Foundation Year Network
What is a subject access request?
Under data protection legislation, individuals (data subjects) have the right to request that a data controller provides them with the following:
- Confirmation that their personal data is being processed
- Access to their personal data
- Other supplementary information about the processing of their personal data.
A subject access request is simply a written request made by, or on behalf of, an individual.
Making a subject access request
How do I make a subject access request?
A subject access request must be made in writing and must describe the personal data required. If making a third party request for personal data, please note the special conditions noted below. Using the Network’s Subject Access Request form (available on the Network’s website) will aid you in providing as much detail as possible relating to the request and will reduce the potential for delays pending clarification.
Proof of identification must also be provided, comprising a ‘certified copy’ of an official document containing photographic identification, e.g. passport or driving licence. Information on how to obtain a ‘certified copy’ is available from www.gov.uk/certifying-a-document.
Send the completed form and proof of ID to the following address:
Foundation Year Network
C/O Dr Doug Ingram
University of Nottingham
Room B02, Humanities Building
Nottingham, NG7 2RD
You can submit the form and/or certified proof of identification by email to email@example.com, but note that the Network will only begin to process a request once it is in receipt of all required items.
What if I am unable to make a request in writing?
If you are unable to make a request in writing please telephone the Secretary to the Network (+44 (0) 115 74 84992) and we will make arrangements to help you submit a request.
We may need to provide the response in an accessible format and will work with you to establish what is appropriate.
What happens once I have submitted a request?
The Network will send you an acknowledgement of the request. If we need any clarification or proof of ID, we will contact you as soon as possible. Once we are in receipt of a clear request and certified proof of ID we will begin to locate and collate the relevant personal data.
What information will I receive?
The subject access right allows individuals the right to access personal data of which they are the subject. It does not provide the right to access entire documents if the documents do not fully comprise the personal data of the individual. Therefore, in response to a subject access request, an individual may receive partial or redacted documents.
Can I access the personal data of other individuals?
An individual only has the right to access personal data of which they are the subject and there is no right of access to the personal data of friends or family. However, there are some instances in which a request made on behalf of another individual or for a specific purpose (such as the detection or prevention of crime) will be considered. Please refer to the “Making a third party request for personal data” section, below, for further information.
When will I receive a response to my request?
Under data protection legislation, the Network must respond within 40 calendar days of receiving a request and proof of ID unless the request is particularly complex, in which case the deadline may be extended by a further two months. Where the Network needs to extend a deadline we will write to inform the requestor of this.
How will I receive copies of personal data in response to my request?
Copies of personal data will normally be sent either electronically (by email attachment, using password protection and encryption) or in hard copy (by the Royal Mail’s ‘Signed For’ service). If you prefer, you can request that we provide personal data to you orally, but we will only do so if we are able to verify your identity first.
What if I am dissatisfied with the Network’s response to my request?
If you are dissatisfied with the way in which your subject access request has been processed or dissatisfied with the response that you have been given, please write to the Chair of Executive Committee in the first instance (firstname.lastname@example.org) so that the Network is provided with the opportunity to review the matter and respond to your concerns.
You can also ask the Information Commissioner’s Office (ICO) to carry out an assessment to see whether it is likely or unlikely that the Network has responded properly. The ICO can be contacted at:
Information Commissioner’s Office
Tel: 0303 1231113
Making a third party request for personal data
There are some circumstances under which the Network will consider a request for access to personal data on behalf of another individual, or a request for access to personal data of another individual without their consent. These are:
- The requestor is the parent of a child under the age of 12
- The requestor has the written permission to make a request on behalf of another individual
- The requestor has Power of Attorney or an order from the Court of Protection to act on behalf of another individual
- The Network believes that it is in the best interests of an individual who does not have the capacity to make a request themselves
- The Network deems that release can be justified under crime and taxation provisions.
In these circumstances the Network may seek further information from the requestor in order to help determine whether we are willing to release any personal data.
A request for access to personal made on behalf of a child
Children aged 12 and above are generally deemed mature enough to make decisions about the processing of their personal data and would normally be expected to submit a subject access request themselves. Where a parent of a child over the age of 12 submits a subject access request on the child’s behalf, the Network may contact the child to request their consent to the release of the personal data, or require the parent to provide written consent from the child.
A parent has the right to request access to their child’s personal data, where the child is under 12 years old. The Network will decide whether it is in the best interests of the child to make the disclosure. Please follow the subject access request process above, submitting a copy of a form of ID for yourself and your child.
A request for access to personal data made on behalf of an adult
A request for access to personal data made on behalf of an adult will need to be accompanied by a signed letter from the data subject which contains consent to the release of all or specific personal data to the requestor. Such requests are typically made by solicitors acting on behalf of a client.
A request for access to personal data made on behalf of an adult who does not have the capacity to make a request themselves will need to be accompanied by proof that the requestor has the authority to act on behalf of the data subject, such as through Power of Attorney or an order from the Court of Protection. Where authority is not provided, the Network will consider on a case by case basis whether release of the personal data requested is in the best interests of the data subject. Please follow the subject access request process above, submitting a copy of a form of ID for yourself and the data subject and proof of your authority to act on behalf of the data subject.
A request for personal data for the purpose of law enforcement
The Data Protection Act 1998 contains some exemptions (sections 28 and 29) that permit the Network to release personal data for the purpose of law enforcement:
- Safeguarding national security (section 28)
- The prevention or detection of crime, the apprehension or prosecution of offenders or the assessment or collection of any tax or duty or of any imposition of a similar nature (section 29).
A request for the release of personal data under section 28 or 29 would be typically made by a police force, the Department for Work and Pensions, a local authority or the Border and Immigration Agency. The Network is not obliged to release personal data unless is it satisfied that it is reasonable to do so. Under these exemptions, personal data may be released without the consent of the data subject and outside of the purpose for which the personal data was originally collected.
A request for release of personal data for the purpose of law enforcement should be submitted using the requesting organisation’s own form for that purpose. Police forces, for example, use standard forms as per guidance issued by the Association of Chief Police Officers (ACPO). The form should give full details of the personal data requested, a full explanation of the reason for the request and should be counter-signed by a senior officer of the organisation. Completed forms should be emailed to email@example.com. Requests will be acknowledged and a full response sent as soon as possible.