Right of Access (Subject Access Requests)
What is a Subject Access Request (SAR)?
The EU General Data Protection Regulation (GDPR) Article 15 gives individuals the right of access to any of their personal data that the University holds about them.
This is known as a Subject Access Request (SAR).
What is personal data?
Personal data is information that relates to a living individual. The individual must be identified or identifiable either directly or indirectly from one or more identifiers or from factors specific to the individual.
What is the time limit for responding to a SAR?
The University must respond to a SAR as quickly as possible and no later than one calendar month.
A calendar month starts on the day the University receives the request even if that day is a weekend or a public holiday. It ends on the corresponding calendar date of the following month. If this is not possible because the following month is shorter and there is no corresponding calendar date, the date for response is the last day of the following month.
The clock starts to tick as soon as a request is received and it is important that all requests are forwarded without delay to the University Secretary via email at email@example.com or in hard copy to University Secretary, Ulster University, Cromore Road, Coleraine BT52 1SA.
If the request is complex the response time can be extended to a maximum of 3 calendar months starting from the day after receipt of the request.
Does a SAR have to be in a particular format?
A SAR does not have to be submitted in any particular format and can be made verbally or in writing. A request does not have to include the phrase 'subject access request' or refer to data protection legislation. It must however be clear that the requester is asking for their personal data and has provided sufficient information to allow the University to locate the required information.
If the requester is not known to the University the University will require sufficient information to verify their identity.
SARs can be submitted via a third party usually by a solicitor acting on behalf of a client but sometimes an individual simply wants someone else to act for them. The University needs to be satisfied that the third party making the request is entitled to act on behalf of the individual. It is the third party’s responsibility to provide evidence of this entitlement.
Is there a fee for processing SARs?
There is no fee for processing SARs.
What information is an individual entitled to?
Subject access is often used by individuals who want to see a copy of the information the University holds about them. Under subject access an individual is also entitled to other information including:
- the purposes for processing personal data
- the categories of personal data concerned
- the recipients or categories of recipient the University discloses the personal data to
- the retention period for storing the personal data
- the individual’s right to request rectification, erasure or restriction or to object to such processing
- the right to lodge a complaint with the ICO or another supervisory authority
- the existence of automated decision-making (including profiling)
- the safeguards the University provides if the data is transferred to a third country or international organisation
Is there any information exempt from subject access?
There are some restrictions on disclosing information in response to a SAR i.e. where this would involve disclosing information about another individual. The University considers restrictions on a case by case basis.
Completion of the University’s online data protection training programme in Blackboard Learn is compulsory for all members of staff and some students. Uptake of the training is monitored by the Office of the University Secretary. There is a test with a pass mark at the end of the training.
The training includes an overview of individual’s rights and guidance on how to exercise these rights.
If you have any queries in relation to the processing of SARs please contact the Office of the University Secretary at firstname.lastname@example.org or by telephone on (028) 7012 4533.