Legal Services


SAR: Staff Guidance

Under data protection law, individuals have the right of access to any of their personal data that UCL holds on them and further information as to how that data is used. This is commonly known as a Subject Access Request (SAR). When someone makes a SAR, UCL has a statutory obligation to fulfil that request. Data protection law stipulates that UCL respond to these requests within one month of receipt of the request.

What do SARs look like?

A SAR can take a very simple form, e.g.:

‘Please provide any of my personal data found in emails from the following members of staff [list of staff] between these dates [date parameters]. Attached is my staff ID card.’

Requesters can submit a SAR verbally or in writing and do not need to use the term ‘Subject Access Request’ as long as it is clear the individual is asking for their own personal data.

What to do if you receive a SAR

A SAR can be submitted to any area of the organisation, so you may receive one directly while working at UCL. If you receive a SAR directly, please contact the Data Protection Office (DPO) immediately, as the clock starts to tick as soon as the request is received. Do not try to deal with it yourself without assistance from the DPO as there are statutory requirements that need to be met.

As soon as a request is received by UCL, the response must be received within one calendar month, including closure days. If we do not meet this deadline we are likely to breach data protection legislation.

Searching for personal data

Information held in email

Many SARs will involve searches for personal data in emails. UCL’s recommended policy for material held in UCL staff email mailboxes is for the DPO to organise searches centrally using search tools provided by the Information Services Division (ISD). This allows the DPO to locate the requested correspondence objectively and efficiently, using specific searches. The process also provides us with an audit trail of the searches undertaken. For emails held on UCL servers, this means you do not have to undertake searches.

Information held other than in email

SARs will often involve information other than UCL emails. Depending on the exact wording and date range of the request we would expect you to undertake searches of the following:

·  Any potentially relevant files stored on your personal computers, including non-UCL devices if used for work purposes

·  Any potentially relevant files stored on shared drives (e.g. ‘S’ drives or departmental drives) to which you have access

·  Any potentially relevant files in your recycle bin that have not yet been permanently deleted

·  Any potentially relevant manual records such as filing cabinets or diaries

For electronic search terms, you should include the first and last name of the requester, and any known nicknames or abbreviations. Microsoft has produced guidance that may help when searching Outlook.

Personal data of the requester must not be deleted or amended after a request has been received.

If you have no relevant personal data

If you do not hold any personal data relating to the requester, please let the DPO know as soon as possible. If you think that data may be held elsewhere or by someone else, please let the DPO know as soon as possible.

If you find relevant personal data

For electronic files of less than 5 MB, send via UCL Outlook to data-protection@ucl.ac.uk. For electronic files bigger than 5 MB, send via UCL Dropbox or OneDrive.

N.B. If the material is classed as Confidential or Highly Confidential (according to UCL’s Information Management policy), encrypt the information using 7zip and share the decryption key (the password) with the DPO by an alternative channel of communication (SMS, email, Instant Messenger, telephone). If in doubt, encrypt the information.

If sending via Outlook, email messages should be attached to a cover email as separate .msg files. Do not use a non-UCL email account to transfer unencrypted personal data. If you intend to send data using a memory stick or disc, these should be encrypted. See the ISD website for details on how to do this. Paper files can be collected in person by the DPO, or hand-delivered to Legal Services, 6th Floor, Bidborough House, London, WC1H 9BF.

If the personal data also contains information about people other than the requester (including you)

Under UK data protection law, an individual has a right of access only to his or her own personal data. Very often, the personal information gathered in response to a SAR also contains the personal data of other people (known as third parties). For example, email correspondence can involve several people and contain the personal data of each person, as well as the requester. The DPO will exclude information that is out of scope of the request, but invariably some third party personal data will remain, particularly if it is not sensitive, e.g. other staff members’ names or UCL email addresses. The DPO will, by default, redact (remove) third party data that is sensitive or confidential, but where redaction is not possible (for example, the context of a document means the third party is inevitably identifiable) the team may contact the third parties involved, to establish if they consent to their personal data being disclosed. If the team cannot obtain consent (either because it is refused or because they can’t contact the third party) they will make a decision on whether it is fair and reasonable to release the third party information to the requester without consent. You may receive a ‘third party notification’ email from the team in relation to a SAR. If you do, please respond promptly by the date indicated in the message. If you have concerns about the release of your personal data, please discuss these with the member of the Data Protection team responsible for the request.

Responding to Subject Access Requests at UCL checklist



Have you acknowledged the email asking for your help?


Have you notified the DPO of receipt of a SAR?


Conducting the searches




Have you checked for paper documents – personal and/or departmental?


Have you searched your own computer files?


Have you searched relevant shared drives?


Have you checked your computer recycle bin?


Sending relevant data to the Data Protection team:


Are you sending data from outside the UCL network? If so, are the files encrypted?


If sending files by memory stick or disk, have you encrypted these?


If you undertook your own searches, have you informed the Data Protection team of search terms used?


Information that identifies you


If the files contain your personal data and it is sensitive or confidential in some way, have you told the team if you consent or object to the release of the information that relates to you?


Further Information

If you would like further assistance on anything relating to a SAR, please email us.

Further SAR information can be found on the ICO website.