Requests for Personal Data
Under Data Protection Legislation (UK GDPR and UK Data Protection Act 2018) an individual has the right of access to their personal data (Article 15 of the UK GDPR).
This states that an individual is entitled to obtain from the University:
When an individual makes a request for access to their data (sometimes referred to as a Data Subject Access Request) the University is required to provide the information the individual is entitled to, in writing, without undue delay and in the majority of cases within 1 calendar month. It is therefore important that any such requests are identified promptly and referred without delay to the Information Governance Officer.
UK GDPR does not specify how an individual should make a request. Therefore, an individual can make a subject access request to the University verbally or in writing. It can be made to any part of the organisation (including by social media) and it doesn’t have to be made to a special person or contact point. Therefore it is important that staff are aware that they may receive such requests, which may not explicitly state they are a Subject Access Request, and that they should forward them to the Information Governance Officer without delay.
However, there is a recommendation that organisations ‘provide means for requests to be made electronically’ and the University has published a Subject Access Request form which is intended to make the requesting of personal data easier for individuals. Subject Access Form is available to download here.
We may ask an individual making a subject access request to provide proof of identity before we process their request.
The University will not release personal data about an individual to a parent, friend or relative without the individual’s explicit consent.
The University is not legally obliged to provide information to the police, unless presented with a court order.
However, the University may choose to release information where the police, or other law enforcement agencies, can demonstrate to our satisfaction that non-release would be likely to prejudice the prevention/detection of crime or apprehension/prosecution of offenders.
The University will aim to support police investigations where possible.
However, the University is obliged to manage personal information in accordance with UK GDPR.
All such requests MUST be referred to the Information Governance Officer
The University receives requests for personal data from a range of third parties. Some of these requests are based on a legal requirement to provide the information e.g. to HMRC re employees pay or the individual has provided their explicit consent. If the request is not part of the normal reporting of the University then it should be forwarded to the Information Governance Officer.
Staff can access additional information about requests for personal data from third parties in the Data Protection Policy.