Data Protection Policy - Requests For Personal Information
Requests from the data subject (students and staff)
Although students and staff can be assumed to have a general entitlement to access the records the University holds about them, they have no right to demand to see the records immediately, without having first made a proper application (see section on 'Access to Personal Data').
The Data Protection Act 1998 recognises that in some circumstances the University might have a legitimate reason for not complying with a subject access request, so it provides a number of exemptions from the duty to do so, including:
- Confidential References - Personal Data is exempt from an individual’s right of subject access if it comprises a confidential reference that the University gives (or is to give) in connection with education, training or employment, appointing office holders, or providing services. The exemption only applies to references the University gives, and not to references received.
- Management Information - Personal Data that is processed for management forecasting or management planning is exempt from an individual’s right of subject access to the extent that providing access to such data would be likely to prejudice the business or other activity of the University.
- Negotiation - Personal Data that consists of a record of the University's intentions in negotiations with an individual is exempt from the subject information provisions to the extent that applying those provisions would be likely to prejudice the negotiations.
- Crime and Taxation - Personal data processed for certain purposes related to crime and taxation is exempt from the right of subject access.
- Legal Advice and Proceedings - Personal data is also exempt from the right of subject access if it consists of information for which legal professional privilege.
In order to have access to personal data, the data subject must complete the request form (Subject access request form), stating specifically what information is required. The form should then be passed to the departmental Data Protection contact to be dealt with. A charge of £10 applies to each request (the University reserves the right to review this fee at any time). The data subject must have proof of identity; in the case of a student, they must produce their library/I.D. card.
The University must provide the information within the specified time limit of 40 days. A reasonable time lapse must have occurred between each request, depending on how often the data is updated.
The Subject Access Request Forms must be passed to the Information Compliance Officer (FOI/DP) who will manage the request centrally.
Staff must be aware that all information held about a data subject is disclosable, including emails, CCTV images and opinions.
Individuals are entitled to know the purposes for which data is held, where it came from and those to whom it may be sent.