Guidance

Data Protection: rights for data subjects

Updated 21 January 2021

Under the Data Protection legislation, data subjects have the following rights with regard to their personal information:

  • the right to be informed about the collection and the use of their personal data
  • the right to access personal data and supplementary information
  • the right to have inaccurate personal data rectified, or completed if it is incomplete
  • the right to erasure (to be forgotten) in certain circumstances
  • the right to restrict processing in certain circumstances
  • the right to data portability, which allows the data subject to obtain and reuse their personal data for their own purposes across different services
  • the right to object to processing in certain circumstances
  • rights in relation to automated decision making and profiling
  • the right to withdraw consent at any time (where relevant)
  • the right to complain to the Information Commissioner

The right to be informed

The Ministry of Defence (MOD) must issue certain information about the processing activities that affect you. This information is usually provided in a Privacy Notice or Privacy Statement that is made available at the point the data is collected. The MOD also published its Personal Information Charter on the internet.

The right of access

The MOD, as the data controller, must provide you with:

  • confirmation that your data is being processed
  • access to your personal data
  • other supplementary information

For further information on how to make a Subject Access Request application see our guide on Requests for personal data and service records.

The right to rectification

You can ask the MOD to correct any personal information it holds about you to ensure your data is accurate. You may also ask the MOD to complete incomplete data held about you.

The right to erasure/be forgotten

You have the right, under certain circumstances, to ask for your personal data to be erased where:

  • your personal data is no longer necessary in relation to the purpose for which it was collected/processed
  • you withdraw your consent or object to the processing and there is no overriding legitimate interest to continue processing
  • you object to the processing and there are no overriding legitimate grounds for the processing
  • you object to the processing and your personal data was processed for direct marketing purposes
  • your personal data was unlawfully processed or should be erased to comply with a legal obligation
  • your personal data is processed in relation to the offer of information society services to a child

The MOD can refuse to erase your personal data where it is processed:

  • to comply with a legal obligation or for the performance of a task of public interest
  • for the exercise or defence of legal claims
  • for purposes relating to public health, archiving in the public interest, scientific/historic research or statistics

If your data has been disclosed to a third party, the MOD will ask them to erase that data, unless this proves impossible or involves disproportionate effort. You may ask who those third parties are and the MOD will inform you accordingly.

The right to restrict processing

You have the right to restrict the processing of personal data held by the MOD where:

  • you have contested its accuracy
  • you have objected to the processing and the MOD is considering whether it has a legitimate ground which overrides this
  • processing is unlawful
  • the MOD no longer needs the data but you require it to establish, exercise or defend a legal claim

The right to data portability

The right to data portability allows individuals to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. This enables you to obtain and reuse your personal data across different services.

The right to data portability only applies:

  • to personal data that an individual has personally provided to MOD
  • where the processing is based on consent or the performance of a contract
  • where processing is carried out by automated means (i.e. excluding paper files)

The right to object

You have the right to object to processing of your personal data in certain circumstances and have an absolute right to stop your data being used for direct marketing.

You can also object if the processing is for:

  • a task carried out in the public interest
  • the exercise of official authority vested in the MOD
  • MOD’s legitimate interests (or those of a third party)

However, in these circumstances the right to object is not absolute and you must give specific reasons why you are objecting to the processing of your data.

Please be aware that the MOD would be able to continue processing your personal data if:

  • we can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual
  • the processing is for the establishment, exercise or defence of legal claims

Rights relating to automated decision making and profiling

Automated decision-making takes place when an electronic system uses personal information to make decisions without human intervention.

The MOD could use automated decision-making in the following circumstances:

  • where we have notified you of the decision and given you 21 days to request a reconsideration
  • where it is necessary to perform the contract and appropriate measures are in place to safeguard your rights

At present, there are no fully automated decision making or profiling systems in use within MOD. This means that this right does not currently apply to any processing activities.

How to contact MOD about your rights

You may submit your request to the MOD verbally or in writing. However, to assist you in making your request, you can use the Individual Rights: MOD Form 7779.

How to make a complaint to MOD

If you are dissatisfied with the way we have handled your application and want to make a complaint, please write to:

MOD Information Rights Team
Ground floor, Zone D
Main Building
Whitehall
London
SW1A 2HB
Email: cio-dpa@mod.gov.uk

We will acknowledge your complaint within 5 working days and send you a full response within 20 working days. If we can’t respond fully in this time, we will write and let you know why and tell you when you should get a full response.

Complaints to the Information Commissioner

If you are dissatisfied with the way we have handled your complaint or request and want to make a complaint, you may write to the Information Commissioner, who is an independent regulator. Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

The Information Commissioner can be contacted at:

Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire, SK9 5AF
Tel: 08456 30 60 60 or 01625 54 57 45
Fax: 01625 524510

Website: https://ico.org.uk