Under data protection legislation, individuals (data subjects) have the right to request that a data controller provides them with the following:
Confirmation that their personal data is being processed
Access to their personal data
Other supplementary information about the processing of their personal data.
A Subject Access Request (SAR) is simply a request made by, or on behalf of, an individual. Some requests are directly outside the scope of the subject access request regime and are handled by other processes:
A specific exemption exists in data protection legislation for access to information recorded by students during academic, professional or other exams. A SAR would not result in the provision of the work that the student submitted, however a copy of the comments recorded by examiners when marking scripts would be made available.
There is a specific exemption regarding confidential references that are sent and received by the University. Therefor these would not be provided.
Making a subject access request
A subject access request can be submitted verbally or in writing, but must describe the personal data required. If making a third party request for personal data, please note the special conditions below. Using the University's Data Subject Access Request Application Form will aid you in providing as much detail as possible relating to the request and will reduce the potential for delays pending clarification.
Proof of identification must be provided, comprising a copy of an official document containing photographic identification, e.g. passport or driving licence.
You can submit the form and/or proof of identification by email to firstname.lastname@example.org, but note that the University will only begin to process a request once it is in receipt of all items.
We may need to provide the response in an accessible format and will work with you to establish what is appropriate.
What happens once I have submitted a request?
The University will send you an acknowledgement of the request. If we need any clarification, or if proof of ID, we will contact you as soon as possible. Once we are in receipt of a clear request and proof of ID we will begin to locate and collate the relevant personal data.
What information will I receive?
The subject access right allows individuals the right to access personal data of which they are the subject. It does not provide the right to access entire documents if the documents do not fully comprise the personal data of the individual. Therefore, in response to a subject access request, an individual may receive partial or redacted documents.
Can I access the personal data of other individuals?
An individual only has the right to access personal data of which they are the subject and there is no right of access to the personal data of friends or family. However, there are some instances in which a request made on behalf of another individual or for a specific purpose (such as the detection or prevention of crime) will be considered. Please refer to Making a third-party request for personal data for further information.
When will I receive a response to my request?
Under data protection legislation, the University must respond within one calendar month of receiving a request and proof of ID, unless the request is particularly complex, in which case the deadline may be extended by a further two months. Where the University needs to extend a deadline we will write to inform the requestor of this.
How will I receive copies of personal data in response to my request?
Copies of personal data will normally be sent either electronically (by email attachment, using password protection and encryption). If you prefer, you can request that we provide personal data to you orally, but we will only do so if we are able to verify your identity first.
What if I am dissatisfied with the University's response to my request?
If you are dissatisfied with the way in which your subject access request has been processed or dissatisfied with the response that you have been given, please write to the Data Protection Officer in the first instance at email@example.com so that the University is provided with the opportunity to review the matter and respond to your concerns.
You can also ask the Information Commissioner's Office (ICO) to carry out an assessment to see whether it is likely or unlikely that the University has responded properly.
The ICO can be contacted at:
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
There are some circumstances under which the University will consider a request for access to personal data on behalf of another individual, or a request for access to personal data of another individual without their consent. These are:
The requestor is the parent of a child aged 12 years or under
The requestor has the written permission to make a request on behalf of another individual
The requestor has Power of Attorney or an order from the Court of Protection to act on behalf of another individual
The University believes that it is in the best interests of an individual who does not have the capacity to make a request themselves
The University deems that release can be justified under crime and taxation provisions.
In these circumstances the University may seek further information from the requestor in order to help determine whether we are willing to release any personal data.
A request for access to personal data made on behalf of a child
Children aged 13 and above are generally deemed mature enough to make decisions about the processing of their personal data and would normally be expected to submit a subject access request themselves. Where a parent of a child over the age of 13 submits a subject access request on the child's behalf, the University may contact the child to request their consent to the release of the personal data, or require the parent to provide written consent from the child.
A parent or guardian has the right to request access to their child's personal data, where the child is under 13 years old. The University will decide whether it is in the best interests of the child to make the disclosure. Please follow the subject access request process above, submitting a copy of a form of ID for yourself and the child.
A request for access to personal data made on behalf of an adult
A request for access to personal data made on behalf of an adult will need to be accompanied by a signed letter from the data subject which contains consent to the release of all or specific personal data to the requestor. Such requests are typically made by solicitors acting on behalf of a client.
A request for access to personal data made on behalf of an adult who does not have the capacity to make a request themselves will need to be accompanied by proof that the requestor has the authority to act on behalf of the data subject, such as through Power of Attorney or an order from the Court of Protection. Where authority is not provided, the University will consider on a case by case basis whether release of the personal data requested is in the best interests of the data subject. Please follow the subject access request process above, submitting a copy of a form of ID for yourself and the data subject and proof of your authority to act on behalf of the data subject.
A request for personal data for the purpose of law enforcement
The Data Protection Act 2018 contains some exemptions that permit the University to release personal data for the purpose of law enforcement:
Safeguarding national security (section 110)
The prevention or detection of crime, the apprehension or prosecution of offenders or the assessment or collection of any tax or duty or of any imposition of a similar nature (schedule 2).
A request for the release of personal data under these provisions would be typically made by a police force, the Department for Work and Pensions, a local authority or the Border and Immigration Agency. The University is not obliged to release personal data unless is it satisfied that it is reasonable to do so. Under these exemptions, personal data may be released without the consent of the data subject and outside of the purpose for which the personal data was originally collected.
A request for release of personal data for the purpose of law enforcement should be submitted using the requesting organisation's own form for that purpose. Police forces, for example, use standard forms as per guidance issued by the Association of Chief Police Officers (ACPO). The form should give full details of the personal data requested, a full explanation of the reason for the request and should be counter-signed by a senior officer of the organisation. Completed forms should be emailed to firstname.lastname@example.org. Requests will be acknowledged and a full response sent as soon as possible.