Guidance for practitioners who have received a subject-access request
Step-by-step instructions on how to respond to a subject access request under data protection legislation.
Audience and scope
This guidance is for information practitioners responsible for responding to subject access requests for information held by their business areas.
What is a subject access request?
A subject access request applies to all personal data held by the University. If the information does not fulfil the definition of personal data then the University does not have to disclose it in response to a subject access request (although you may choose to do so at your discretion).
What to do
Obtain a valid subject access request
You must ensure the subject access request is valid.
A valid subject access request is one which:
- provides all the information you require to locate the information the person wants
- provides sufficient information to verify the data subject’s identity.
It is unlikely that the first contact from the data subject will provide all the relevant information, in which case you must write to the data subject. Use model letters 6, 7 or 8 depending on how much further information is required.
You have one month to provide the information requested once you have received all the necessary information.
Verify the data subject's identity
Before disclosing any personal information you must verify the identity of the data subject.
Whilst it is important that you do not send copies of personal information to people who are not the data subject, you must not appear obstructive.
Data Protection legislation requires you to take 'reasonable measures' to verify the identity of a data subject. You can often verify their identity from their circumstances, such as their address or signature.
For example, if the information being requested is a reference the application form can help you verify their identity: Is the signature or address on the application form the same as that given on the subject access request?
If you require further verification of the data subject's identity you have two options.
Verify identity by phone
Telephone the individual and ask them two questions, based on the information you hold about them, so as to confirm their identity.
Model letter 9 gives an example script for such a telephone conversation.
Verify identity in writing
Write to the individual and ask them to send you a photocopy of their passport or driver's licence (this option will take longer, and it is also possible that the individual does not have a passport or driver's licence).
Calculate the target date
Make sure you know when you need to have responded by.
Find relevant information
You will need to search the records in your business area for information about the person who has made the request. This may require searching files, e-mails or personal computer drives. Follow the instructions on how to search your records.
Screen the information
Not all personal information may be liable for disclosure. Providers of the information will have done an initial screening but you will need to check it.
Once you have collected together the information we hold about a data subject you must examine it in detail to establish if it should be disclosed.
This must be done on a case-by-case basis for each individual piece of information. In some cases you might have to disclose only parts of particular documents.
How to blank out exempt and/or irrelevant information
When answering a subject access request you may have to blank out parts of a document which are not liable for disclosure.
Hard copy documents
- Print out the document or, if it is a paper record, make a photocopy.
- Using a black marker pen, blank out the exempt information.
- Make a photocopy of the blanked out version. This is the copy that will go to the person making the request.
Electronic documents
- Using the highlighter tool, highlight the exempt information in black.
- Save the blanked out version as a separate copy.
- Print out the document and send to the data subject - do not send the document in electronic format as it is possible the highlighting could be removed.
Check the data subject
Check that the record is actually about the person concerned and not about someone else with the same name. For example, an email might carry the subject line 'Meeting about Tom Smith' but if the email only contains details about whether people can attend the meeting, the email is not about Tom Smith.
You should only print out documents or emails which are about the person making the subject access request.
Screen out duplicate records
For example, if you have had an email exchange with some colleagues you only need to print out the last email in the exchange if previous correspondence is included within it.
Obtain consent from staff acting in a private capacity
If a record was created by a member of staff acting in a private rather than an official capacity, only exceptional circumstances would justify its disclosure without their consent. If they are not prepared to disclose the record, do not disclose it. Please note that the University's computer regulations permit only limited personal use of the computing facilities.
Remove data about other individuals
You should only disclose information which is about the person making the subject access request. Where a document contains personal data about a number of individuals, including the data subject, you should not disclose the information about the third parties.
- If the record is primarily about the data subject, with incidental information about others, you should blank out the third party information (see above).
- If the record is primarily about third parties, withhold it if blanking out is not possible.
- Contact the third party to obtain consent to disclose the document if possible.
Letters 3-5 in the data protection model letters pack are for obtaining and acknowledging opinions of third parties.
The records may contain correspondence and comments about the data subject from a number of parties, including private individuals, external individuals acting in an official capacity, and University staff.
In these cases we are required to balance the interests of the third party against the interests of the data subject and often blank out third party information. If this situation arises, please contact the records management section for further guidance.
References which have been provided in confidence will usually be exempt from disclosure.
Preventing and detecting crime
Do not disclose information which would prejudice the prevention or detection of a crime.
For example, if the police informed us that a student is under investigation, but the student did not know this, then that information should not be provided to the student whilst the investigation is in progress.
However, if the investigation is closed or if the student has been informed that there is an investigation underway, then the information should be disclosed.
Do not disclose any records which:
- contain advice from our lawyers
- contain requests for legal advice
- were written as part of obtaining legal advice
Do not disclose information which is being used, or may be used in future, in negotiations with the data subject, if the information gives away our negotiating position and disclosing the information would weaken our negotiating position.
The exemptions above are those that are most likely to apply, but are not exhaustive. If you are concerned about disclosing any material, please get in touch.
You may discover material which does not reflect favourably on us. For example, you may find documents which show that standard procedures have not been followed, or documents which may cause offence to the data subject. These documents must be disclosed.
However, you should bring their contents to the attention of the relevant manager, and ensure that appropriate action is taken to address any issues they raise.
You must not destroy or refuse to disclose records because they would be embarrassing to disclose: this is a criminal offence if it is done after you know a subject access request has been made.
Keep a record
You need to keep a record for management purposes and log any queries in the request monitoring database.
Create a file for each subject access request and in it keep:
- Copies of the correspondence between yourself and the data subject, and between yourself and any other parties.
- A record of any telephone conversation used to verify the identity of the data subject.
- A record of your decisions and how you came to those decisions.
- Copies of the information sent to the data subject. For example, if the information was anonymised, keep a copy of the anonymised version that was sent to the data subject.
The file should be kept for one year and then securely destroyed.
Recording the request
If the Records Management Section are involved in dealing with the subject access request we will record the request on our system. We do this to monitor the number of information requests received and the staff time incurred.
If the Records Management Section are not involved, you need to keep a record of your handling of the request for management purposes. The record should be kept for five years from the date the response is sent.
Reply to the request
When you have satisfied all previous steps, write to the applicant.
Write to the applicant enclosing all information eligible for disclosure and/or an explanation as to why the information requested cannot be disclosed.
Our model letters pack provides some example text you can use.
Ensure you send the response out using a secure method. This usually means you should encrypt it.