Data Protection Rights and Subject Access Requests

Before making a request, please note: Information recorded by candidates during examinations is exempt from subject access provisions. Data Protection law requires that data is held only as long as is necessary, and that data held is not excessive.

How to make a Subject Access Request

To assist you, your request can be made via our Contact form or via email to but you can also make verbal requests if preferred.

The personal data requested should be clearly stipulated (e.g. student records held in the Department, UCAS forms, personnel file, etc.).  Any requests made verbally to staff should be passed to the Assurance and Data Protection team as soon as possible.

The University will respond to requests within one month of receipt (provided sufficient information has been given to enable the University to verify the data subject's identity and to process the request).

What are my Subject Access Rights?

Article 15 of the UK GDPR gives you as the data subject, the right to find out what personal data is being processed about you by any organisation and where that is the case, access to the personal data and the following information:

a)    the purposes of the processing

b)    the categories of personal data concerned

c)     the recipients or categories of recipients to whom the personal data have been or will be disclosed (in particular to any recipients outside the UK)

d)    the period for which the personal data will be stored (or the criteria to determine the period)

e)    the existence of rights of rectification, erasure or restriction of processing about you, or to object (in certain circumstances)

f)      the right to lodge a complaint with the Information Commissioner’s Office

g)    the source of the data

h)    if we are carrying out automated decision-making, including profiling, and in those cases, to give you meaningful information about the logic involved as well as the significance of any consequences of such processing for you.

If we transfer your data outside the UK you have the right to be informed of the appropriate safeguards we have used in relation to the transfer.

The records may be electronic or held as hard copies in structured records, such as relevant filing systems.  A relevant filing system is any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

This right also extends to unstructured manual information processed by public authorities, who may have to search for such information to comply with a subject access request. However, we do not have to comply with the request if it does not include a description of the unstructured data; or the cost of complying with the request would exceed the appropriate maximum.

If your request is complex, we can extend the time to respond by a further two months. We will write to you within a month of your receipt to inform you of this if we believe this to be the case.

What is Personal Data?

Data is personal if it is information that identifies you directly or indirectly, either by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to your physical, physiological, genetic, mental, economic, cultural or social identity, whether in your personal or family life, business or professional capacity.

What information can I ask for?

You can ask to be provided with any personal data that you consider the University may hold about you on computer or in paper records accessible under the terms of Data Protection law.

If you are able to provide a description of the data (including dates and locations) this will help to speed up the process of collating your data.

It should be noted that confidential references are exempt from the UK GDPR’s provisions on the right of access. The exemption applies to the reference regardless of whether it is held by the provider or the recipient.

What other rights do I have?

The right under UK GDPR What it means Limitations
Articles 13 and 14 Right to information A privacy notice must be given to you when personal data is collected from you or others. There are some exemptions in the Data Protection Act 2018, for example if your personal data has to be shared for crime and taxation purposes.
Article 16 Right to rectification To have inaccurate data rectified and incomplete data completed (including by way of a supplementary statement) As long as a record shows that a record is an opinion, it is unlikely to be deemed to be inaccurate. 
Article 17 Right to erasure The right to be forgotten. The right applies in certain circumstances (for example where personal data are no longer necessary in relation to the purposes for which they were collected).  There are also some exceptions, for example where the lawful basis of the processing is to comply with a legal obligation or for a public task.
Article 18 Right to restriction The right to request the restriction of processing of contested data while its accuracy is verified.   
Article 19 Right to have others notified of rectified data Any recipients of data must be notified that the data has been rectified. Communication may not be required if it is impossible or involve disproportionate effort.
Article 20 Right to data portability To receive your personal data from one organisation in a structured, commonly used and machine readable format.   It only applies to information given directly by the data subject (not to information given by third parties) and only to processing carried out under the lawful basis of consent or contract with the data subject.
Article 21 Right to object The organisation must stop using your data It applies in limited situations including when processing is based on the public task basis (unless there are legitimate grounds to continue processing that override your interests) and where it is carried out for direct marketing purposes.
Article 22 Right not to be subjected to automated processing (including profiling) The right not to have important decisions taken about you by a computer or AI without human oversight and control.  You have a right to obtain human intervention, express your point of view and contest the decision. It applies where it is solely automated processing (including profiling) and where the decision has legal or similarly significant effects on you. It doesn’t apply if you have given explicit consent, or the decision is authorised by law or a contract with you.
Articles 77 – 82 Rights to redress Various rights to complain and obtain a remedy (including in a Court) against an organisation or the ICO.  Organisations will be exempt from liability if they prove that they are not in any way responsible for an event that caused damage.

Last updated