What is a subject access request?
Under data protection legislation, individuals (data subjects) have the right to request that a data controller provides them with the following:
A Subject Access Request (SAR) is simply a request made by, or on behalf of, an individual. Some requests are directly outside the scope of the subject access request regime and are handled by other processes:
Please direct requests for replacement degree parchments to Student Registry at email@example.com.
Please direct requests for verification of attendance/qualifications to Student Registry at firstname.lastname@example.org.
A specific exemption exists in data protection legislation for access to information recorded by students during academic, professional or other exams. A SAR would not result in the provision of the work that the student submitted, however a copy of the comments recorded by examiners when marking scripts would be made available.
There is a specific exemption regarding confidential references that are sent and received by the University. Therefor these would not be provided.
A subject access request can be submitted verbally or in writing, but must describe the personal data required. If making a third party request for personal data, please note the special conditions below. Using the University's Data Subject Access Request Application Form will aid you in providing as much detail as possible relating to the request and will reduce the potential for delays pending clarification. If you are unable to make a request in writing, telephone the University's Information Governance Unit on + 44 (0)191 334 6103 or +44 (0) 191 334 6246 and we will make arrangements to help you submit a request.
Proof of identification must be provided, comprising a copy of an official document containing photographic identification, e.g. passport or driving licence.
You can submit the form and/or proof of identification by email to email@example.com, but note that the University will only begin to process a request once it is in receipt of all items.
We may need to provide the response in an accessible format and will work with you to establish what is appropriate.
The University will send you an acknowledgement of the request. If we need any clarification, or if proof of ID, we will contact you as soon as possible. Once we are in receipt of a clear request and proof of ID we will begin to locate and collate the relevant personal data.
The subject access right allows individuals the right to access personal data of which they are the subject. It does not provide the right to access entire documents if the documents do not fully comprise the personal data of the individual. Therefore, in response to a subject access request, an individual may receive partial or redacted documents.
An individual only has the right to access personal data of which they are the subject and there is no right of access to the personal data of friends or family. However, there are some instances in which a request made on behalf of another individual or for a specific purpose (such as the detection or prevention of crime) will be considered. Please refer to Making a third-party request for personal data for further information.
Under data protection legislation, the University must respond within one calendar month of receiving a request and proof of ID, unless the request is particularly complex, in which case the deadline may be extended by a further two months. Where the University needs to extend a deadline we will write to inform the requestor of this.
Copies of personal data will normally be sent either electronically (by email attachment, using password protection and encryption). If you prefer, you can request that we provide personal data to you orally, but we will only do so if we are able to verify your identity first.
If you are dissatisfied with the way in which your subject access request has been processed or dissatisfied with the response that you have been given, please write to the Data Protection Officer in the first instance at firstname.lastname@example.org so that the University is provided with the opportunity to review the matter and respond to your concerns.
You can also ask the Information Commissioner's Office (ICO) to carry out an assessment to see whether it is likely or unlikely that the University has responded properly.
The ICO can be contacted at:
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113
There are some circumstances under which the University will consider a request for access to personal data on behalf of another individual, or a request for access to personal data of another individual without their consent. These are:
In these circumstances the University may seek further information from the requestor in order to help determine whether we are willing to release any personal data.
Children aged 13 and above are generally deemed mature enough to make decisions about the processing of their personal data and would normally be expected to submit a subject access request themselves. Where a parent of a child over the age of 13 submits a subject access request on the child's behalf, the University may contact the child to request their consent to the release of the personal data, or require the parent to provide written consent from the child.
A parent or guardian has the right to request access to their child's personal data, where the child is under 13 years old. The University will decide whether it is in the best interests of the child to make the disclosure. Please follow the subject access request process above, submitting a copy of a form of ID for yourself and the child.
A request for access to personal data made on behalf of an adult will need to be accompanied by a signed letter from the data subject which contains consent to the release of all or specific personal data to the requestor. Such requests are typically made by solicitors acting on behalf of a client.
A request for access to personal data made on behalf of an adult who does not have the capacity to make a request themselves will need to be accompanied by proof that the requestor has the authority to act on behalf of the data subject, such as through Power of Attorney or an order from the Court of Protection. Where authority is not provided, the University will consider on a case by case basis whether release of the personal data requested is in the best interests of the data subject. Please follow the subject access request process above, submitting a copy of a form of ID for yourself and the data subject and proof of your authority to act on behalf of the data subject.
The Data Protection Act 2018 contains some exemptions that permit the University to release personal data for the purpose of law enforcement:
A request for the release of personal data under these provisions would be typically made by a police force, the Department for Work and Pensions, a local authority or the Border and Immigration Agency. The University is not obliged to release personal data unless is it satisfied that it is reasonable to do so. Under these exemptions, personal data may be released without the consent of the data subject and outside of the purpose for which the personal data was originally collected.
A request for release of personal data for the purpose of law enforcement should be submitted using the requesting organisation's own form for that purpose. Police forces, for example, use standard forms as per guidance issued by the Association of Chief Police Officers (ACPO). The form should give full details of the personal data requested, a full explanation of the reason for the request and should be counter-signed by a senior officer of the organisation. Completed forms should be emailed to email@example.com. Requests will be acknowledged and a full response sent as soon as possible.