• What is a Subject Access Request (SAR)?

    The UK General Data Protection Regulation ("UK GDPR") Article 15 gives individuals the right of access to any of their personal data that the University holds about them.

    This is known as a Subject Access Request ("SAR").

  • What is personal data?

    Personal data is information that relates to a living individual.  The individual must be identified or identifiable either directly or indirectly from one or more identifiers or from factors specific to the individual.

  • What should a member of staff do upon receiving a SAR?

    If a SAR is received by any member of staff it hsould be forwarded immediately to Mrs Clare Jamison, University Secretary and Data Protection Officer, via email to gdpr@ulster.ac.uk or in hard copy to Mrs Clare Jamison, University Secretary, Ulster University, Cromore Road, Coleraine BT52 1SA

  • What is the time limit for responding to a SAR?

    The University must respond to a SAR as quickly as possible and no later than one calendar month.

    A calendar month starts on the day the University receives the request even if that day is a weekend or a public holiday. It ends on the corresponding calendar date of the following month.  However, if the end date falls on a Saturday, Sunday or bank holiday, the calendar month ends on the next working day.  Also, if the corresponding calendar date does not exist because the following month is shorter and there is no corrresponding calendar date, the date for response is the last day of the following month.

    The clock starts to tick as soon as a request is received and it is important that all requests are forwarded without delay to the University Secretary and Data Protection Officer, Mrs Clare Jamison, as detailed above.

    If the request is complex the response time can be extended to a maximum of 3 calendar months starting from the day after receipt of the request.

  • Does a SAR have to be in a particular format?

    A SAR does not have to be submitted in any particular format and can be made verbally or in writing. A request does not have to include the phrase 'subject access request' or refer to data protection legislation. It must however be clear that the requester is asking for their personal data.

    If the requester is not known to the University, the University will require sufficient information to verify their identity.

    SARs can be submitted via a third party usually by a solicitor acting on behalf of a client but sometimes an individual simply wants someone else to act for them.  The University needs to be satisfied that the third party making the request is entitled to act on behalf of the individual. It is the third party’s responsibility to provide evidence of this entitlement.

  • Is there a fee for processing SARs?

    The University cannot usually charge a fee for processing SARs except in limited circumstances, where the request is manifestly unfounded or excessive, or if an individual requests further copies fo their data, in which cases a 'reasonable fee' for the administrative costs of complying with a request may be charged.

  • What information is an individual entitled to?What information is an individual entitled to?

    Subject access is often used by individuals who want to see a copy of the personal data the University holds about them.  Under subject access an individual is also entitled to the following information:

    • the purposes for processing personal data
    • the categories of personal data concerned
    • the recipients or categories of recipient the University discloses the personal data to
    • the retention period for storing the personal data
    • the individual’s right to request rectification, erasure or restriction or to object to such processing
    • the right to lodge a complaint with the ICO or another supervisory authority
    • where personal data is not collected from the individual, any available information as to its source
    • the existence of automated decision-making (including profiling)
    • the safeguards the University provides if the data is transferred to a third country or international organisation
  • Is there any information exempt from subject access?

    There are some restrictions on disclosing information in response to a SAR e.g. where this would involve disclosing information about another individual. The University considers the applicaiton of exemptions on a case by case basis.

Staff training

Completion of the University’s online data protection training programme in Blackboard Learn is compulsory for all members of staff and some students.  Uptake of the training is monitored by the Office of the University Secretary. There is a test with a pass mark at the end of the training.

The training includes an overview of individual’s rights and guidance on how to exercise these rights.

If you have any queries in relation to the processing of SARs please contact the Office of the University Secretary at gdpr@ulster.ac.uk

Further information

Find out more about exercising your rights