UK data protection law entitles individuals - or those acting on their behalf - to request access to personal information the University may hold about them, and to find out how the University uses and shares their data. This is known as a Subject Access Request.
Before you submit a request it may help to read the guidance on requesting personal data from the Information Commissioner's Office.
Subject Access Requests received by the University are handled by the Information Compliance team.
When you are ready to submit your request, remember to include:
- A clear explanation of the data you require. Please submit your request in writing (email or, if you prefer, a letter), as it helps both you and us keep a record of your exact request. Where possible, include dates and names of individuals or departments who you think may hold your personal data.
- Scanned copies of two documents as proof of identity (e.g. passport, birth certificate, driving licence or campus card). Make sure one of the forms of ID has your current postal address.
- If you are submitting the request on behalf of someone else, a signed form of authority so we can establish that you are entitled to access their data.
Requests can be emailed to firstname.lastname@example.org or posted to: the Data Protection Officer, Information Compliance team, The Library, UEA, Norwich, NR4 7TJ.
On receipt of the required documentation the Information Compliance team will contact the appropriate departments or individual members of staff to obtain the data you have requested. In order to locate the correct information we may ask you to give further details of the types of data, or where you believe the data is being stored.
Once we have gathered all the information, we will review it to check that it is in scope of your request, and to find out if it contains information about other people (third parties).
We will consider the rights of third parties whose information is included in the material you have requested. Where possible, third party personal data will be removed prior to the information being released. If this is not possible, we will seek consent of the third party to release the information to you. On occasion, this may necessarily involve disclosing to them that you have made this request. Where consent cannot be obtained or is refused, we will consider whether it is reasonable to release the information to you.
You will receive a copy of the personal data you have requested, if it is held by the University. Under the GDPR, which comes into effect on 25 May 2018, people making a subject access request are also entitled to the following information:
- The purposes of the processing
- The categories of personal data concerned
- The recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations
- Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
- The existence of the right to request from the controller (The University) rectification or erasure of personal data or restriction of processing of personal data concerning them, or to object to such processing
- The right to lodge a complaint with a supervisory authority
- Where the personal data are not collected from the individual, any available information as to their source
- The existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the individual.
Much of this information will be in our privacy notices, however we will provide this further detail in our response.
Our response can be provided in digital or paper copy. Where we have received the request electronically, we will provide our response in the same way, unless otherwise requested.
Where our response is sent via email, we will password protect your data before sending it to you. Please ensure that you have given us your current postal address so we have a secure means of sending you the password to access our response.
Under the Data Protection Act, our response will be provided within 40 calendar days of receipt of the written request, fee, ID and all information required to locate your data.