Submit a Subject Access Request FAQs

You do not have to make a SAR in writing, this can be done verbally. However, it is recommended to make it in writing where possible to ensure clarity. 

The ICT will carry out a reasonable and proportionate search within the parts of the University likely to hold any relevant information for your request, including areas/individuals that are specifically identified by your request as likely to hold relevant information. 

In respect of individuals named in requests and information held within individual’s email accounts, the University’s normal procedure is to ask individuals to conduct their own searches and return the data to the ICT, or to give permission to the central IT team to perform a search of their inbox on their behalf. 

Should they opt for the former, we instruct them to return the data and how, providing them with any of your suggested terms to search by, and to forward any data that refers to your personal data to us without alteration. They do not take any decisions as to what should or should not be included in their return and decisions about what whether something is or is not your personal data lies with the ICT. Lastly, we make it clear when we write to them that it is an offence to alter or delete any information once it has been received. 
This approach aligns with the University’s IT Regulations and balances the rights of third parties to privacy. 

We will handle your request in confidence and on a need-to-know basis. As outlined above, we need to inform data sources or information ‘owners’ of the fact that you have made a SAR in order to obtain relevant data. We may also need to consult third parties on the disclosure of any ‘mixed’ personal data – that is, any information that relates to both you and the third party that cannot be separated - so that we do not infringe on their privacy rights. We may also consult Legal Services. 

We aim to respond to all requests within the statutory deadline of one month from the date of receipt. However, it may be necessary for us to extend that deadline by a further two months, in accordance with the legislation, if we consider it is sufficiently complex to necessitate doing so. If that is the case, we will let you know within one calendar month of receipt of your request. 

The following are the most commonly applied exemptions in a University context:

• Exam Scripts – i.e. your handwritten answers to exams/assessments are exempt from disclosure (see Schedule 2, Part 4, Paragraph 25(1) of the Data Protection Act 2018).
• Confidential academic or employment references - References given in confidence can be withheld if disclosure would breach the promise of confidentiality given to the referee. If the information you have requested includes references that are not marked as confidential, and therefore not exempt from disclosure, please note that we will need to consult the referee on the disclosure of the reference, as the information is their personal data, as well as yours. We will give you the opportunity to confirm whether you would like us to proceed with consultation. 
• Information that is subject to legal professional privilege – this can be withheld if it would prejudice legal proceedings (see Paragraph 19, part 4 of Schedule 2 of the DPA 2018). 
• Information relating to third parties – a subject access request entitles you to access a copy of your own information. Information that unreasonably reveals personal data about someone else, or infringes their rights is exempt (see paragraph 16 of Schedule 2, Part 3 of the DPA 2018.). In order to respect the rights of third parties, we will typically seek their consent to disclose the information, unless we consider it reasonable to disclose without their consent.  
• Management information - data that relates to management forecasting or business planning if disclosure could prejudice the business activity (see paragraph 22 of Schedule 2, Part 4 of the DPA 2018)
• Information used for scientific, historical research or statistical purposes – this information is exempt if disclosure would seriously impair the research and provided appropriate safeguards are in place.  (Paragraphs 27 and 28 of Schedule 2, Part 5 of the DPA 2018)
• Negotiations – information that would prejudice our negotiations with you is exempt under Paragraph 23, Schedule 2 Part 4 of the DPA 2018.

There are other exemptions from the right of access – further details can be found on the ICO’s website.
 

With the exception of St Cross College, Reuben College and Kellogg College, the Colleges are legally separate to the University and data controllers in their own right under the UK GDPR. 

A request to the University will cover personal data contained in correspondence between the University and a college but will not include information held by the college alone. If you wish to access data held only by a college, you will need to submit a separate subject access request to that college. Advice on how to submit a subject access request to a college may be found on its website. A list of college websites is available here.
 

After having made your request, if you are not satisfied by the response, you may seek review by writing to the Head of Information Compliance in the first instance.  You may also submit a complaint to the Information Commissioners Office.