Under the Data Protection Act any individual has the right to make a Subject Access Request.
What is Subject Access?
Subject Access allows an individual to see almost any personal data held about them by the University. The University will seek to respond fully to any such request, subject to certain exemptions, as transparency in the use of an individual’s data is at the core of the University's Data Protection policy.
Who can request information?
- The individual whose information is held (the data subject) e.g. a student requesting access to their own information held by the University.
- A third party acting on behalf of the individual – evidence that they are acting on behalf of the data subject must be provided.
Students have the right to see their formal records, such as their LUSI record or any registry or departmental files and, will also, almost without exception, be able to gain access to other materials - such as comments on their exam scripts, the relevant minutes of examiners' meetings, emails concerning them and so on.
Staff as data subjects
Staff and other associates of the University also have the right to see their own personal information that is being held by the University.
Staff responding to Subject Access Requests
From students, former students, alumni or members of the public
Should you as a member of staff be approached by a student wishing to see particular information held in the course of regular business, or if the student has identified themselves, the request is easy to answer and relatively narrow in focus, you may, answer it directly. However, if the request is more extensive (e.g. it would involve retrieving information from more than one department/section), relates to all information held on an individual, or is unclear or controversial in any way, then it should be forwarded to the Information Governance team in the Division of Strategic Planning and Governance by emailing:
From staff or former staff
All staff requests for subject access should be directed to the Information Governance team in the Division of Strategic Planning and Governance by emailing: firstname.lastname@example.org
How to make a Subject Access Request
Anyone wishing to make a Subject Access Request can download a form and send to the Information Governance Team or contact the team directly. Email email@example.com.
Please note that proof of identity in the form of a driving licence, University card, or passport is required.
We aim to complete all Subject Access Requests within one calendar month of receiving the request having confirmed the identity of the requester and possessing all necessary information needed to answer the request. If the following month is shorter then the request deadline would be the last day of the month, or if the date falls on a weekend/bank holiday the request deadline would fall on the next working day. Deadlines can be extended by up to two months if the request is deemed complex, or if there has been numerous requests from one data subject simultaneously, however the data subject will be informed of this within one calendar month of receiving their request.
If you believe that some of the information that the University holds on you may be incorrect, please contact the Information Governance team by emailing firstname.lastname@example.org or by writing to the Information Governance Manager.
What can I do if I am unhappy with the response?
If you are unhappy with the University’s response to your Subject Access Request, please let us know by emailing email@example.com or by writing to the Information Governance Manager.
If you remain unhappy with the University’s response to your Subject Access Request, please contact the Information Commissioner:
Information Commissioner's Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF
Or by visiting https://ico.org.uk/global/contact-us/.
Other rights of the Data Subject
Depending on the legal basis on which the University holds personal information, data subjects may have additional rights in relation to their own personal information.
An individual’s rights include:
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object to processing
- Rights related to automated decision making including profiling
Not all of these rights are absolute and may be judged on a case-by-case basis. Find out more about the Rights of the Data Subject in relation to their own data and how the University meets these rights.
Information Governance Manager
Please contact Lancaster University’s Information Governance Manager and designated Data Protection Officer if you have any queries or concerns, or if you would like further information regarding your rights in relation to your own personal data:
Information Governance Manager