This guide is to help Heriot-Watt University Group staff identify and process Data Subject Requests (DSRs) accurately, fairly, and in line with the University Data Protection Policy, procedures and relevant legislation.
All individuals have the right to know what information an institution holds about them, and to make requests relating to accessing, correcting, restricting use of and deleting this information. We are legally required to respond to DSRs, even if they appear vexatious or complex. These guidelines will give you a basic understanding of what you will have to do if you receive a request. If you receive a DSR and are uncertain about how best to handle it, or have any underlying concerns about releasing the information, contact the Heritage and Information Governance team at HIG@hw.ac.uk or 0131 451 3218 before you do anything else. We are here to help.
What does a DSR look like?
DSRs are quite simply a request for information relating to an individual and are usually submitted by the individuals themselves. There are some key points to remember when handling DSRs:
- The requester does not have to use the phrase ‘data subject/subject access request’
- The requester does not have to cite any law or policy for it to be considered a subject access request
- The request for information may be couched in another query or request, such as a Freedom of Information (Scotland) Act request, e.g. ‘under FOISA, I want to see my staff file’
- Some requests are routine, such as students or graduates asking for transcripts, and some are extremely complex, such as all correspondence with multiple recipients over a number of years
- Someone can make a DSR asking the University to take other actions, such as correcting, deleting or restricting use of their personal data
The following list provides an overview of the actions that will be required to process and respond to a data subject request. If you are unsure, contact HIG@hw.ac.uk for advice.
Who co-ordinates DSRs?
Some requests for information need to be dealt with as “business as usual”, e.g. academic transcript requests, or under other University policies and procedures, e.g. appeals against marks or grades, or complaints about services. If you receive a request from someone about their own personal data that you cannot answer as a matter of routine business, please forward their request promptly to the relevant team.
For requests to the University, the key points of contact are:
Employees and casual staff: contact Human Resources HRHelp@hw.ac.uk
Students: contact Student Service Centre, StudentCentre@hw.ac.uk
Edinburgh Business School: contact Student Compliance Manager firstname.lastname@example.org
For all other data subjects, or for complex requests: contact HIG, HIG@hw.ac.uk
Identify, validate and verify
- Identify and validate the request – it must be in writing (electronic or paper)
- If a request is made over the phone, ask the requester to submit a written version
- If someone asks for help in making a request, you can write down their request and ask them to affirm that the details are correct, sign and return it
- Remember to verify the identity of the requester. If you don’t recognise the requester, they must provide identifying information (e.g. a matriculation number and date of birth, or a driving licence). If someone is making a request on behalf of a data subject, check with the data subject that they have consented to this. If you feel uncertain or are not completely satisfied with the evidence provided, please contact the HIG team immediately
- Make sure you understand exactly what it is that is being requested.
- If it is a straightforward request, start the clock – one calendar month from the request being sent (NOT one month from you receiving it)
- If it is unclear, seek clarification from the requester. In these circumstances, the clock only starts upon receipt of the clarification – again, one month
- Inform HIG of the request, even if it is a straightforward one
- The HIG Team can provide advice
- If it is a complex case, the HIG Team will advise on the information gathering and assist in providing a response to the applicant on behalf of the University
If you receive a request that appears complex or particularly time-consuming, please contact HIG immediately so that we can assess how best to manage the request. If the request asks the University to take one or more of the following actions, again, please contact HIG straight away so that we can consider the right legal basis for responding.
- Correct inaccuracies in their data
- Delete or destroy their data
- Restrict use of and access to their data or put a hold on destroying their data
- Provide their data in an electronic format that can be imported into another IT system
- Stop processing their data
- Not to make a decision about them based on automated processing or profiling
Most complex cases revolve around the release of correspondence where the applicant/requester has been the subject of email correspondence between several colleagues. Below are guides on how to manage these requests.
If an applicant requests email correspondence:
Discuss with the applicant specifically what it is that they are looking for. Is it in relation to a specific exam? A particular grievance? Mitigating circumstances? The outcome of a viva or exam board? This gives the request focus and reduces the impact on workloads.
Contact colleagues and advise them that they will have to comply, go through their records, and provide any email exchanges relevant to the request. Give them a deadline that allows sufficient time for compiling and redacting (e.g. 10 days for gathering, and another 10 days for collation).
Staff must not delete any email correspondence once they are aware of the request. If emails have been inadvertently deleted, HIG can arrange for these to be recovered. Please note that wilfully destroying any documents after a DSR has been submitted is illegal and may result in court action, fines or imprisonment.
Managers should make sure that arrangements are in place to cover staff absences. Annual leave is not a valid justification for late responses.
Make sure to read through the material and remove any references to third parties or other individuals not relevant to the case.
Where subjective comments have been made about the applicant, you must notify HIG immediately. A member of the HIG team will advise accordingly.
If an applicant requests an explanation, e.g. ‘why did I not get a specific mark?’ or ‘what allegations were made against me?’:
- Identify the people involved in the case (staff and students) and seek their permission to release the information. Make sure that they are aware of the specific deadlines.
If they do not wish to have that information released, you must seek advice from HIG. It is not acceptable to decline a DSR on the grounds that involved parties do not wish to get involved.
We must balance the wishes of the applicant with our legal requirements and with our responsibilities to staff and students.
Information storage and release
How should I store the information requested?
Once the information has been gathered, it must be stored securely on your S Drive, in a folder that has been password protected. The password should be shared with as few colleagues as possible; we would advise that no more than 2 colleagues know it.
How should we release the information?
You must ask the applicant how they would prefer the information – hard copy or electronic?
If hard copy, ask the applicant to provide you with the address and send the information via tracked postal delivery or courier. Confirm by email that the information requested has been sent. Sometimes the applicant will offer to come and collect the information. This is perfectly acceptable as long as the applicant provides ID, such as their matriculation card or passport.
If electronic, convert the information to a PDF and password-protect it. Ask the applicant for details of the email account they want it sent to, and send a test email to make sure that the details are correct. Send the PDF document, and in the covering email confirm that the password will be sent separately.
REMEMBER – ALWAYS KEEP A COPY OF WHAT WE RELEASE
In the unlikely event that we are reported to the UK Information Commissioner for non-compliance with the request, or face subsequent legal action, the copies will be our evidence.
How long should I keep the information for?
We are required to keep a record of DSRs and the information requested for audit and compliance purposes. We need to keep DSR information for ‘date of last action + 6 years’. This means that we must keep it from the date of the last piece of correspondence to the end of the academic year, and then 6 years longer. This will ensure we comply with our retention schedules and minimise the risk of over-retention.
Information on providing transcripts and certificates can be found at the Student Service Centre.
More information and guidance about Data Protection can be found on the Heritage and Information Governance pages. Further information on GDPR for managers, and a guide to secure passwords and encryption, are also available there.