Data subject requests
Who can make a data request?
Everyone has the right to know what information an institution holds about them, and to make requests relating to it. We are legally required to respond to data subject access requests (DSARs), even if they appear vexatious or complex.
A DSAR is a request for information relating to a person and is usually made by that person.
- The requester does not have to use the phrase ‘data subject/subject access request’.
- The requester does not have to cite any law or policy for it to be considered a subject access request.
- The request may be given mistakenly as, for example, a Freedom of Information (FOI) request, but we must correctly identify and deal with it as a DSAR.
- DSARs can be simple – such as students or graduates asking for transcripts – or more complex, concerning correspondence with multiple recipients over several years.
- A DSAR may also ask the University to correct, delete or restrict use of the requester's personal data.
Dealing with DSARs
Who to contact
If you are unsure how to deal with a DSAR or have any concerns about releasing the information, contact the Information Governance (IG) team at firstname.lastname@example.org or 0131 451 3218 right away.
Some requests for information need to be dealt with as 'business as usual' (for example, academic transcript requests) or under other University policies and procedures (for example, appeals against marks or grades or complaints about services).
If you get a DSAR you cannot answer routinely, the main contacts are:
- Employees and casual staff: contact Human Resources, HRHelp@hw.ac.uk
- Students: contact the Student Service Centre, StudentCentre@hw.ac.uk
- Edinburgh Business School: contact the Student Compliance Manager, email@example.com
- For all other data subjects, or for complex requests: contact Information Governance, firstname.lastname@example.org
Identify, validate and verify
If you get a DSAR you can answer yourself:
Identify and validate the request – it must be in writing, either electronic or paper:
- If a request is made by phone, ask the requester to submit a written version.
- If someone asks for help in making a request, you can write down their request and ask them to confirm that the details are correct, then sign and return it.
- Remember to verify the identity of the requester. If you don’t recognise the requester, they must provide identifying information (for example, a matriculation number and date of birth, or a driving licence).
- If someone is making a request on behalf of someone else, check that they have the consent of the other person. If you feel uncertain or are not completely satisfied with the evidence provided, please contact the Information Governance team right away.
Make sure you understand exactly what it is that is being requested:
- If it is a straightforward request, note the deadline for answering it – one calendar month from the date the request was sent, not one month from the date you received it.
- If it is unclear, seek clarification from the requester. In this case, the deadline is one calendar month after the clarification.
Inform Information Governance of the request, even if it is a straightforward one:
- The IG team can provide advice.
- If it is a complex case, the team will advise on gathering the information and help you to give a response.
Please contact IG right away if you get a request that looks complex or time-consuming or if the requester asks the University to do any of the following:
- Correct inaccuracies in their data
- Delete or destroy their data
- Restrict use of and access to their data or put a hold on destroying their data
- Provide their data in an electronic format that can be imported into another IT system
- Stop processing their data
- Not make a decision about them based on automated processing or profiling.
Requests for email correspondence
Most complex cases arise when the DSAR asks for email correspondence about the requester that will have involved several colleagues.
First, discuss with the applicant specifically what they are looking for. For example, is it in relation to a specific exam, grievance or mitigating circumstance? This gives the request focus and reduces the impact on workloads.
Then contact the colleagues involved and advise them that they must comply: go through their records and provide any email exchanges relevant to the request. Give them a deadline that allows enough time for compiling and redacting, for example 10 days for gathering and another 10 days for collation.
Staff must not delete any email correspondence once they are aware of the request. If emails have been inadvertently deleted, IG can arrange for these to be recovered. Wilfully destroying any documents after a DSAR has been submitted is illegal and subject to court action, fines or imprisonment.
Managers should make sure that arrangements are in place to cover staff absences. Annual leave is not a valid justification for late responses.
Read through the material and remove any references to third parties or other individuals not relevant to the case.
Where subjective comments have been made about the applicant, you must notify IG immediately, and we will advise accordingly.
Requests for explanations
A DSAR may ask for a specific reason for something, such as 'Why did I not get a specific mark?' or 'What allegations were made against me?'
In this case, identify the staff and students involved in the case and seek their permission to release the information. Make sure that they are aware of the specific deadlines. If they do not wish to have that information released, seek advice from IG.
We cannot decline a DSAR on the grounds that involved parties do not wish to get involved.
We must also balance the wishes of the applicant with our legal requirements and with our responsibilities to staff and students.
Storing the information
Once the information has been gathered, it must be stored securely on your S Drive, in a folder that has been password protected. The password should only be shared with at most two colleagues.
We must keep a record of DSARs for audit and compliance purposes for six academic years after the end of the academic year in which the request was made.
If we are reported to the UK Information Commissioner for non-compliance with a request, or face subsequent legal action, these copies will be our evidence.
Releasing the information
You must ask the applicant how they would prefer to receive the information: hard copy or electronic.
If hard copy, ask the applicant to give you the address and send the information via tracked postal delivery or courier. Confirm to the requester by email that the information has been sent to them. Sometimes, they will offer to come and collect the information. This is acceptable as long as they give proof of identity such as their matriculation card or passport.
If electronic, convert the information to a PDF and password-protect it. Ask the applicant for details of the email account they want it sent to, and send a test email to make sure that the details are correct. Send the PDF document, and in the covering email confirm that the password will be sent separately.
Information on providing transcripts and certificates can be found at the Student Service Centre.
For more about data protection, see the Information Governance pages. Further information on GDPR for managers, and a guide to secure passwords and encryption, are also available.