3 Overview of current UK General Data Protection Regulation (UK GDPR)
General Data Protection Regulation (GDPR) governs how personal data is managed and processed by organisations. In the UK, the relevant laws are the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. These laws specify principles relating to how personal data should be managed, which include ensuring that this data is:
“used fairly, lawfully and transparently
used for specified, explicit purposes
used in a way that is adequate, relevant and limited to only what is necessary
accurate and, where necessary, kept up to date
kept for no longer than is necessary
handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage”
(UK Government. Data protection. The UK’s data protection legislation. https://
As part of GDPR, individuals have the right to request data that an organisation holds about them, via a subject access request.
It is also possible to request information about other individuals via a Freedom of Information (FOI) request, although organisations must balance these requests with the requirements of GDPR. For example, information about how an FOI request can be made to the University of York can be found on our Freedom of Information webpages.
In some cases, individuals can request that their personal data be deleted by a particular organisation. This is known as the right to erasure, or the “right to be forgotten”.
There are, however, some exemptions from these requirements, which are set out on the Information Commissioner’s Office (ICO) website. In particular, exemptions can apply when archiving in the public interest. These exemptions apply only where complying with the request would impair the archiving purposes, where strict protocols have already been implemented to prevent distress to individuals (including data minimisation where possible), and where the data is not being used to make decisions about individuals.