Subject access request
1. What are your individual rights?
2. Subject access requests: What information can an individual have access to?
- you can only have access to your own personal data - you are not entitled to ask for other peoples' personal data
- the data must be personal. General information about the University is available via the University's Publication Scheme and by request under the provisions of the Freedom of Information Act 2000.
What is "personal data"?
Personal Data - information relating to an identifiable living person (somebody who can be identified either directly or indirectly from the data), including any expression of opinion or intent relating to the individual.
Whilst personal data is usually linked to an individual's name, it could also be:
- data linked to a unique identifier such as a national insurance number, staff or student number/code;
- a description of an individual from which an individual could be identified;
- a set of characteristics in a small statistical data set from which an individual could be identified;
- a photograph, digital image, CCTV, video or audio recording from which an individual or individuals could be identified;
- data which in combination with other data held by us or held by any third party to whom we disclose the data, could identify an individual.
In most cases it will be obvious whether the data relates to an individual, but where it isn't, we ask:
Is the data being processed, or could it easily be processed, to:
- record; or
something about an identifiable individual, or; as an incidental consequence of the processing, either:
- could you learn or record something about an identifiable individual; or
- could the processing have an impact on, or affect, an identifiable individual?
From ICO Guidance: Determining what is personal data (page 11)
Where and how is personal data held?
Personal data may be contained in:
- paper records and files
- electronic files and documents, e.g. spreadsheets, Word documents, pdfs and digital images held in individual staff folders, shared drives and folders or held on portable devices.
- corporate systems and databases
- cctv and other film recordings
Retention of Data
It should be noted that the Data Protection Act requires that organisations do not retain personal data for longer than necessary and therefore documents and correspondence may be destroyed after a given period of time in line with the requirements of the Act and the University's Document Retention Schedule. The University only retains a limited number of records relating to individuals permanently.
3. Making a subject access request
Individual's requests for access to their personal data must be made in writing to:
Data Protection Officer
Telephone: 0114 225 5555
- when requesting information, proof of identity should be enclosed.
- requests for information will be answered within one month of or receipt (in the case of exam results 5 months) and completion of any checks to confirm the identity of the requester.
- in cases where requests are deemed to be complex or numerous we may extend the period of compliance by a further 2 months
4. Exemptions to the right of subject access:
Current data protection law specifies a number of exemptions to the right of subject access. If we believe that an exemption applies, we will explain what we have withheld and why.
Third party data
In some cases, documents and records contain personal data relating to third parties as well as the requester's personal data. The Act only gives a requester a right of access to information relating to themselves.
The University is not obliged to disclose personal data relating to another individual unless that individual has consented and/or it is reasonable in all the circumstances to do so and will need to balance the rights of these third parties with the access rights of the requester.
The University takes into account whether consent for disclosure has been given, withheld, or expressly refused by the other individuals and also whether any duty of confidence is owed to the third parties. Consent is not the only factor which influences a decision to disclose third party personal data. As the data controller, however, the University has to be satisfied that it is reasonable in all the circumstances to disclose third party personal data in a subject access request without the consent of the third party. Usually we will contact the third parties to discuss the potential disclosure.
In such cases the University will consider the following options:
- disclosure of whole documents;
- disclosure of a redacted document (to remove third party personal data and other information which is not the personal data of the requester);
- disclosure of selected excerpts only;
- withholding the document entirely.
5. Further information
For queries and complaints relating to data protection issues and freedom of information at Sheffield Hallam University please contact:
Data Protection Officer
Governance and Sector Regulation
Telephone: 0114 225 5555
Members of the public may contact the Information Commissioner for advice or to make a complaint. See https://www.ico.org.uk/Global/contact_us for further information.
Sheffield Hallam University is not responsible for the content of external websites