Right of Access information
-
What is a Subject Access Request (SAR)?
The UK General Data Protection Regulation ("UK GDPR") Article 15 gives individuals the right of access to any of their personal data that the University holds about them.
This is known as a Subject Access Request ("SAR").
-
What is personal data?
Personal data is information that relates to a living individual. The individual must be identified or identifiable either directly or indirectly from one or more identifiers or from factors specific to the individual.
-
What should a member of staff do upon receiving a SAR?
If a SAR is received by any member of staff it should be forwarded immediately via email to gdpr@ulster.ac.uk or in hard copy to Mr Eoin Coyle, Data Protection & Information Compliance Manager, Ulster University, Cromore Road, Coleraine BT52 1SA
-
What is the time limit for responding to a SAR?
The University must respond to a SAR as quickly as possible and no later than one calendar month.
A calendar month starts on the day the University receives the request even if that day is a weekend or a public holiday. It ends on the corresponding calendar date of the following month. However, if the end date falls on a Saturday, Sunday or bank holiday, the calendar month ends on the next working day. Also, if the corresponding calendar date does not exist because the following month is shorter and there is no corresponding calendar date, the date for response is the last day of the following month.
The clock starts to tick as soon as a request is received and it is important that all requests are forwarded without delay to the Data Protection & Information Compliance Manager, Mr Eoin Coyle, as detailed above.
If the request is complex the response time can be extended to a maximum of 3 calendar months starting from the day after receipt of the request.
-
Does a SAR have to be in a particular format?
A SAR does not have to be submitted in any particular format and can be made verbally or in writing. A request does not have to include the phrase 'subject access request' or refer to data protection legislation. It must however be clear that the requester is asking for their personal data.
If an individual makes a verbal request that is then passed to the Data Protection & Information Compliance Unit, a follow up in writing will be issued asking for the individual to confirm that our understanding of the request is correct.
If the requester is not known to the University, the University will require sufficient information to verify their identity.
THIRD PARTY REQUESTS
SARs can be submitted via a third party usually by a solicitor acting on behalf of a client but sometimes an individual simply wants someone else to act for them. The University needs to be satisfied that the third party making the request is entitled to act on behalf of the individual. It is the third party’s responsibility to provide evidence of this entitlement.
There may be occassions where staff will be approached by the PSNI for information such as personal data or CCTV footage. The University will not release the personal data of individuals unless the appropriate Form 81 has been received by the Data Protection & Information Compliance Unit.
-
Is there a fee for processing SARs?
The University cannot usually charge a fee for processing SARs except in limited circumstances, where the request is manifestly unfounded or excessive, or if an individual requests further copies for their data, in which cases a 'reasonable fee' for the administrative costs of complying with a request may be charged.
-
What information is an individual entitled to? What information is an individual entitled to?
Subject access is often used by individuals who want to see a copy of the personal data the University holds about them. Under subject access an individual is also entitled to the following information:
- the purposes for processing personal data
- the categories of personal data concerned
- the recipients or categories of recipient the University discloses the personal data to
- the retention period for storing the personal data
- the individual’s right to request rectification, erasure or restriction or to object to such processing
- the right to lodge a complaint with the ICO or another supervisory authority
- where personal data is not collected from the individual, any available information as to its source
- the existence of automated decision-making (including profiling)
- the safeguards the University provides if the data is transferred to a third country or international organisation
-
Is there any information exempt from subject access?
There are some restrictions on disclosing information in response to a SAR e.g. where this would involve disclosing information about another individual. The University considers the application of exemptions on a case by case basis.
-
Is there an appeal process to a response?
If an applicant is not satisfied with how the University has dealt with the request, the matter can be raised under the University's internal review process for Subject Access Requests. Please submit written details of your appeal to Clare Jamison, Ulster University, Coleraine BT52 1SA, email at university secretary@ulster.ac.uk
The University will normally undertake to issue a decision on an appeal within 20 working days of receipt.
Staff training
Completion of the University’s online data protection training programme in Blackboard Learn is compulsory for all members of staff and some students. Uptake of the training is monitored by the Office of the University Secretary. There is a test with a pass mark at the end of the training.
The training includes an overview of individual’s rights and guidance on how to exercise these rights.
If you have any queries in relation to the processing of SARs please contact the Data Protection & Information Compliance Unit at gdpr@ulster.ac.uk