Data Protection: Individual Rights and Subject Access

1.  Definitions

2.  What are your individual rights?

The Data Protection Act 1998 gives all data subjects the following rights:

3.  Subject access requests: what information can an inidvidual have access to?

What is "personal data"?

Personal Data - information relating to an identifiable living person (somebody who can be identified either directly or indirectly from the data), including any expression of opinion or intent relating to the individual. NB: An individual does not have to be named – it may be possible to identify someone from a description or a set of characteristics.

In many cases it will be obvious whether the data relates to an individual. Where there is uncertainty, however, the Information Commissioner advises that the following question may help in determining whether data is 'personal data':

Is the data being processed, or could it easily be processed to learn, record, or decide something about an identifiable individual, or as an accidental consequence of the processing, either: Could you learn or record something about an identifiable individual; or - could the processing have an impact on, or affect, an identifiable individual?

Where is personal data held?

Accessible personal data may be contained in:

Retention of Data

It should be noted that the Data Protection Act requires that organisations do not retain personal data for longer than necessary and therefore documents and correspondence may be destroyed after a given period of time in line with the requirements of the Act and the University’s Document Retention Schedule.  The University only retains a limited number of records relating to individuals permanently.

4.  Making a subject access request

Individual's requests for access to their personal data must be made in writing to the University Secretariat at the address below. Requests for information will be answered within 40 days (in the case of exam results 5 months). AA fee of £10 is payable per request and proof of identity should be enclosed with the initial request.

In order to help the University locate personal data, applicants are asked to submit a Subject Access Request form [30k PDF]

5.  Exemptions to the right of subject access:

The Act specifies a number of exemptions to the right of subject access.  These include:

Crime and Taxation (Section 29) – i.e. where personal data is processed:

Research, history and statistics (Section 33) - the exemption applies only if:

Confidential references given by the data controller (Schedule 7 Paragraph 1) – although references received by Sheffield Hallam University should be disclosed in the event of a subject access request.

Management forecasts/management planning (Schedule 7 Paragraph 5) – where personal data is processed for the purposes of management forecasting or management planning and where subject access would be likely to prejudice the conduct of the business or other activity of the data controller.

Negotiations (Schedule 7 Paragraph 7) – where personal data consist of records of the intentions of the data controller in relation to any negotiations with the data subject to the extent that disclosure would be likely to prejudice those negotiations.

Examination Marks (Schedule 7 Paragraph 8) - students cannot find out their exam mark before the results day by making a subject access request.  Exam marks are exempt from the usual 40 day timescale, but data controllers must disclose this data either five months from the day on which they receive the request or 40 days from the announcement of the exam results, whichever is earlier.

Examination Scripts (Schedule 7 Paragraph 9) - these are exempt from subject access, but examiners’ comments are not exempt and students have a right of access to these.

Self-incrimination (Schedule 7 Paragraph 11) – where complying with a subject access request would reveal evidence of the commission of any offence, other than an offence under the DPA 98, exposing them to proceedings for that offence

Third party data

Some data, especially emails, may contain personal data relating to third parties.  When responding to subject access requests, the University will need to consider the rights of third parties and ensure that they are not compromised.  This may mean that consent from third parties to release data is sought or that relevant sections of documents are deleted.  The University will also consider Article 8 of the Human Rights Convention which specifies that “everyone has the right to respect for his private and family life, his home and his correspondence.”  Emails written in a private rather than an official capacity are therefore unlikely to be released without the consent of the third party. 

6.  Further information

For queries and complaints relating to data protection issues and freedom of information at Sheffield Hallam University please contact:

University Secretariat
Sheffield Hallam University
City Campus
Howard Street
S1 1WB

Telephone: 0114 225 3361
Fax: 0114 225 3498
ICO Register of data controllers: SHU entry [Please note that the entry is listed as 'Sheffield Hallam University Higher Education Corporation']

Further data protection information and advice may be obtained from:

The Information Commissioner
Wycliffe House
Water Lane
Telephone: 01625 545 745
Fax: 01625 524 510

Academic Regulations and student policies