot use it while the restriction is in place.
You can request to restrict the processing of your data if:
- You contest the accuracy of your personal data and would like this verified
- The data has been unlawfully processed
- The College no longer needs your personal data for processing, but you need us to keep for a particular purpose, e.g. a legal claim.
The College can lift the restriction when:
- Your request is being investigated
- The processing is necessary for our legitimate interests, and it overrides your right to restriction.
The College will investigate your request and where no grounds for restriction are found, notify you that the restriction will be lifted and advise you of your rights to request an internal review or make a complaint.
You can find further information on the Information Commissioner’s website:
https://ico.org.uk/your-data-matters/your-right-to-limit-how-organisations-use-your-data/.
If you would like to request erasure of your data please complete our Individual Rights Request form (Word document) and email it back to us with a copy of your photo ID to dataprotection@rcog.org.uk.
Your right to data portability
The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services.
It allows you to:
- Move data
- Copy data
- Transfer data.
It ensures this is done in a safe and secure way, without affecting its usability. The right will only apply to the information you have provided and where it is held electronically.
This includes data such as:
- Username
- Email address
- Website or search usage history
- Traffic and location data.
You can make a data portability request when the College is processing your information:
- By automated means and relies on your consent to use your personal data, or
- Uses your data as part of a contract you have with us.
You can find further information on the Information Commissioner’s website: https://ico.org.uk/your-data-matters/your-right-to-data-portability/.
If you would like to make a data portability request please complete our Individual Rights Request form (Word document) and email it back to us with a copy of your photo ID to dataprotection@rcog.org.uk.
Your right to object
The right to object, gives you the right to challenge the processing of your personal data in certain circumstances.
You have an absolute right to stop your data being processed where it is being used for:
- Direct marketing
- For the College’s legitimate interests (unless we can prove a compelling reason to continue processing)
- For scientific or historical research, or statistical purposes.
You can find further information on the Information Commissioner’s website: https://ico.org.uk/your-data-matters/the-right-to-object-to-the-use-of-your-data/.
If you would like to enforce your right to object to the processing of your data please complete our Individual Rights Request form (Word document) and email it back to us with a copy of your photo ID to dataprotection@rcog.org.uk.
Your Rights in Relation to Automated Decision Making and Profiling
Your rights in relation to automated decision making give you the right to ensure safeguards are in place so we don’t make potentially damaging decisions about you without any human involvement.
This is split into two sections, automated decision making and profiling.
Automated decision making refers to a decision made without any human involvement.
For example:
- Online decision for credit applications
- Recruitment aptitude tests using pre-programmed algorithms and criteria.
Profiling means your personal data is used for analytical purposes or to predict things, for example:
- Performance at work
- Economic Situation
- Health, personal preferences and interests.
Profiling can occur in some automated decision making.
You have the right:
- Not to be subject to a decision that is based solely on automated processing if the decision affects your legal rights for example
- To understand the reasons behind decisions made about you by automated processing and the possible consequences of the decisions
- To object to profiling in certain situations, including for direct marketing.
You can find further information on the Information Commissioner’s website: https://ico.org.uk/your-data-matters/your-rights-relating-to-decisions-being-made-about-you-without-human-involvement/.
If you would like to enforce your right to object to automated decision making and profiling of your data please complete our Individual Rights Request form and email it back to us with a copy of your photo ID to dataprotection@rcog.org.uk.