Subject Access Requests
Here is the process detailing how we handle your request:
Step 1: We Receive Your Subject Access Request
Step 2: We Collate The Information
Once the information you have requested has been confirmed the Data Protection Team will begin the process of contacting colleagues across the University and collating the information.
Step 3: We Review Your Information
Before we release your information to you, it is very important that we review it to ensure that it does not contain the personal data of other individuals (third parties). All personal information of other individuals will be redacted (removed or blocked out), as it is not relevant to you. If we have had to redact information, then this will be drawn to your attention in the covering letter.
If your request contains a substantial amount of information (from various sources), then reviewing it can be time consuming. We review information as we receive it and aim to release it to you within one calendar month of the request being received.
Step 4: We Release Your Information
Once the information has been reviewed we will contact you and confirm the details for releasing it to you. If you have requested that we provide your information electronically, this will be encrypted with a password. If you have requested that we send your information to you by post, then we will do so using Royal Mail ‘Signed For’ delivery.
If you have any queries regarding your requested information, then you will be able to raise these with us via firstname.lastname@example.org.
Step 5: We Delete Your Information
It is important that we do not retain your personal data for any longer than is necessary. Therefore, all of the information collated as part of your SAR will be deleted either 12 months after the release date, or 12 months after the last query you made regarding the request has been resolved; whichever is the later. Original copies of the requested information will remain where they were located and will be retained as per the University Data Retention Schedule.
All queries should be directed to the University’s Data Protection Officer in the first instance.