Handling Subject Access Requests

These guidance notes cover the procedures for handling “Subject Access Requests” and should be read in conjunction with the University's Data Protection Policy. This document is Appendix I to the policy.

Section 1: General - What is a Subject Access Request?

The Data Protection Act 1998 gives individuals (data subjects) a number of rights, including the right to access personal data that an organisation holds about them. This right of access extends to all information held on an individual and includes personnel files, student record files, databases, interview notes and emails referring to the individual. If an individual makes a request to view their information, it is known as a “Subject Access Request”. It is permissible for the University to charge a fee of up to £10 for responding to Subject Access Requests (see Section 6 for more detail).

The Act stipulates that the data subject must:

  • make the request in writing
  • supply information to prove who they are (to eliminate risk of unauthorised disclosure)
  • supply appropriate information to help the University to locate the information they require.

Upon receipt of a request, the University must provide:

  • information on whether or not the personal data are processed
  • a description of the data, purposes and recipients
  • a copy of the data
  • an explanation of any codes/jargon contained within the data.

The University must respond to Subject Access Requests within 40 days.

For further information, see the University procedure to be followed when submitting a Subject Access Request.

Section 2: Responding to "Simple" Requests

Whilst data subjects are entitled to request ALL the information that an organisation holds on them, experience shows that they are usually looking for something specific. Therefore, the majority of requests received by the University are likely to be from staff and students asking for copies of one or more specific documents. These will usually be located from a single source - typically the departmental staff/student files - and will not involve the disclosure of information relating to a third party (see Section 4 for more detail). In such cases, University policy is to be open and transparent and, wherever possible, to let the individual have a copy of the information with minimum fuss. Such requests should be handled directly by the relevant department or section, and there should be no need to involve the University Data Protection Officer. When responding to such requests, take care to ensure that you do not inadvertently release third party information without their consent (see Section 4 for further detail). No fee should be charged (see Section 6 for more detail).

Section 3: Responding to "Complex" Requests

There may be some instances when a request for information is more complex and will need to involve the University Data Protection Officer to ensure a co-ordinated response. It is hoped that such requests will be infrequent.

Examples of situations where more complex requests might arise include:

  • request involves locating information from multiple sources
  • request involves the release of contentious information
  • request is one in a series of requests from the same individual
  • request involves the release of third party data for which consent has been refused or cannot be obtained (see Section 4 for further information)
  • the data subject does not want to ask for the information from the department/section that holds it.

In such cases, the request should be referred to the University Data Protection Officer who will ensure that a co-ordinated approach is adopted and will determine whether or not it is appropriate to charge a fee. When responding to Subject Access Requests, the Data Protection Officer will liaise with staff in the department/section as appropriate.

Section 4: Third Party Data

It will sometimes be the case that responding to a Subject Access Request will lead to incidental disclosure of details relating to some other third party (for example, a referee or another student). Such third party information should not be disclosed without first seeking the consent of the third party.

If consent cannot be obtained (e.g. the third party cannot be contacted) or is refused, then the institution needs to consider whether or not disclosure is reasonable, taking into account:

  • any duty of confidentiality owed to the third party
  • the steps taken to seek consent
  • whether the third party is capable of giving consent
  • any express refusal of consent

If you are unable to obtain consent, you are advised to contact the University Data Protection Officer, who will have to balance the impact on the third party of the disclosure against the impact on the data subject of the disclosure being withheld. Where third parties have been acting in an official capacity, it may be argued that the duty of confidence is lower than is otherwise the case. However, decisions will be made on a case-by-case basis.

If the Data Protection Officer decides that disclosure cannot be made, only the information which could identify the third party should be withheld (e.g. third party details are blanked out). Wherever possible, the University will follow good practice by explaining to the data subject that some information has been withheld, and why.

Third parties who regularly supply information on students/staff in a professional capacity (external examiners, referees, etc.) should be informed that anything they submit may become available to the data subject through a Subject Access Request. Departments/sections are advised to seek consent to disclose at the collection stage (e.g. when requesting references or appointing external examiners) to avoid delay upon receipt of a Subject Access Request. Where professionals request that information supplied by them be kept confidential, they must supply details of the exceptional reasons for making the request. The University will consider those reasons in order to decide whether they are valid.

Section 5: Records Management

The maintenance of appropriate records is extremely important in the event of a Subject Access Request. Knowing who keeps what and where is central to the effective and efficient retrieval of information. The following guidance notes on records management have been produced to help departments and sections:

  • Student Records Management in Academic Departments
  • Student Records Management in Support Services

The other important aspect of records management is ensuring that only appropriate information is retained. This will not only reduce the amount of information which must be disclosed (thereby saving the time and administrative costs associated with locating and supplying the information) but will also avoid embarrassment and potential damage to the University’s reputation by ensuring that inappropriate information is not being retained on individuals.

All staff are advised:

  • to be careful about what personal information they keep (including emails)
  • to try to only record factual information
  • where it is necessary to record an opinion about an individual, to make sure it is justified and wherever possible backed up with factual evidence
  • NOT to record anything that they would not wish the data subject to see.

Rationalising the information held by the University has many long-term benefits, and it will certainly help us to respond effectively to Subject Access Requests. The fewer data sources the University has, the easier it will be to search them on receipt of a Subject Access Request. Wherever possible, we should be aiming to manage data on a single central database. All staff are encouraged not to hold files on individual students or staff members, but to lodge any such information with “designated individuals” (see the Records Management documents referred to earlier in this section for further information). Personal data of departed staff and students should be reclaimed from any remote sources and stored in a single location or on a single database, with appropriate security and back-up.

Section 6: University Position on charging for Subject Access Requests

The Act permits organisations to charge up to £10 for responding to Subject Access Requests. However, this is unlikely to cover the costs of responding to requests, particularly when a request involves locating information from numerous sources or where large volumes of information need to be photocopied and posted. There is no scope within the Act to charge more than £10 and, wherever possible, the University aims to waive this fee. Experience shows that this tends to limit requests to certain documents rather than a University-wide search and therefore reduces the workload associated with Subject Access Requests. If the University were to receive numerous requests from one individual, it may consider introducing the charge and is well within its rights to do so.

There may be other circumstances when a charge is made such as:

  • the data is difficult to locate or is held in multiple locations
  • there are large volumes of data to be supplied
  • consent from several third parties is required

If you receive a request for which you feel a charge should be made, please contact the Data Protection Officer for advice in the first instance.

Section 7: Exemptions

There are certain situations where the University may not be obliged to release information in response to a Subject Access Request.

Examples include:

  • Data containing information relating to a third party for which consent to release the information cannot be obtained (see Section 4 for more detail)
  • Examination scripts (although examiner comments MUST be released - see University Guidance on Examinations and Assessment for further information)
  • Management forecasts such as plans for redeployment, restructuring, promotions (if they would prejudice conduct of business/activity)
  • Information relating to legal proceedings being taken by the University against an individual.

Exemptions are an extremely complex part of the Act and must be treated with caution. If you think that an exemption might apply to a Subject Access Request received by your department or section, you should contact the Data Protection Officer in the first instance.

For further guidance, please contact the Data Protection Advisor in your department/section or the University's Data Protection Officer.