Subject Access Requests
What is a subject access request?
Under data protection legislation, individuals (data subjects) have the right to request that a data controller provides them with the following:
- Confirmation that their personal data is being processed
- Access to their personal data
- Other supplementary information about the processing of their personal data.
A subject access request is simply a written request made by, or on behalf of, an individual.
Requests for replacement degree parchments or verification of attendance/qualifications fall outside of the scope of the subject access request regime. Please direct requests for replacement degree parchments to Student Registry at firstname.lastname@example.org and requests for verification of attendance/qualifications to Student Registry at email@example.com.
Please see below for further information on the following:
- Making a subject access request (a request relating to personal data of which you are the data subject)
- Making a third party request for personal data (a request relating to personal data of which someone else is the data subject)
Making a subject access request
How do I make a subject access request?
A subject access request must be made in writing and must describe the personal data required. Proof of identification must also be enclosed, comprising a copy of an official document containing photographic identification such as a copy of your passport or driving licence. The University also charges £10 to administer a subject access request, as permitted by data protection legislation.
Please complete the University's Subject Access Request form and send it along with your proof of ID and £10 payment to the following address:
The University will only begin to process a request once it is in receipt of all three items.
What if I am unable to make a request in writing?
If you are unable to make a request in writing please contact the University's Information Governance Unit using the contact details above (or by telephoning 0191 3346103 or 0191 3346246) and we will make arrangements to help you submit a request.
What happens once I have submitted a request?
The University will send you an acknowledgement of the request. If we need any clarification, or if proof of ID and/or the £10 fee are missing, we will contact you as soon as possible. Once we are in receipt of a clear request, proof of ID and the £10 fee we will begin to locate and collate the relevant personal data.
What information will I receive?
The subject access right allows individuals the right to access personal data of which they are the subject. It does not provide the right to access entire documents if the documents do not fully comprise the personal data of the individual. Therefore, in response to a subject access request, an individual may receive partial or redacted documents.
Can I access the personal data of other individuals?
An individual only has the right to access personal data of which they are the subject and there is no right of access to the personal data of friends or family. However, there are some instances in which a request made on behalf of another individual or for a specific purpose (such as the detection or prevention of crime) will be considered. Please see the section 'Making a third party request for personal data' below for further information.
When will I receive a response to my request?
Under data protection legislation, the University must respond within 40 calendar days of receiving a request and proof of ID and the £10 fee unless the request is particularly complex, in which case the deadline may be extended by a further two months. Where the University needs to extend a deadline we will write to inform the requestor of this.
How will I receive copies of personal data in response to my request?
Copies of personal data will normally be sent either electronically (by email attachment, using password protection and encryption) or in hard copy (by the Royal Mail's 'Signed For' service). If you prefer, you can request that we provide personal data to you orally, but we will only do so if we are able to verify your identity first.
What if I am dissatisfied with the University's response to my request?
If you are dissatisfied with the way in which your subject access request has been processed or dissatisfied with the response that you have been given, please write to the Information Governance Manager in the first instance c/o firstname.lastname@example.org so that the University is provided with the opportunity to review the matter and respond to your concerns.
You can also ask the Information Commissioner's Office (ICO) to carry out an assessment to see whether it is likely or unlikely that the University has responded properly. The ICO can be contacted at:
Making a third party request for personal data
There are some circumstances under which the University will consider a request for access to personal data on behalf of another individual, or a request for access to personal data of another individual without their consent. These are:
- The requestor is the parent of a child under the age of 12
- The requestor has the written permission to make a request on behalf of another individual
- The requestor has Power of Attorney or an order from the Court of Protection to act on behalf of another individual
- The University believes that it is in the best interests of an individual who does not have the capacity to make a request themselves
- The University deems that release can be justified under crime and taxation provisions.
In these circumstances the University may seek further information from the requestor in order to help determine whether we are willing to release any personal data.
A request for access to personal made on behalf of a child
Children aged 12 and above are gererally deemed mature enough to make decsions about the processing of their personal data and would normally be expected to submit a subject access request themselves. Where a parent of a child over the age of 12 submits a subject access request on the child's behalf, the University may contact the child to request their consent to the release of the personal data, or require the parent to provide written consent from the child.
A parent has the right to request access to their child's personal data, where the child is under 12 years old. The University will decide whether it is in the best interests of the child to make the disclosure. Please follow the subject access request process above, submitting a copy of a form of ID for yourself and your child.
A request for access to personal data made on behalf of an adult
A request for access to personal data made on behalf of an adult will need to be accompanied by a signed letter from the data subject which contains consent to the release of all or specific personal data to the requestor. Such requests are typically made by solicitors acting on behalf of a client.
A request for access to personal data made on behalf of an adult who does not have the capacity to make a request themselves will need to be accompanied by proof that the requestor has the authority to act on behalf of the data subject, such as through Power of Attorney or an order from the Court of Protection. Where authority is not provided, the University will consider on a case by case basis whether release of the personal data requested is in the best interests of the data subject. Please follow the subject access request process above, submitting a copy of a form of ID for yourself and the data subject and proof of your authority to act on behalf of the data subject.
A request for personal data for the purpose of law enforcement
The Data Protection Act 1998 contains some exemptions (sections 28 and 29) that permit the University to release personal data for the purpose of law enforcement:
- Safeguarding national security (section 28)
- The prevention or detection of crime, the apprehension or prosecution of offenders or the assessment or collection of any tax or duty or of any imposition of a similar nature (section 29).
A request for the release of personal data under section 28 or 29 would be typically made by a police force, the Department for Work and Pensions, a local authority or the Border and Immigration Agency. The University is not obliged to release personal data unless is it satisfied that it is reasonable to do so. Under these exemptions, personal data may be released without the consent of the data subject and outside of the purpose for which the personal data was originally collected.
A request for release of personal data for the purpose of law enforcement should be submitted using the requesting organisation's own form for that purpose. Police forces, for example, use standard forms as per guidance issued by the Association of Chief Police Officers (ACPO). The form should give full details of the personal data requested, a full explanation of the reason for the request and should be counter-signed by a senior officer of the organisation. Completed forms should be emailed to email@example.com. Requests will be acknowledged and a full response sent as soon as possible.