Subject access requests

‌Subject access request form

Individuals wishing to have access to personal data held by the University under the Data Protection Act ("the Act") can send a completed Subject access request form (Office document, 36kB) ("form") to:

Information Governance Manager
Office of the University Secretary
Beacon House
Queens Road
Bristol BS8 1QU

or by email to: data-protection@bristol.ac.uk

Subject access requests can be made verbally, though use of the request form is encouraged to ensure the required detail about the personal data being requested is provided. A verbal request should be made to the Information Governance Manager if possible.

Information required and procedure for responding to subject access requests

The personal data requested should be clearly identified. The payment of the £10 fee is no longer required but it may be necessary to confirm the identity of the data subject and/or the person making the request. The University will respond to requests within 30 calendar days of receipt of the completed form (provided sufficient information has been given to the University to enable the University to process the request), or, in the case of exam marks, up to five months from the time when the University has sufficient information to process the form.

General guidance when requesting subject access to emails

Data subjects are entitled to have access to their personal data held in the form of emails under the Act. However, data subjects must supply enough information to enable the University to locate the relevant emails. As a minimum, the following information must be provided to the Information Governance Team when completing the form:

  • The fact that the data may be held in the form of emails;
  • The names of the authors or recipients of the messages;
  • The dates or ranges of dates upon which the messages have been sent;
  • Any other information that might assist the University in locating the data.

Please note that failure to provide information reasonably required to narrow down the search could result in the University being unable to comply with a subject access request.

Information containing personal data about other people (third parties)

Some information may contain personal data relating to third parties. The request may therefore lead to a conflict between the data subject's rights of access and the third party's rights over their own personal information. In responding to subject access requests the University will need to ensure that the rights of those third parties are not compromised by releasing the information. As the obligation on the University is to provide information rather than documents, redaction or editing may be used so that the third party information does not form part of the requested information.

The University may also ask for consent from the third party. Where consent is not given, in line guidance from the Information Commissioner's Office, the University will consider whether it is reasonable in all the circumstances to disclose the email without the third party's consent.

Retention

Subject access requests will normally be held by the University for three years after the final action.