Requests for Personal Data
Requests for Personal Data from the Individual
Under Data Protection Legislation (GDPR and UK Data Protection Act 2018) an individual has the right of access to their personal data (Article 15 of the GDPR).
This states that an individual is entitled to obtain from the University:
confirmation that the University is processing their personal data;
a copy of their personal data;and
other supplementary information - this largely corresponds to the data set out in the University's Privacy Notices.
When an individual makes a request for access to their data (sometimes referred to as a Data Subject Access Request) the University is required to provide the information the individual is entitled to, in writing, without undue delay and in the majority of cases within 1 calendar month. It is therefore important that any such requests are identified promptly and referred without delay to the University's Data Protection Officer.
GDPR does not specify how an individual should make a request. Therefore, an individual can make a subject access request to the University verbally or in writing. It can be made to any part of the organisation (including by social media) and it doesn't have to be made to a special person or contact point. Therefore it is important that staff are aware that they may receive such requests, which may not explicitly state they are a Subject Access Request, and that they should forward them to the Data Protection Officer without delay.
However, there is a recommendation that organisations 'provide means for requests to be made electronically' and the University has published a Subject Access Request form which is intended to make the requesting of personal data easier for individuals.
We may ask an individual making a subject access request to provide proof of identity before we process their request.
Requests for Personal Data from Parents, Friends or Relatives
Requests for Personal Data from the Police or law enforcement officials
However, the University may choose to release information where the police, or other law enforcement agencies, can demonstrate to our satisfaction that non-release would be likely to prejudice the prevention/detection of crime or apprehension/prosecution of offenders.
However, the University is obliged to manage personal information in accordance with GDPR.
All such requests MUST be referred to the Data Protection Officer
Requests for Personal Data from other Third Parties
The University receives requests for personal data from a range of third parties. Some of these requests are based on a legal requirement to provide the information e.g. to HMRC re employees pay or the individual has provided their explicit consent. If the request is not part of the normal reporting of the University then it should be forwarded to the Data Protection Officer.