Subject Access Request Guidance
1. Introduction
This procedure outlines the University of Suffolk’s steps for receiving, processing, and responding to Subject Access Requests (SARs) or the Right of Access made under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
The Data Governance Team, on behalf of the University, has responsibility for overseeing the processing of SARs received.
2. Receiving a Subject Access Request
2.1 Who Can Submit a Request
Any individual (data subject) has the right to request access to their personal data held by the University of Suffolk. SARs can be made by the data subject or by a third party acting on their behalf, with appropriate authorisation.
2.2 Submission Methods
Ways in which SARs can be submitted include:
- In writing via email to datagovernance@uos.ac.uk
- Through the University of Suffolk Subject Access Request Form
2.3 Information Required
When submitting a SAR, the data subject should provide:
- A subject line or header that says "Subject Access Request";
- The date of the request;
- A full name of the data subject (and any other names where relevant);
- An email address;
- A University of Suffolk student or staff number if relevant;
- Specific details of the personal information being requested and, where possible, words or names to search for[1];
- Details or dates that will help us to find the information;
- If known, the names of individuals, teams, Schools or Directorates to request the information from;
- The reason the information is needed (this does not have to be included but will help us to find what is needed);
- How to receive the information (e.g. electronically or printed and sent by post) and any accessibility requirements (e.g. large fonts);
- Proof of identity in the form of two forms of identification, such as a scan or clear photograph of a passport, driver's license or staff/student ID card, to verify identity;
- For third party requests, please contact the Data Governance team for more information about appropriate authorisation on datagovernance@uos.ac.uk.
2.4 Acknowledgment of Request
Upon receipt of a SAR, the University will acknowledge the request in writing, confirming the date of receipt and the deadline for response. We will also let the data subject know how they can expect to receive the information. This will usually be a link to a secure Microsoft SharePoint folder containing the information requested, unless they have indicated they wish to receive it in an alternative format.
3. Processing a Subject Access Request
3.1 Verifying Identity
Before processing a SAR, the Data Governance Team will verify the identity documents provided by the requester, particularly if sensitive data is involved. The response period begins once identity verification is complete.
3.2 Clarifying the Request
If the SAR is broad or unclear, the Data Governance team may seek clarification from the requester. The response time may be paused until clarification is received.
3.3 Searching for Information
The University will consult relevant departments and staff to conduct a thorough search of all records, including but not limited to email folders, any applications within the Microsoft Office 365 suite used by staff and students, computer drives and hard-copy records. All staff are provided with clear guidance on conducting a thorough search in response to a Subject Access Request.
In order to search for the information, we will need to inform relevant departments and staff of the Subject Access Request and the name of the data subject. If this information needs to remain confidential, please inform the Data Governance team of this at the point of making the request.
3.4 Exemptions Under UK GDPR
Some personal data may be exempt from disclosure under the UK GDPR and DPA 2018, including but not limited to:
- Personal Data of Third Parties: Information identifying third parties will generally be redacted unless their consent is obtained, or it is reasonable to disclose without their consent.
- Confidential References: References given in confidence for education, training, or employment purposes may be exempt.
- Legal Professional Privilege: Communications protected by legal privilege are exempt.
- Examinations Data: Exam scripts and some examination-related information may be exempt, although exam results are generally disclosable.
Full details about when an organisation can refuse to comply with a request, and about any exemptions to the Right of Access, can be found on the Information Commissioner’s Office (ICO) website.
3.5 Refusing a Request
A SAR may be refused or a fee may be charged if:
- The request is manifestly unfounded or excessive (e.g., repetitive requests).
- The data subject's rights are outweighed by the rights and freedoms of others.
Full details about when an organisation can refuse to comply with a request or charge a reasonable fee to cover its administrative costs can be found on the Information Commissioner’s Office (ICO) website.
4. Responding to a Subject Access Request
4.1 Format of Response
The Data Governance Team on behalf of the University will provide the information in an easily accessible format. Unless advised otherwise, this will be by providing a link to a secure Microsoft SharePoint site containing the requested information.
4.2 Redaction of Information
Before disclosure, any information that identifies third parties will be redacted, unless an exemption applies or consent has been given.
4.3 Explanation of Data
Where necessary, the University will provide explanations or context for the data disclosed, especially where the data may be complex or open to interpretation.
4.4 Timeline
The University will respond to the SAR within one month of receipt. If the request is complex or involves large amounts of data, the deadline may be extended by up to two further months in accordance with the ICO guidance. The requester will be informed of any extension within the initial one-month period by the Data Governance Team.
5. Record Keeping and Review
5.1 Record of SARs
The Data Governance Team on behalf of the University will maintain a log of all SARs received, including dates, nature of the request, and actions taken. This record will be reviewed periodically to ensure compliance and identify areas for improvement. The University Board and relevant sub-committees receive reports on requests received and responded to.
5.2 Complaints and Appeals
If a data subject is dissatisfied with the response to their SAR, they have the right to:
- Request an internal review by contacting the Data Protection Officer (DPO) on datagovernance@uos.ac.uk or by completing the University of Suffolk Internal Review Form.
- Lodge a complaint with the Information Commissioner’s Office (ICO).
6. Contact Information
The University is committed to protecting the privacy rights of individuals and handling SARs in accordance with UK GDPR. This procedure will be reviewed regularly to ensure continued compliance.
For further guidance or to submit a SAR, please contact:
The Data Governance Team
University of Suffolk
datagovernance@uos.ac.uk
01473 338240
[1] The data subject must be specific about the information being requested, as simply asking for all the information held by the University might mean that they get a lot of information back that is not needed, or it may take us longer to share the information.
Date of publication: 16 September 2024