Data Protection: Individual Rights and Subject Access

1.  Definitions

• Data subject – the living identifiable person to whom the data relates.
• Data controller – the natural or legal person/body/organisation/agency which alone or jointly with others determines the purposes and means of processing the personal data – Sheffield Hallam University is registered as a data controller.  Members of staff are considered to be acting on behalf of the data controller when they process personal data.

2.  What are your individual rights?

The Data Protection Act 1998 gives all data subjects the following rights:

• to find out what information a data controller holds about you – the right of subject access – see below
• to prevent the data controller from using your personal data for the purposes of direct marketing
• to notify the data controller that information held about you is inaccurate
• to have inaccurate information about you amended or destroyed
• to object to your data being processed if the processing is likely to cause you or someone else to suffer substantial damage or distress which is unjustified
• to claim compensation if you have suffered damage or distress as a result of the data controller failing to comply with the Act
• to ask the Information Commissioner to assess whether your personal data has been processed lawfully

3.  Subject access requests: what information can an inidvidual have access to?

• You can only have access to your own personal data – you are not entitled to ask for other peoples’ personal data
• The data must be personal.  General information about the University is available via the University’s Publication Scheme and by request under the provisions of the Freedom of Information Act 2000.

What is "personal data"?

Personal Data - information relating to an identifiable living person (somebody who can be identified either directly or indirectly from the data), including any expression of opinion or intent relating to the individual. NB: An individual does not have to be named – it may be possible to identify someone from a description or a set of characteristics.

In many cases it will be obvious whether the data relates to an individual. Where there is uncertainty, however, the Information Commissioner advises that the following question may help in determining whether data is 'personal data':

Is the data being processed, or could it easily be processed to learn, record, or decide something about an identifiable individual, or as an accidental consequence of the processing, either: Could you learn or record something about an identifiable individual; or - could the processing have an impact on, or affect, an identifiable individual?

Where is personal data held?

Accessible personal data may be contained in:

• Paper files which are contained in a "relevant filing system", i.e. any set of information relating to individuals which is "structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible."  NB:  The Freedom of Information Act 2000 will extend the right of subject access to all paper files from 1 January 2005.
• Computer files, i.e. databases, electronic documents
• Emails, however, individuals must supply sufficient information for the data controller to locate the relevant emails. 
• CCTV and other film recordings

Retention of Data

It should be noted that the Data Protection Act requires that organisations do not retain personal data for longer than necessary and therefore documents and correspondence may be destroyed after a given period of time in line with the requirements of the Act and the University’s Document Retention Schedule.  The University only retains a limited number of records relating to individuals permanently.

4.  Making a subject access request

Individual's requests for access to their personal data must be made in writing to the University Secretariat at the address below. Requests for information will be answered within 40 days (in the case of exam results 5 months). AA fee of £10 is payable per request and proof of identity should be enclosed with the initial request.

In order to help the University locate personal data, applicants are asked to submit a Subject Access Request form [30k PDF]

5.  Exemptions to the right of subject access:

The Act specifies a number of exemptions to the right of subject access.  These include:

Crime and Taxation (Section 29) – i.e. where personal data is processed:

• for the prevention or detection of crime
• for the apprehension or prosecution of offenders
• for the assessment or collection of any tax or duty or of any imposition of a similar nature.

Research, history and statistics (Section 33) - the exemption applies only if:

• the results of the research or any resulting statistics do not identify data subjects
• the data is not processed to support measures or decisions with respect to particular individuals
• the processing of data for research will not cause substantial damage and distress to any individual
• the data is otherwise processed in accordance with the Act.

Confidential references given by the data controller (Schedule 7 Paragraph 1) – although references received by Sheffield Hallam University should be disclosed in the event of a subject access request.

Management forecasts/management planning (Schedule 7 Paragraph 5) – where personal data is processed for the purposes of management forecasting or management planning and where subject access would be likely to prejudice the conduct of the business or other activity of the data controller.

Negotiations (Schedule 7 Paragraph 7) – where personal data consist of records of the intentions of the data controller in relation to any negotiations with the data subject to the extent that disclosure would be likely to prejudice those negotiations.

Examination Marks (Schedule 7 Paragraph 8) - students cannot find out their exam mark before the results day by making a subject access request.  Exam marks are exempt from the usual 40 day timescale, but data controllers must disclose this data either five months from the day on which they receive the request or 40 days from the announcement of the exam results, whichever is earlier.

Examination Scripts (Schedule 7 Paragraph 9) - these are exempt from subject access, but examiners’ comments are not exempt and students have a right of access to these.

Self-incrimination (Schedule 7 Paragraph 11) – where complying with a subject access request would reveal evidence of the commission of any offence, other than an offence under the DPA 98, exposing them to proceedings for that offence

Third party data

Some data, especially emails, may contain personal data relating to third parties.  When responding to subject access requests, the University will need to consider the rights of third parties and ensure that they are not compromised.  This may mean that consent from third parties to release data is sought or that relevant sections of documents are deleted.  The University will also consider Article 8 of the Human Rights Convention which specifies that “everyone has the right to respect for his private and family life, his home and his correspondence.”  Emails written in a private rather than an official capacity are therefore unlikely to be released without the consent of the third party. 

6.  Further information

For queries and complaints relating to data protection issues and freedom of information at Sheffield Hallam University please contact:

University Secretariat
Sheffield Hallam University
City Campus
Howard Street
Sheffield
S1 1WB

Telephone: 0114 225 3361
Email: foi@shu.ac.uk
Fax: 0114 225 3498
ICO Register of data controllers: SHU entry [Please note that the entry is listed as 'Sheffield Hallam University Higher Education Corporation']

Further data protection information and advice may be obtained from:

The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 01625 545 745
Fax: 01625 524 510
Web:  http://www.dataprotection.gov.uk/