5. The rights of the data subject
Data subjects have the right to:
- Prevent processing if it is likely to cause them unwarranted damage or distress.
- Have any inaccuracies in their data corrected or erased.
If they can show damage they may:
- Receive compensation for loss of data or unauthorised disclosure.
- Receive compensation for inaccuracy.
5.1 Subject access rights
Under Section 7 of the Act data subjects have a right of access to any personal data held about them by a data controller. This includes:
- Electronic and paper documents
- Data held in a database
- Email correspondence
- Any expression of opinion about the data subject
5.1.1 Informal requests from an individual
A School / Unit may choose to comply with an informal verbal request from an individual to see his or her files. This procedure is not without risk, however, and the School / Unit should bear in mind that:
- Such disclosures would be subject to obligations of confidentiality owed to third parties who may be mentioned in the documents.
- Units electing to respond independently to a request for 'All the information you have about me' run the risk of disclosing too little or too much information.
- The Act requires that data be kept secure. The School / Unit must ensure that the person requesting the information is in fact entitled to receive it.
It can be difficult to distinguish between an informal and a formal request for personal data. If, for instance, an individual simply asks to see his marks, then ideally the Department in question will give him a copy and he will be satisfied.
What can happen, however, is that the data subject may be dissatisfied, and will then ask for 'all the information you have about me.' At this point, the individual must be referred to the University's Data Protection Co-ordinator.
5.1.2 Formal requests from an individual
As soon as a request is made in writing (including by email) it must be referred to the University's Data Protection Co-ordinator in order to ensure that:
- The University complies with the requirement to reveal all the information (with very limited exceptions) that it holds about the data subject. The only way to achieve this is by a co-ordinated response.
- The University responds within the time constraints imposed by the Act.
- The University discloses the information only to the person entitled to receive it.
- The University does not breach the confidentiality it may owe to third parties.
- The University is aware of, and documents, any instance of a Subject Access Request.
A Subject Access Request form is available from the University's Data Protection Co-ordinator. This should be completed by the data subject and returned to:
Data Protection Co-ordinator
University of St Andrews, Butts Wynd Building, St Andrews, KY16 9AL
so that she can co-ordinate the response from the appropriate Schools / Units.
It is important to remember that emails contain personal data in just the same way that a letter would. Moreover, an email does not have to be addressed to or received by the individual in question to be personal data about that individual - an email discussing a person constitutes personal data about him or her.