XClose

Student and Registry Services

Menu

Subject Access Requests and setting your Out of Office 

9 May 2019

GDPR has been a hot topic for around a year now and this isn’t going to change! Each month, the SRS newsletter will contain some basic data protection information that we all need to be aware of as part of our day-to-day work.

This month, we will look at Subject Access Requests (SAR) and setting your Out of Office message.

If you have any questions, comments or if there is anything in particular that you would like to see covered, please let Lucy know by emailing srs-compliance@ucl.ac.uk or l.minks@ucl.ac.uk.

What is a Subject Access Request (SAR)

Under data protection laws, individuals (data subjects) have the right to request access to any personal data that an organisation holds about them. This is known as a Subject Access Request or SAR. As Student and Registry Services hold a massive amount personal data, it is likely that SAR’s will be received in our department. SAR’s are time sensitive, UCL must respond to requests within one month, so it is important that all colleagues recognise SAR’s and know what to do when one is received.

SAR’s can be received verbally or in writing and the words ‘Subject Access Request’ do not have to be used so long as it is clear that the individual is asking for a copy of their data. You should look out for questions such as:

  • Can you send me a copy of all of the information that UCL holds about me?
  • Can I have a copy of all of the personal data you hold on me?
  • Can you send me all of the personal information held on my student record?
  • Please provide any of my personal data found in emails from the following members of staff [list of staff] between these dates [date parameters].

What should I do if I receive a SAR?

If you receive an SAR, please contact the Data Protection Office (DPO) immediately by emailing data-protection@ucl.ac.uk. You should include the details of the request in your email. Please do not ignore or delay reporting the request, the one-month time limit begins as soon as UCL receives the request.

If you need further information to identify the student or to clarify the nature of the request, it is fine to ask for this, but please do not try to answer a SAR yourself. If you are ever in doubt, please contact the DPO for advice.

Out of office

The one-month time limit starts the moment a request is received, even if the college is closed or the person receiving the request is not in the office. Therefore, it is vital that all staff make use of the Microsoft Outlook out of office function for both personal and group inboxes. The out of office message must include details of how enquirers can submit requests under data protection (and Freedom of Information) legislation. It is recommended that the following text is used:

If you would like to submit a request for information under freedom of information or use any of your individual rights under data protection legislation (e.g. the right of access to your personal data), please contact foi@ucl.ac.uk or data-protection@ucl.ac.uk respectively.

For further information, please see the Guidance Note for out of office messages and information rights requests. 

Related News