The following guidance is intended for data protection coordinators who have received a request from the Data Protection team to conduct a search for any information that may be held about an individual within their own business areas.
- What is a subject access request?
Data protection legislation gives individuals (data subjects) the right of access to their personal data. Personal data is defined as information about a living, identifiable individual. The legislation does not apply to information about deceased people, but you may still owe a duty of confidentiality after death.
Subject access requests must be made in writing, by completing the relevant form, and are handled by the UCL Data Protection team. Copies should be provided promptly and in any event within 40 days. Data subjects must prove their identity.
- What do I do if I am asked to provide data in relation to a subject access request?
You will need to locate and identify the information requested and provide it within ten working days. If you envisage any problems with meeting this deadline you should notify the Data Protection team promptly.
- How do I start looking for the information requested?
You should begin by identifying the information being requested. This should provide details of where this information would be located. Search all relevant computer and manual files.
- How should the information be provided?
Before the information is provided you should ensure that all copies are clearly legible, copied single-sided, and provided without paperclips or staples.
- What if I have concerns with the disclosure of the information I have been asked to provide?
If you have any concerns, you should still provide the information to the Data Protection team, together with a brief explanation of your concerns. We will take your views into account and discuss them with you before any documentation is disclosed.
- Where do I send the information once I have completed the search?
The material should be delivered by hand wherever possible. Alternatively, send it by internal mail, marked "private and confidential", to the following address:
Data Protection Officer,
University College London,
38–50 Bidborough Street,
London, WC1H 9BF
You should avoid sending memory sticks with personal data on them in the internal mail unless the contents are encrypted.
If you send an email containing personal data you should be aware that it is not a secure means of communication. You should therefore ensure that adequate security (taking into account the nature of the information contained within the email) is in place to protect it.
The data protection email address is the only one that should be used.
You should also check that the information you are going to send is correct. It is easy to attach the wrong document or send to the wrong recipient.
- Further Information
For further information and support please email firstname.lastname@example.org