Data Protection

Individual Rights including Subject Access Requests (SARs)

Individual rights

The General Data Protection Regulation (GDPR) provides data subjects with a number of data rights aside from the right of access. The Information Commissioner’s Office has published further information on these rights, which is available here. You may find it useful to read their guidance before submitting a request. If you would like to submit an individual rights request, such as the right to erasure, you can send your request by email to data-protection@ucl.ac.uk.

Subject Access Requests (SARs)

Individuals have a right of access to any personal data held by a data controller (in this case UCL).

What does it cost?

UCL does not charge a fee for Subject Access Requests.

Submit a SAR

To assist UCL in complying with the statutory timescales, we require such requests to be made in writing and accompanied by formal identification.
If you wish to submit a request, you should do so by completing the form below:

Subject Access Request Form
This form will provide the university with the necessary information needed to deal with your request and should be sent by email to data-protection@ucl.ac.uk.

If you wish to complain

Please see UCL’s Data Protection Complaints Guidance and Procedure.

University College London Hospitals NHS Foundation Trust (UCLH)

Sometimes confused with UCL, UCLH is a separate legal entity from UCL. If you wish to submit a subject access request to UCLH, please refer to the website below:

Requesting ID for DP requests:

Article 12 of the GDPR states that:

'the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.'

The underlined section above means there is an expectation on UCL to check the identities of data subjects, i.e. requesters. Indeed, we would be in breach of the GDPR if we deleted or provided access to personal data in response to a request without verifying the identity of the requester and then subsequently discovered the requester was not who they said they were. Therefore, we routinely check the identity of any requester in order to ensure compliance with data protection legislation.

If you are a current member of staff or student, your UCL staff / student ID card will be acceptable.

If you are not a current member of staff / student, please can you provide one item from each of the two lists below:

1. Photographic ID e.g. passport, driving licence, railcard, business ID card

2. Proof of address such as Council Tax bill, utility bill, bank or credit card statement from the last three months 

Requesting proof of authority from third parties acting on behalf of data subjects:

Similarly to what is outlined above, UCL needs to ensure that anyone making a request on behalf of someone else has the data subject’s authority to do so. Therefore, in these cases we ask for a form of authority that has been signed by the data subject to be shared with us, as well as their ID.

Data that can be requested

The right of access gives individuals the right to obtain a copy of their personal data as well as other supplementary information. Personal data may include, but is not limited to, information held within staff files, student record files, databases, interview notes, and e-mail correspondence which refers to the individual.

If you are an internal UCL staff member who has been contacted because you may hold information with regard to a data subject access request, please note that you will not be breaching data protection law by either searches of your mailbox being conducted or the results of those searches being reviewed. 

Our Case Management System

Managing Your Data Protection or Freedom of Information Request

UCL’s Data Protection and Freedom of Information team now uses MyServices, our new case management system, to handle statutory requests. This system helps us track requests securely and provide you with timely updates and responses.

What this means for you

  • When we log your request, a MyServices account will automatically be created for you.
  • You will receive an email inviting you to reset your password so you can access your MyServices account.
  • Setting up the account is optional.
  • If you choose to activate it, you will be able to view your request and our response directly within MyServices.
  • If you prefer not to activate the account, you will still receive the full response by email.

Why you might want to use MyServices

  • View your request and response in one secure place.
  • Track progress more easily.
  • Keep a record of your correspondence with the team.

If you have any questions about using MyServices or about your request, the Data Protection and Freedom of Information team will be happy to help.

Exemptions

There are some conditions under which a SAR can be refused:

Student Exam Feedback

Examination scripts are specifically exempted from disclosure under the subject access rights, and it is UCL policy not to provide students with copies. This exemption, however, does not apply to any comments made by examiners, which are included in the definition of “personal data”. Comments are the students' personal data, and they are entitled to view and receive copies of them. If the comments have been made directly onto the examination script, and the academic department decides not to make the full script available when requested, then the examiners' comments should be reproduced onto a separate sheet of paper. It is recommended that the examiners' comments should be made on a separate sheet, rather than directly onto examination scripts.

There is nothing to prevent academic staff from meeting with students to provide feedback, including showing them the scripts and/or providing the comments which they relate to. There is no restriction on providing copies of other kinds of written assessed work, and we strongly encourage academic departments to do this, rather than ask the student to make a formal subject access request for the information.

Students are therefore advised, in the first instance, to contact their academic department for this information.

Time-frame for compliance

UCL is normally required to respond to a DSAR within one month of receipt, starting from the day after the request is received, or the date on which proof of identification has been satisfactorily received. If we process a large amount of information about an individual, UCL may ask the individual to provide additional information to help clarify their request.

If your request is complex, or you have made a number of requests, UCL can extend the time to consider and respond to your request by an additional two months (therefore a maximum of three calendar months). When this happens, UCL will write to you to let you know more time is needed to process your request and explain the reasons why.