** significant changes made 26/07/02
Subject access requests
Under section 7 of the Act, data subjects have a right of access to any personal data held by a data controller. The data subject needs to make a request for subject access in writing, and should, if necessary, provide enough information to identify both themselves and any data held on them. The data controller has to communicate the information held to the data subject in an intelligible form within forty days, and can charge a maximum of £10 for doing so.
Universities tend to be made up of many sub-units, often working semi-autonomously. A typical University may have a central management structure, but with significant management responsibility devolved to Colleges, Faculties, Departments, Research Centres etc. There may be little communication between these various structures, and no commonality of record-keeping practices or electronic data storage systems. Additionally, most Universities will include a variety of specialist service providers with their own budgets and managerial autonomy, for example libraries, information systems departments, sports centres etc. Many Universities do not have a strong central management culture and there is often widespread distrust of the concept of central management, with many departments and sections operating autonomously. This autonomy is often prized, and many administrations find it impossible to enforce common practice within their institutions. Within academic departments in particular many individual staff may process the personal data of a given student, including heads of department, departmental officers, secretaries, lecturers, academic and pastoral tutors etc.
In this context, making an appropriate and complete response to a Subject Access Request made by a student (or, to a lesser extent, by a member of staff) can be extremely difficult, and potentially impossible. This situation is made worse by the increasing modularisation of current degree programmes, which can mean that some students will study with several different departments or centres, and will have records held in each.
Items of particular relevance from the 1998 Data Protection Act
Section 7. Right to subject access.
Section 14. Right to rectify incorrect data.
Schedule 7 (1). References.
Schedule 7 (8 and 9). Examination marks and scripts.
Items of particular relevance from the 2000 Freedom of Information Act
Sections 68 and 69. Extension of the subject access provisions of the 1998 Data Protection Act.
(i) The process of responding appropriately to a Subject Access Request may be significantly eased by institutions ensuring that:
- Responsibility for Data Protection matters is apportioned to a network of staff who can provide a co-ordinated response to any Subject Access Request. The most practical model will usually be for a single staff member (the institution's Data Protection Officer, or his/her immediate nominee) to act as the institution's point of contact for any subject making an access request and to co-ordinate the response to that request. Additionally, each managerial unit should have a nominated staff member who has responsibility for keeping track of any data holdings within their section, and for searching those holdings in response to a Subject Access Request.
- Every member of academic, administrative and support staff is issued with clear guidance on the need to streamline their record keeping wherever possible (for example, by not holding material that can be held by their departmental office) and on their responsibility to respond fully and promptly in the case of any Subject Access Request.
- Any subject who makes a Subject Access Request is issued with a form that will:
i) assist in confirming the identity of the enquirer, and
ii) help the Data Protection Officer target their search for relevant data (Section 7(3)). It is not recommended that subjects be asked to identify all areas of search by themselves, as it is unfair to expect them to understand how an institution's data holdings may be managed and structured. However, it is reasonable, for example, to provide the subject with a core list of sections that will be searched automatically (usually, the central institution or faculty/college registry, the library, the residences office, plus any academic unit with whom the student has studied). Subjects may then be asked to identify, perhaps by means of a tick-list, any additional units/sections that they have been in contact with (for example, Counselling, sports centres etc.) and which they would wish to have searched for relevant data.
- Clear policy is formulated on cases in which a subject access request would lead to incidental disclosure of details relating to some other third party (for example, a referee or another student). Such third party information should not be disclosed without first seeking the consent of the third party (section 7(4)(a)). If consent cannot be obtained (e.g. the third party cannot be contacted) or is refused, then the institution needs to consider whether or not disclosure is reasonable (section 7(4)(b)), taking into account any duty of confidentiality owed to the third party, the steps taken to seek consent, whether the third party is capable of giving consent, and any express refusal of consent (section 7(6)).
The balance to be made in deciding whether or not to disclose third party information is one between the impact on the third party of the disclosure, and the impact on the data subject of the disclosure being withheld. Where third parties have been acting in an official capacity it can be argued that the duty of confidence is lower than is otherwise the case. However, decisions need to be made on a case-by-case basis.
If it is decided that disclosure cannot be made, only that information which could identify the third party should be withheld (i.e. third party details are blanked out). In such circumstances it is good practice to explain to the data subject that some information has been withheld, and why.
- Third parties who regularly supply information on students (external examiners, referees, etc.) are informed that anything they submit may become available to the subject through a Subject Access Request, so that their consent to disclosure can be sought at that stage.
(ii) Institutions may wish to consider the long-term aim of rationalising their data holdings. This can have any number of benefits in terms of security, accuracy of data and long-term resource savings, and it will certainly help institutions make effective responses to Subject Access Requests. Self-evidently, the fewer data sources an institution has, the easier it will be to search these on receipt of a subject access request. Institutions should consider, therefore, managing their data on a single central database. Additionally, staff should be encouraged not to hold files on individual students, but to lodge any such information with their departmental officer. Personal data of departed staff and students should be reclaimed from any remote source and stored in a single location or on a single database, with appropriate security and back-up.
(iii) The Freedom of Information Act, 2000 (Sections 68 and 69) extends the definition of personal data to which subjects have right of access. Once this Act is in force, subject access rights will cover all data processed by public authorities, rather than only data which is an accessible record, or processed by electronic means, or held in a relevant filing system. Thus papers held loose on a desk or randomly in a folder will now be subject to the subject access provisions of the Data Protection Act. Effectively, it will be impossible for institutions to hide from the implications of Subject Access Request rights by keeping sensitive data in an unordered form. Section 69(2) of the FOI Act, however, does temper this new requirement, noting that "a public authority is not obliged to comply in relation to any unstructured data unless the request contains a description of that data". Thus, institutions may need to adapt their Subject Access Request forms so that they specifically ask data subjects whether there are particular data items or documents (for example, an External Examiners report) that they wish to see.
Frequently Asked Questions
** 1. Should institutions send a copy of their notification to anyone making a subject access request?
It is not a requirement of the 1998 Act that those who make a subject access request must automatically be given a copy of the data controller's notification. However, it is recommended that institutions ensure that all staff and students are made aware, preferably on arrival, of where they might see and/or obtain a copy of their institution's notification. For example, an institution might place a copy on its web-site.
** 2. To what lengths must an HEI go to ensure that the person making an SAR is who they say they are?
The Act makes no attempt to define what represents "appropriate technical and organisational [security] measures", but it is advisable to run stringent identity checks on those making subject access requests because of the potential breadth of data that might be disclosed to them. It is recommended that the minimum requirement be the provision of proof of identity that includes a photograph (for current students, this will usually be the student registration or Students Union card). If a third party is managing the request on behalf of a subject, then the signed, written consent of the subject must be obtained. The signature should be verified for authenticity.
** 3. Must examination board minutes be included in an SAR response if they name/identify the individual subject?
Yes. Where minutes refer to an individual and are stored in a relevant filing system then they must be considered personal data (in due course, the Freedom of Information Act will mean that even minutes not stored in any structured way will be accessible under individuals' subject access rights). In responding to any subject access request, care must be taken to ensure that the subject sees only the relevant material, with references to third parties being obscured/erased.
** 4. If an institution has to search through all email holdings to answer a student's subject access request, must employees give their consent first?
There are several, possibly conflicting, issues raised here. Firstly, employees have a right to privacy (under Section 7(4) of the Act) and personal emails, for example, should not be looked at without good cause. Secondly, those making a subject access request have a right of access to their data, including emails between third parties about them. Also of relevance is Section 7(3) of the Act, which allows data controllers to obtain reasonable information from data subjects to enable them to trace an individual's personal data.
Balancing these issues suggests that, where a subject access request is received and either the data subject indicates, or the institution knows, that some personal data might be held in emails, the data subject should be asked to narrow down the search criteria to a level the institution considers reasonable, rather than the institution trawling through the personal data of many third parties (which is often technically difficult and time-consuming): for example, emails sent between specified individuals, and perhaps even only those sent on or around specific dates. The exact criteria depend on the size of the system and the ease of searching for references to an individual. If the data controller is to go any further than searching on email title (e.g. looking for references to the subject within the text of the emails), and such a general search is not technically easy to accomplish, then the level of detail the data subject provides to inform the search must be very high.
Even given the above considerations, however, institutions should ensure that employees and other email users are aware that the contents of their emails might be disclosed in certain circumstances, even if they do not give their consent.
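The narrowed search and third-party redaction described in this answer, worked through as an added example (this is illustrative code written for this guidance, not a tool the University uses, and every address, name, date and message in it is constructed):

```python
"""Narrowed subject access search over a mailbox export, with third-party redaction.

Added example for this guidance; not part of the original page. All addresses,
names, dates and messages below are hypothetical.
"""
from dataclasses import dataclass
from datetime import date
import re


@dataclass(frozen=True)
class Email:
    sender: str
    recipients: tuple
    sent: date
    subject: str
    body: str


# Constructed sample mailbox export (all hypothetical).
MAILBOX = [
    Email("tutor@example.ac.uk", ("dept.office@example.ac.uk",), date(2002, 3, 4),
          "Progress of J. Bloggs",
          "Joe Bloggs missed two tutorials. Cc'd Dr Patel for comment."),
    Email("dept.office@example.ac.uk", ("tutor@example.ac.uk",), date(2002, 3, 6),
          "Re: Progress of J. Bloggs",
          "Noted. Jane Smith (Counselling) has already been in touch."),
    Email("tutor@example.ac.uk", ("dept.office@example.ac.uk",), date(2002, 3, 5),
          "Field trip", "Budget for the field trip attached."),
    Email("library@example.ac.uk", ("tutor@example.ac.uk",), date(2002, 3, 5),
          "Overdue book", "Your loan is overdue."),
    Email("tutor@example.ac.uk", ("dept.office@example.ac.uk",), date(2002, 5, 20),
          "Timetable", "Can we move Thursday's seminar? Unrelated to Joe Bloggs."),
]


def search_for_subject(mailbox, subject_aliases, participants, window_start, window_end,
                       search_body=False):
    """Apply the narrowed criteria supplied by the data subject: only mail
    exchanged wholly between the named participants, sent within the ISO-date
    window, whose subject line (or body too, if search_body is set) mentions
    the data subject under any of the given name forms."""
    start, end = date.fromisoformat(window_start), date.fromisoformat(window_end)
    wanted = {p.lower() for p in participants}
    aliases = [a.lower() for a in subject_aliases]
    hits = []
    for mail in mailbox:
        parties = {mail.sender.lower(), *(r.lower() for r in mail.recipients)}
        if not parties <= wanted:
            continue  # involves a correspondent outside the narrowed set
        if not start <= mail.sent <= end:
            continue  # outside the dates the data subject specified
        haystack = mail.subject.lower()
        if search_body:
            haystack += "\n" + mail.body.lower()
        if any(alias in haystack for alias in aliases):
            hits.append(mail)
    return hits


def redact_third_parties(text, third_party_names, marker="[third party withheld]"):
    """Blank out the named third parties (section 7(4)) and return the
    redacted text together with the names actually withheld, so the response
    can tell the data subject that something was removed and why."""
    withheld = set()
    for name in third_party_names:
        text, count = re.subn(re.escape(name), marker, text, flags=re.IGNORECASE)
        if count:
            withheld.add(name)
    return text, withheld


def prepare_disclosure(hits, third_party_names):
    """Build the material to be supplied: date, subject and body of each hit
    with third-party names blanked out. Correspondent addresses are left out;
    whether staff acting in an official capacity may be identified is the
    case-by-case decision the guidance describes."""
    items = []
    withheld = set()
    for mail in hits:
        subject, w1 = redact_third_parties(mail.subject, third_party_names)
        body, w2 = redact_third_parties(mail.body, third_party_names)
        items.append({"sent": mail.sent.isoformat(), "subject": subject, "body": body})
        withheld |= w1 | w2
    return items, withheld


if __name__ == "__main__":
    hits = search_for_subject(MAILBOX, ("Joe Bloggs", "J. Bloggs"),
                              {"tutor@example.ac.uk", "dept.office@example.ac.uk"},
                              "2002-03-01", "2002-03-31")
    items, withheld = prepare_disclosure(hits, ["Dr Patel", "Jane Smith"])
    for item in items:
        print(item)
    print("Withheld third parties:", sorted(withheld))
```

The participant and date filters are applied before any text matching, so mail belonging to correspondents outside the narrowed set (the library message here) is never opened; the subject-line search is the default and body search has to be switched on explicitly, mirroring the answer's point that a deeper search needs correspondingly tighter criteria. The set of withheld names returned alongside the redacted text is what lets the response explain that third-party details were removed.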
SUBJECT ACCESS REQUEST FORM
1. Details of the person requesting the information.
Full name: ..........
Telephone number: .......... Fax number: ..........
2. Are you the Data Subject?
YES: if you are the Data Subject, please supply evidence of your identity, e.g. library card, driving licence, birth certificate (or photocopy) and, if necessary, a stamped addressed envelope for returning the document (please go to question 5).
NO: are you acting on behalf of the Data Subject with their written authority? If so, that authority must be enclosed (please complete questions 3 and 4).
3. Details of the Data Subject (if different from 1.)
Full name: ..........
Telephone number: .......... Fax number: ..........
4. Please describe your relationship with the Data Subject that leads you to make this request for information on their behalf.
5. If you wish to see only certain specific document(s), for example a particular examination report, a specific departmental file etc., please describe these below:
If you would like a more general search, please note that the University will normally automatically search the following sections for personal data:
Registry; Library; Residences Office; Finance Office; College Office; Information Systems Services; and any academic unit that you have studied with as part of your degree. Please tick below any other sections/departments that you have been in contact with which you would like to be searched for relevant data.
Other(s): please specify below:
(1) Personal data is processed if you have made an official complaint about, e.g., the standard of a residence room, launderette etc.
(2) If a CCTV search is wanted, please specify date(s), time(s) and location.
I, .........., certify that the information given on this application form to Lancaster University is true. I understand that it is necessary for the University to confirm my/the Data Subject's identity and that it may be necessary to obtain more detailed information in order to locate the correct information.
Signed: .......... Date: ..........
Please return the completed form to Andrew Okey, Data Protection Officer, University House, Lancaster University, LA1 4YW. Documents which must accompany this application are:
(i) evidence of your identity;
(ii) evidence of the Data Subject's identity (if different from above);
(iii) evidence of the Data Subject's consent to disclosure to a third party (if required as indicated above);
(iv) where appropriate, a fee of £10 (cheques to be made payable to Lancaster University);
(v) a stamped addressed envelope for return of proof of identity/authority documents, where appropriate.
Please note that the University reserves the right to obscure or suppress information that relates to other third parties (under the terms of Section 7 of the Data Protection Act 1998).
Office use only
Request received: ..........
'The material contained on this site is intended as a guide to Higher Education Institutions (HEIs) in the UK in complying with the Data Protection Act 1998. As such, it may be reproduced or adapted for use by HEIs. It is not intended and should not be treated as legal advice. The University of Lancaster can accept no liability in negligence or otherwise to those who rely directly or indirectly on any statements contained on this site.'
Webmaster: Malcolm Baldwin