Error message

Deprecated function: The each() function is deprecated. This message will be suppressed on further calls in menu_set_active_trail() (line 2405 of /homepages/3/d274688683/htdocs/devdrupalseven/includes/menu.inc).

Rights of the data subject

Part II of the DPA contains a set of rights for data subjects, most of which can be exercised against data controllers. However, as a researcher you must also be broadly aware of these rights in case a data subject tries to exercise their rights over their data during the course of your research project.

The rights of the data subject found in the DPA are:

  1. The right to subject access (sections 7 to 9),
  2. The right to prevent processing likely to cause damage or distress (section 10),
  3. The right to prevent processing for the purposes of direct marketing (section 11),
  4. Rights in relation to automated decision taking (section 12)
  5. The right to take action to rectify, block, erase or destroy inaccurate data (sections 12A, 14 and 62),
  6. The right to compensation (section 13).

Any failure by a data controller to comply with the rights of the data subject is a breach of the sixth data protection principle. If there is a failure to comply, then the rights of the data subject can be enforced by the Court of Session or a Sheriff Court (the High Court or a county court in England and Wales).

In practice, the right to subject access is the most important right of the data subject, and in the context of research involving the secondary use of data it is probably the only right that you are likely to encounter being exercised.

The right to subject access

The right entitles the data subject, in making a request in writing, to be informed by the data controller whether they, or someone else on their behalf, are processing the individual’s personal data. It includes the right to be given a description of the personal data which is being processed, the purposes for which they are being processed, and to be informed of whom the data has been or may be disclosed to.

While in theory the right to subject access seems relatively straightforward, in practice it there can be some practical difficulties. For example, if the data requested relates to people other than that the individual making the request, then the data controller will be unable to comply with the request without necessarily disclosing the personal data of another. The DPA sets out two circumstances in which the data controller must comply with such a request, namely where the other individual has consented to the disclosure, and where it is reasonable in all the circumstances to proceed without the consent of the other person. When determining what is ‘reasonable’ regard should be had to the duties of confidentiality owed to the other individual. If the data can be provided in such a way that the other individual can be rendered unidentifiable, then the information should be given in this way.

However, importantly in s33 of the DPA there is an exemption to the right to subject access where personal data are processed only for research purposes, so long as the data is processed in compliance with the relevant conditions and the results of the research of any resulting statistics are not made available in a form which identifies any data subjects.  This means that you as a researcher will only have to comply with a subject access request in the very limited circumstances where the results of your research project are made available in a form which identifies data subjects. More information on the research exemption can be found here.

For additional guidance on how to satisfy a subject access request, please click here.

Return to top of page