Dealing with subject access requests
Under Section 7 of the Act data subjects have a right of access to any personal data held about them by a data controller.
- Electronic and paper documents.
- Email correspondence.
- Any expression of opinion about the data subject.
Informal requests from an individual
A School / Unit may choose to comply with an informal request by an individual to see his or her files, bearing in mind that:
- Such disclosures would be subject to obligations of confidentiality owed to third parties who may be mentioned in the documents.
- Units electing to respond independently to a request for 'All the information you have about me' run the risk of disclosing too little or too much information.
- The Act requires that data be kept secure. The School / Unit must ensure that the person requesting the information is in fact entitled to receive it.
Formal requests from an individual
Any written (this includes email) subject access request must be referred to the University's Data Protection Co-ordinator in order to ensure that:
- The University complies with the requirement to reveal all the information (with very limited exceptions) that it holds about the data subject. The only way to achieve this is by a co-ordinated response.
- The University responds within the time constraints imposed by the Act.
- The University discloses the information only to the person entitled to receive it.
- The University does not breach the confidentiality it may owe to third parties.
- The University is aware of, and documents, any instance of a Subject Access Request.
A Subject Access Request form (PDF, 174 KB) is available from University's Data Protection Co-ordinator. This should be completed by the data subject and returned to:
Data Protection Co-ordinator
IT Services - Butts Wynd Building, St Andrews, KY16 9AL
so that the response can be co-ordinated from the appropriate Schools / Units.