Subject access request
1. What are your individual rights?
2. Subject access requests: What information can an individual have access to?
- you can only have access to your own personal data - you are not entitled to ask for other peoples' personal data
- the data must be personal. General information about the University is available via the University's Publication Scheme and by request under the provisions of the Freedom of Information Act 2000. See here for further information.
What is "personal data"?
Personal Data - information relating to an identifiable living person (somebody who can be identified either directly or indirectly from the data), including any expression of opinion or intent relating to the individual.
Whilst personal data is usually linked to an individual's name, it could also be:
- data linked to a unique identifier such as a national insurance number, staff or student number/code;
- a description of an individual from which an individual could be identified;
- a set of characteristics in a small statistical data set from which an individual could be identified;
- a photograph, digital image, CCTV, video or audio recording from which an individual or individuals could be identified;
- data which in combination with other data held by us or held by any third party to whom we disclose the data, could identify an individual.
Where and how is personal data held?
Personal data may be contained in:
- paper records and files
- electronic files and documents, e.g. spreadsheets, Word documents, pdfs and digital images held in individual staff folders, shared drives and folders or held on portable devices.
- corporate systems and databases
- cctv and other film recordings
Retention of Data
It should be noted that the General Data Protection Regulation (GDPR) requires that organisations do not retain personal data for longer than necessary and therefore documents and correspondence may be destroyed after a given period of time in line with the requirements of data protection legislation and the University's Document Retention Schedule. The University only retains a limited number of records relating to individuals permanently.
3. Making a subject access request
Individual's requests for access to their personal data must be made in writing to:
Data Protection Officer
Telephone: 0114 225 5555
- when requesting information, proof of identity should be enclosed.
- requests for information will be answered within one month or receipt (in the case of exam results 5 months) and completion of any checks to confirm the identity of the requester.
- In cases where requests are deemed to be complex or numerous we may extend the period of compliance by a further 2 months
Applicants are asked to submit a Subject Access Request Form (doc, 65kb) (DOCX, 65KB). This is not mandatory, but will assist the University to locate the personal data and to focus the searches for data.
4. Exemptions to the right of subject access:
Current data protection law specifies a number of exemptions to the right of subject access. If we believe that an exemption applies, we will explain what we have withheld and why.
Third party data
In some cases, documents and records contain personal data relating to third parties as well as the requester's personal data. Data Protection legislation only gives a requester a right of access to information relating to themselves.
The University is not obliged to disclose personal data relating to another individual unless that individual has consented and/or it is reasonable in all the circumstances to do so and will need to balance the rights of these third parties with the access rights of the requester.
The University takes into account whether consent for disclosure has been given, withheld, or expressly refused by the other individuals and also whether any duty of confidence is owed to the third parties. Consent is not the only factor which influences a decision to disclose third party personal data. As the data controller, however, the University has to be satisfied that it is reasonable in all the circumstances to disclose third party personal data in a subject access request without the consent of the third party. Usually we will contact the third parties to discuss the potential disclosure.
In such cases the University will consider the following options:
- disclosure of whole documents;
- disclosure of a redacted document (to remove third party personal data and other information which is not the personal data of the requester);
- disclosure of selected excerpts only;
- withholding the document entirely.
5. Further information
For queries and complaints relating to data protection issues at Sheffield Hallam University please contact:
Data Protection Officer
Telephone: 0114 225 5555
Members of the public may contact the Information Commissioner for advice or to make a complaint. See https://ico.org.uk for further information.
Sheffield Hallam University is not responsible for the content of external websites