With data protection legislation having evolved rapidly, many people are unclear on their rights. There are several principles of which consumers need to be aware in order to be able to assert their rights under the legislation.
An organisation must tell you if it is using your data. It must tell you where it got your data from, what types of data it holds, all the purposes for which it is using your data, and, if any, all details of third-party transfers anywhere in the world. It must also tell you how to contact them and inform you of your right to complain to the Information Commissioner's Office (ICO).
You have the right to check if an organisation is using or storing your data - the "right of access". To exercise this right, you simply ask for a copy of the data you want. You exercise this right by asking for a copy of the data, which is commonly known as making a ‘subject access request’. You can ask for as little or as much of it as you want but the more data you request, the longer it may take.
If an organisation holds inaccurate data about you, you have the right to have this corrected - the "right of rectification". In addition, if an organisation hold incomplete data about you, you also have the right for this data to be completed.
You can exercise your right to have your data deleted - the "right of erasure" or the "right to be forgotten". You can request to have your data deleted if you initially agreed to let an organisation keep your data but have changed your mind; if your data is no longer needed by them; or if it has got your data illegally.
You can limit how an organisation uses your data if you are worried about how the data is being used - the "right of restriction". For example, you may allow an organisation to keep your name, address, email and phone number, but you only allow them to contact you by post.
You have the right to get your data from an organisation in an easily accessible format, such as an Excel file or .csv - the "right to portability". You can also ask an organisation to transfer your data to another organisation.
You can object to how an organisation uses your data. If an organisation is using your data to try and sell you things, you can stop them by objecting.
Many decisions are made by organisations by computer profiling - your details are fed into a computer and a decision made without human involvement. You have the right to not be subject to a decision based on automated processing if the decision affects your legal rights (e.g. finance on credit decisions).
You have the right to access information from public bodies, such as local councils, schools or a government department. They do not have to give you information you ask for if it means creating new information.
You have the right to raise a concern to an organisation if you suspect it is mishandling your data. Examples of mishandling include a failure to keep your information secure; holding inaccurate information about you; holding data about you for longer than is needed; collecting data about you for one reason and using it for another; and disclosing information about you to a third party. If the organisation doesn't respond satisfactorily to your request, there may be a legal basis for a claim against them.