Subject access request
Data subject - the living identifiable person to whom the data relates.
Data controller - the natural or legal person/body/organisation/agency which alone or jointly with others determines the purposes and means of processing the personal data - Sheffield Hallam University is registered as a data controller. Members of staff are considered to be acting on behalf of the data controller when they process personal data.
2. What are your individual rights?
The Data Protection Act 1998 gives all data subjects the following rights:
- to find out what information a data controller holds about you - the right of subject access - see below
- to prevent the data controller from using your personal data for the purposes of direct marketing
- to notify the data controller that information held about you is inaccurate
- to have inaccurate information about you amended or destroyed
- to object to your data being processed if the processing is likely to cause you or someone else to suffer substantial damage or distress which is unjustified
- to claim compensation if you have suffered damage or distress as a result of the data controller failing to comply with the Act
- to ask the Information Commissioner to assess whether your personal data has been processed lawfully
3. Subject access requests: What information can an individual have access to?
- you can only have access to your own personal data - you are not entitled to ask for other people's personal data
- the data must be personal. General information about the University is available via the University's Publication Scheme and by request under the provisions of the Freedom of Information Act 2000.
What is "personal data"?
Personal Data - information relating to an identifiable living person (somebody who can be identified either directly or indirectly from the data), including any expression of opinion or intent relating to the individual.
Whilst personal data is usually linked to an individual's name, it could also be:
- data linked to a unique identifier such as a national insurance number, staff or student number/code;
- a description of an individual from which an individual could be identified;
- a set of characteristics in a small statistical data set from which an individual could be identified;
- a photograph, digital image, CCTV, video or audio recording from which an individual or individuals could be identified;
- data which in combination with other data held by us or held by any third party to whom we disclose the data, could identify an individual.
In most cases it will be obvious whether the data relates to an individual, but where it isn't, we ask:
Is the data being processed, or could it easily be processed, to:
- record; or
something about an identifiable individual, or; as an incidental consequence of the processing, either:
- could you learn or record something about an identifiable individual; or
- could the processing have an impact on, or affect, an identifiable individual?
From ICO Guidance: Determining what is personal data (page 11)
Where and how is personal data held?
Personal data may be contained in:
- paper records and files
- electronic files and documents, e.g. spreadsheets, Word documents, PDFs and digital images held in individual staff folders, shared drives and folders or held on portable devices
- corporate systems and databases
- CCTV and other film recordings
Retention of Data
It should be noted that the Data Protection Act requires that organisations do not retain personal data for longer than necessary and therefore documents and correspondence may be destroyed after a given period of time in line with the requirements of the Act and the University's Document Retention Schedule. The University only retains a limited number of records relating to individuals permanently.
4. Making a subject access request
Individuals' requests for access to their personal data must be made in writing to:
Information Governance Officer
Sheffield Hallam University
- a fee of £10 is payable per request
- when requesting information, proof of identity should be enclosed.
- requests for information will be answered within 40 days (in the case of exam results 5 months) of receipt of the fee and completion of any checks to confirm the identity of the requester.
Applicants are asked to submit a Subject Access Request Form. This is not mandatory, but will assist the University to locate the personal data and to focus the searches for data.
5. Exemptions to the right of subject access:
The Act specifies a number of exemptions to the right of subject access. These include:
Crime and Taxation (Section 29) - i.e. where personal data is processed:
- for the prevention or detection of crime
- for the apprehension or prosecution of offenders
- for the assessment or collection of any tax or duty or of any imposition of a similar nature.
Research, history and statistics (Section 33) - the exemption applies only if:
- the results of the research or any resulting statistics do not identify data subjects;
- the data is not processed to support measures or decisions with respect to particular individuals;
- the processing of data for research will not cause substantial damage and distress to any individual; and,
- the data is otherwise processed in accordance with the Act.
- confidential references given by the data controller (Schedule 7 Paragraph 1) - although references received by Sheffield Hallam University should be disclosed in the event of a subject access request.
- management forecasts/management planning (Schedule 7 Paragraph 5) - where personal data is processed for the purposes of management forecasting or management planning and where subject access would be likely to prejudice the conduct of the business or other activity of the data controller.
- negotiations (Schedule 7 Paragraph 7) - where personal data consist of records of the intentions of the data controller in relation to any negotiations with the data subject to the extent that disclosure would be likely to prejudice those negotiations.
- examination marks (Schedule 7 Paragraph 8) - students cannot find out their exam mark before the results day by making a subject access request. Exam marks are exempt from the usual 40 day timescale, but data controllers must disclose this data either five months from the day on which they receive the request or 40 days from the announcement of the exam results, whichever is earlier.
- examination scripts (Schedule 7 Paragraph 9) - these are exempt from subject access, but examiners' comments are not exempt and students have a right of access to these.
- self-incrimination (Schedule 7 Paragraph 11) - where complying with a subject access request would reveal evidence of the commission of any offence, other than an offence under the DPA 98, exposing them to proceedings for that offence.
Third party data
In some cases, documents and records contain personal data relating to third parties as well as the requester's personal data. The Act only gives a requester a right of access to information relating to themselves.
The University is not obliged to disclose personal data relating to another individual unless that individual has consented and/or it is reasonable in all the circumstances to do so. The University will need to balance the rights of these third parties with the access rights of the requester.
The University takes into account whether consent for disclosure has been given, withheld, or expressly refused by the other individuals and also whether any duty of confidence is owed to the third parties. Consent is not the only factor which influences a decision to disclose third party personal data. As the data controller, however, the University has to be satisfied that it is reasonable in all the circumstances to disclose third party personal data in a subject access request without the consent of the third party. Usually we will contact the third parties to discuss the potential disclosure.
In such cases the University will consider the following options:
- disclosure of whole documents;
- disclosure of a redacted document (to remove third party personal data and other information which is not the personal data of the requester);
- disclosure of selected excerpts only;
- withholding the document entirely.
6. Further information
For queries and complaints relating to data protection issues and freedom of information at Sheffield Hallam University please contact:
Information Governance Officer
Sheffield Hallam University
Telephone: 0114 225 3361
The University's entry in the public register of data controllers can be found at: http://www.ico.org.uk. Please note that the entry is listed as "Sheffield Hallam University Higher Education Corporation".
Members of the public may contact the Information Commissioner for advice or to make a complaint. See https://www.ico.org.uk/Global/contact_us for further information.
The Information Commissioner publishes guidance for members of the public on how to submit a subject access request. See "Find out how to request your personal information".
Sheffield Hallam University is not responsible for the content of external websites