Corporate Governance

Subject Access Requests

The General Data Protection Regulation (GDPR) gives individuals the right to request (and receive) a permanent copy of any personal data that an organisation – in this case, the University – holds about that individual. This is called a Subject Access Request.

If you are considering making a Subject Access Request to the University, you may find it helpful to read the following information before completing the Subject Access Request form.

Subject Access Request Process

Do you need to make a Subject Access Request?

If you only want information about a specific incident you may find that you can get that information by asking for it directly from the department holding it, without having to go through the Subject Access Request procedure. It is possible that the department may have to check whether the data can be released, but that shouldn’t take too long. If the department is happy to release your data to you in this way, it will be a much shorter and less formal process than the Subject Access Request process. However, if you want information from a number of areas of the University the best way is still to use the Subject Access Request.

How to make a request

All Subject Access Requests must be made in writing to the University. The University provides a form for such requests that is designed to collect the information needed to identify the data you are requesting. Download and complete the form and then send it, with the appropriate identification documents, either to the postal address given in the link above, or by email to You may wish to consider the use of encryption software for scans of any identification documents you are submitting electronically with your request.

What information do we need to start the search?

In order to find the data you are requesting we will need the following information:


  • name
  • address
  • date of birth
  • staff payroll number (if a member of staff)
  • student ID number (if a student)
  • area of the University in which you study / work
  • copy of the photograph page of your passport or driving licence 

This information is required to confirm that you are the data subject – that is, the individual to whom the data refers – so that the University does not disclose any data to someone who is not entitled to receive it.

If you are making a request on behalf of the data subject e.g. you are a solicitor acting on your client’s behalf, you will need to provide the information detailed above for the data subject, plus proof that you have your client’s consent to request and receive their personal data. This may be a signed form of authority from the individual.

If you are searching for specific information, it would be helpful to provide some contextual information about the required data e.g. dates that the information may have been produced, or whether it refers to your time as a student or a member of staff.

What type of search will be carried out for the information requested?

The vast majority of searches for personal data carried out by the University are general searches in relation to students and members of staff.

If you are, or were, a student, the University will routinely search the following areas for your data as these are the areas where most student data is held:

  • Department of Student and Academic Administration – for information relating to applications and admissions, visa information, tuition fee data, information relating to any disciplinary cases and graduation details
  • Financial Services – for details of fee payments, hall payments and any disputes over payments
  • Student Finance Centre – for details of any loans or bursaries paid to you
  • The University Library – for details of borrowing and / or fines
  • the academic School or Department in which you are studying / studied your course

If you would like other areas of the University searched for your data, you can indicate these department(s) on the Subject Access Request form.

If you are, or were, a member of staff, the University will routinely search the following areas for your data as this is where the majority of staff data is held:

  • Human Resources – for your central HR file containing details of your initial application, any subsequent applications within the University, job changes, communications to and from HR
  • Financial Services – payroll data, payment details (e.g. expenses, travel claims), pension details
  • the academic department, school or service department in which you are / were employed – for any locally held HR records and Personal Development records.

If you would like other areas of the University searched for your data, you can indicate these department(s) on the Subject Access Request form.

You may, however, only want to receive information relating to a specific incident or issue. If that is the case, please provide as much detail as possible regarding the information you require, e.g. dates of events, when the information may have been recorded or where you think the information may be held, to help identify the data you require.

How long will it be before you receive your data?

The University has a month (30 days) in which to provide the data you have requested. The 30 days start on the date that the University receives all of the information it needs to confirm firstly, your identity, or your right to request a third party’s data, and secondly, the type of search you want carried out (either a general search or a search for specific information). The date on which you will receive your requested information will be confirmed once the University has received all the required information.

How will your data be provided to you?

The GDPR requires that you receive a permanent copy of any personal data held about you. Therefore, you will receive either an electronic or paper copy of the personal data found about you, depending on the preference you selected on the Subject Access Request form.

If you wish to receive your data in paper form, this will be sent to you using first class recorded delivery post. The University uses recorded delivery post to ensure an audit trail exists to show where the parcel was sent, who signed for it and when. In the event that no-one is available to sign for your parcel, it will be held at a local office until it is collected or finally returned to the University. This ensures your data is held as securely as possible until you receive it.

If you wish to receive your data electronically, it will be sent to you by email, as an encrypted attachment. Once your information is ready, you will receive an email from the University with the encrypted attachment(s) and you will need to contact the University for the password in order to decrypt the attachment. More details on how to do this will be included in the email that sends your data to you.

What data will be provided to you?

You will receive copies of the personal data relating to you. Personal data is defined as data that identifies a living individual and relates to that individual. Therefore, the data you receive will not only name you but also have some reference to you. As the University still holds some paper files as well as electronic records, a search will be carried out initially for files / folders that are named using your name in any format. After that, electronic searches will be carried out for any electronic records that contain your name in the body of the data – not just the title. It is not always possible to carry out this search in University paper files without any background information on the type of record you are looking for.

In the case of emails, you may receive a copy of an email if your email address identifies you, for instance,, but you will not necessarily receive a copy of the email if you cannot be recognised by your email address, for example, or It would then be necessary to see if you are identified in the body of the email.

However, whether you are sent a copy of an email will also depend on whether the data may relate to you. So, for example, you will not receive copies of emails that have been sent to a list of email addresses including yours, where the information in the email does not relate to you, e.g. it is a reminder of a student and graduate employment fair open to everyone. However, you will receive a copy of an email that has been sent to a list of email addresses including yours, where the information in the email does relate to you, e.g. details of a meeting between several people, including yourself, relating to supervision of a dissertation.

Your personal data may be held in a document or database that contains personal data relating to other individuals. To avoid providing you with a third party’s personal data, it will be necessary either to redact the other person’s data (that is, blank it out or obscure it in other ways) or to extract your data from the larger document / database. Therefore, you may receive copies of documents with blank spaces in the text, or with only one line of information under column headings. These are examples of redacted documents or where your data has been extracted.

Will you receive all of the data that relates to you?

It is important to note that it is not always possible to know exactly what information is held about an individual when a search is made. It may not always be possible for the University to provide every piece of information about your employment or studies, as there may have been some discussions relating to a final decision made at a meeting or over the telephone, which will not always be recorded. Emails are often seen as an informal method of communication and staff are encouraged to retain emails in line with their subject matter, but that does mean that not all emails will be kept for the same length of time. Therefore, an email in which someone agrees to attend a meeting does not need to be kept for as long as one that includes a decision on a particular subject that has ramifications for others or over a length of time.

There may be occasions where the final data is provided to you but information which led to that data is not provided. An example of this is the data given to a Board of Examiners, which shows the marks you have received as a student. Unless there is any information other than your name and marks, this information will not routinely be sent to you because it will be provided to you in a transcript of your marks.

There may be times when the University holds personal data about you which it does not / cannot disclose to you. This may be because it is not possible to disclose your personal data without disclosing a third party’s data, and either the third party has refused to give consent for their data to be disclosed or the third party’s data is awarded a degree of confidentiality which means the data cannot be disclosed.

There are other exemptions in the GDPR which mean that personal data can be withheld. If it is necessary to withhold any data, you will be informed of the reasons for the non-disclosure, but the University endeavours to release as much of your data as possible.

What can you do if you are unhappy with the response to your request?

You may first contact the University to clarify any queries about the information you have received or to point out any omissions in the data that you expected to receive – although if you are looking for anything particular, it is best to stipulate this in your original request. We will look again at the information held within the University to see if any new information can be sourced with the extra detail provided by you.

If you remain dissatisfied with the response to your request, you may submit a complaint to the Information Commissioner’s Office (ICO). More advice on how to do this is available by contacting the ICO on its helpline number of 0303 123 1113.