Under both freedom of information and data protection legislation individuals have rights to information. On receipt of such requests, UCL must respond within tight time frames to comply with the law.
Under both freedom of information and data protection legislation individuals have rights to information. On receipt of such requests, UCL must respond within tight timeframes to comply with the law. Requests that involve personal data are handled under the General Data Protection Regulations 2016 and Data Protection Act 2018 (‘data protection legislation’). Examples of such requests include:
i. (‘I want to see a copy of my HR file’) - the right of access
ii. (‘My details are wrong. Please correct them’) - the right to rectification
iii. (‘Please remove my personal information from SITS’) - the right to erasure
iv. (‘Do not disclose my personal data to the Mr Jones’) - the right to restrict processing
v. (‘Please provide information held in the application system in electronic form’) - the right to data portability
vi. (‘I object to UCL using my personal data for marketing purposes’) - the right to object
All other information requests that do not involve personal data are dealt with under the Freedom of Information Act 2000 (FOI). Examples include:
i. (‘Please send me the expenses of the Provost for the past five years’)
ii. (‘Under FOI, I would like you to provide me with details of donations over £1m’)
Collectively, these requests/rights are known as ‘information rights requests’. The Data Protection Office (DPO) in Legal Services is the central team that coordinates UCL’s response to either type of request.
Information rights requests can come in at any point in the organisation so any member of UCL staff can receive one. And such requests can arrive in any form, i.e. manual (letter) or electronic (email), but mostly commonly they come in the form of email.
As soon as UCL receives an information rights request, the time limit for response imposed by either FOI or data protection legislation begins to run down. For FOI requests, UCL has 20 working days to respond from the date of receipt; for requests involving personal data, it has one month the day after receipt. Failure to meet these deadlines will be a breach of the law.
If staff receive either type of request, they should contact the DPO as soon as possible to ensure we have sufficient time to respond.
There have been several instances of information in the form of emails ‘sitting’ in the inboxes of members of staff without being actioned; this usually occurs when members of staff have not checked their email because they are on annual leave. By the time such requests have become noticed and actioned, i.e. sent to the DPO, the time to respond has run out and UCL will be in breach of the law.
Guidance from the Information Commissioner suggests that where an email address is not being monitored an appropriate OOO message explaining that information rights requests should be sent to another email address will, in effect, stop the clock from running down.
The implication of this is that staff should set OOO messages when they are not checking their mailboxes, e.g. they are away on annual leave and have no access to email.
An appropriate OOO message would be:
‘I will be away from 31 January to 8 February 2018 with no access to email.
If you would like to submit a request for information under freedom of information or use any of your individual rights under data protection legislation (e.g. the right of access to your personal data), please contact firstname.lastname@example.org or email@example.com respectively. Correspondence sent to this address will not be seen until I return’