Handling Subject Access Requests (SARs) | Data protection guidance

Guidance for staff on how to identify and respond to SARs efficiently and responsibly.

Important:

  • A SAR is the right of any individual to access the personal data UCL holds about them.
  • SARs must be responded to within set timeframes, or UCL risks serious penalties.
  • Requests may come to any staff member and do not have to state that they are a 'SAR'.
  • It is a legal requirement that UCL responds to requests. DO NOT delay requests for information. Forward any SAR, or signpost any requester, to the Data Protection Office (DPO).


A SAR is when an individual exercises their right to find out what data is being held about them and how it is being used. Individuals may also ask for a copy of the data itself.

When such a request is made to UCL, UCL must respond within one month of receipt of the request or may face legal proceedings and regulatory action.

Identifying a SAR when it is received

A SAR does not need to state that it is a SAR when it is submitted; it is, therefore, important that we can identify a SAR when it is received.

A SAR can be made to any person in any part of the organisation (including via social media) and does not have to be addressed to a specific person or contact point.

The request may be made in writing or verbally.

Examples of data that may be requested:
  • Emails between ‘person A’ and ‘person B’ (from 1 June 2018 to 1 Sept 2018),
  • CCTV footage from the camera situated at ‘location E’ on 23 May 2017 from 11am to 5pm,
  • Records detailing the transfer of their data to a third party,
  • Their personnel file,
  • HR records related to the individual,
  • Database records related to the individual,
  • Interview notes related to the individual.

What a request might look like:

  • “What information do you hold on me?”
  • “I want to know what personal data you have stored about me.”
  • “Can you please tell me what personal data you hold on me and why?”
  • “I’d like to know what personal data of mine you have.”
  • “Please send me all the information you hold on me.”

Responding to a SAR

Act quickly and report it. The one calendar month deadline runs from the day UCL receives the request, and closure days count towards it; the requester must have the response within that month. If we do not meet this deadline we are likely to breach data protection legislation.

  • If you receive a request for personal data, refer the individual to the SAR form and ask them to complete it and submit it as per the instructions in the form.
  • If the individual does not wish to submit a form, forward their request to data-protection@ucl.ac.uk with the subject: ‘Subject Access Request’.
  • Do not try to deal with it yourself without assistance from the DPO, as there are statutory requirements that need to be met.

Searching for personal data

Information held in email

Many SARs will involve searches for personal data in emails. UCL’s recommended policy for material held in UCL staff email mailboxes is for the DPO to organise searches centrally using search tools provided by the Information Services Division (ISD). This allows the DPO to locate the requested correspondence objectively and efficiently, using specific searches, and it provides an audit trail of the searches undertaken. If, however, you would prefer that ISD does not run an automated search of your mailbox and would rather conduct the search yourself, let the DPO know.

Information held other than in email

SARs will often involve information other than UCL emails. Depending on the exact wording and date range of the request, we would expect you to search the following:

  • Any potentially relevant files stored on your personal computers, including non-UCL devices if used for work purposes
  • Any potentially relevant files stored on shared drives (e.g. ‘S’ drives or departmental drives) to which you have access
  • Any potentially relevant files in your recycle bin that have not yet been permanently deleted
  • Any potentially relevant manual records such as filing cabinets or diaries

For electronic search terms, liaise with the DPO team, who will tell you which search terms are appropriate for your search. Microsoft has produced .

Personal data not found

If you do not hold any personal data relating to the requester, please let the DPO know as soon as possible. If you think that data may be held elsewhere or by someone else, please let the DPO know as soon as possible.

On finding relevant personal data

For electronic files of less than 5 MB, send via UCL Outlook to data-protection@ucl.ac.uk. For electronic files bigger than 5 MB, send via UCL Dropbox or OneDrive.

N.B. If the material is classed as Confidential or Highly Confidential (according to UCL’s Information Management policy), encrypt the information using 7zip and share the decryption key (the password) with the DPO by a different channel from the one used to send the file (SMS, email, instant messenger, telephone); never put the password in the same message as the file. If in doubt, encrypt the information.

If sending via Outlook, email messages should be attached to a cover email as separate .msg files. Do not use a non-UCL email account to transfer unencrypted personal data. If you intend to send data on a memory stick or disc, it must be encrypted; see the ISD website for details on how to do this. Paper files can be collected in person by the DPO, or hand-delivered via the Office of the General Council, 6th Floor, Bidborough House, London, WC1H 9BF.
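The two practical steps above (searching local and shared-drive files for the terms the DPO supplies, then encrypting Confidential material with 7zip before it leaves your machine) are shown together in the following script. It is an added example, not UCL or ISD tooling: the helper names find_hits, gen_passphrase and encrypt_bundle, the placeholder paths and the term file are all assumptions, and it assumes a POSIX shell, a grep that supports -r/-i/-l/-F/-f, and the 7-Zip command line tool installed as 7z.

```shell
#!/bin/sh
# Added example (not UCL or ISD tooling): search a local folder for the
# DPO-supplied search terms, then bundle the hits into an encrypted 7z archive.
# Assumptions: POSIX sh; grep supporting -r -i -l -F -f; the 7-Zip CLI
# installed as "7z" (some distributions ship it as 7za or 7zz instead).
set -eu

# Print the path of every file under $1 that contains any term listed in $2
# (one term per line). Terms are matched literally (-F) and case-insensitively
# (-i). Keep the term file outside the folder being searched, otherwise it
# will match itself. Exit status 1 from grep just means "no hits".
find_hits() {
    search_root="$1"
    term_file="$2"
    grep -rilF -f "$term_file" -- "$search_root" || true
}

# 24 random alphanumeric characters (about 143 bits) read from /dev/urandom.
gen_passphrase() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24
}

# Read file paths from stdin (one per line) and write them into $1 as an
# AES-256 encrypted .7z. -mhe=on also encrypts the archive header, so the
# file names, which can themselves be personal data, are hidden without the
# passphrase. The passphrase is printed on stdout and is the only copy:
# pass it to the DPO by a different channel from the archive (telephone,
# SMS), never in the same email as the archive.
encrypt_bundle() {
    archive="$1"
    list_file="$(mktemp)"
    cat > "$list_file"
    pass="$(gen_passphrase)"
    7z a -t7z -mhe=on -p"$pass" "$archive" @"$list_file" > /dev/null
    rm -f "$list_file"
    printf '%s\n' "$pass"
}

# Usage (terms.txt comes from the DPO; the paths are placeholders):
#   find_hits /mnt/S-drive/dept terms.txt | encrypt_bundle sar-bundle.7z
```

The -mhe=on switch is the part practitioners most often miss: without it a 7z archive encrypts file contents but leaves the file names readable, and a file called after the requester is itself personal data. Two caveats: the passphrase is passed on the 7z command line, so it is briefly visible to other local users in the process list, and the script prints it exactly once, so copy it into the out-of-band channel straight away.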

If the personal data also contains information about people other than the requester (including you)

Under UK data protection law, an individual has a right of access only to his or her own personal data. Very often, the personal information gathered in response to a SAR also contains the personal data of other people (known as third parties). For example, email correspondence can involve several people and contain the personal data of each of them as well as the requester.

The DPO will exclude information that is out of scope of the request, but invariably some third party personal data will remain, particularly where it is not sensitive (e.g. other staff members’ names or UCL email addresses). The DPO will, by default, redact (remove) third party data that is sensitive or confidential. Where redaction is not possible (for example, the context of a document means the third party is inevitably identifiable), the team may contact the third parties involved to establish whether they consent to their personal data being disclosed. If the team cannot obtain consent (either because it is refused or because they cannot contact the third party), they will decide whether it is fair and reasonable to release the third party information to the requester without consent.

You may receive a ‘third party notification’ email from the team in relation to a SAR. If you do, please respond promptly, by the date indicated in the message. If you have concerns about the release of your personal data, discuss these with the member of the Data Protection team responsible for the request.

Checklist when responding to a SAR at UCL

  • Have you checked for paper documents, personal and/or departmental?
  • Have you searched your own computer files?
  • Have you searched relevant shared drives?
  • Have you checked your computer recycle bin?
  • Sending relevant data to the DPO:
      ○ Are you sending data from outside the UCL network? If so, are the files encrypted?
      ○ If sending files by memory stick or disk, have you encrypted these?
  • Information that identifies you:
      ○ If the files contain your personal data and it is sensitive or confidential in some way, have you told the team whether you consent or object to the release of the information that relates to you?

UCL may refuse a SAR if:

  • An individual is asking for personal data about another individual, or the information they are requesting contains personal data about another individual, unless:
      ○ the other individual has also given permission for the requester to access that information, or
      ○ it is reasonable to provide the data about the other individual without their consent.
  • The request is ‘manifestly unfounded or excessive’, in which case UCL must justify and explain the reasons for arriving at this decision.

The decision to refuse a SAR can only be made by the DPO. Please do not attempt to make this decision yourself.


Exemptions

Further information on the are available from the ICO website.

The Dos and Don’ts

  • Don’t ignore
  • Don’t delay

It is important that you do not ignore any requests. Doing so may lead to financial penalties, enforcement action, legal proceedings and reputational damage.

  • DON'T send data directly to the individual who initiated the SAR. The DPO will co-ordinate and instruct on what data needs to be included.
  • DO respond promptly to any instructions from data-protection@ucl.ac.uk.
  • DON'T disclose any personal data to any external persons or organisations as part of a SAR, except where instructed to by the DPO.

Best Practices

Help UCL meet its responsibilities.

  • If you are unsure how to handle a SAR, contact the DPO as soon as possible.
  • It is good practice to ask the individual who submits the SAR to fill in a SAR form, but you cannot force anyone to use it (explain that it will make the process transparent and manageable).
  • Maintain your Out of Office messages to avoid poor response times to SARs. Follow our guidance on Out of Office Messages.

For further guidance and training please visit:

If you are unsure or want advice please contact the DPO using the link below: