Submit a subject access request
Any person who believes that the University is holding personal information about them can apply for a copy of this by making a subject access request.
All subject acccess requests must be made in writing to the Data Protection Officer. To ensure that your request is processed quickly, please:
- download our subject access request form
- complete and print the form
- make a photocopy of suitable personal identification (driving licence or passport).
Send this information to:
Data Protection Officer, Wessex House 8.17, University of Bath, Claverton Down, Bath, BA2 7AY
If you have all your information in digital format, email it to dataprotection@.bath.ac.uk
Please be as specific as possible when outlining what data you want to see as this can help us locate and gather it.
Requests from third parties
We will only release any personal data on a third party if the Data Subject has given their express consent to us doing so.
Requests from parents
University staff are not allowed to discuss student's welfare, progress, or other personal data relating to them with parents, unless the student has given their explicit permission.
Such consent has to be in writing, in either a letter or an email from a recognised student email account.
Requests from sponsors
We are not able to discuss a student's progress with sponsors, unless the university has received explicit permission from the student to do so.
Such consent has to be in writing, in either a letter or an email from a recognised student email account.
Response to subject access requests
We are required to respond within one calendar month of receipt of the request, through we will always try to respond as quickly as possible.
If the requested data is located and can be released, we will normally send electronic copies via email.
In some exceptional cases, we may not release the information, or the information in its entirety. This may be because the data is subject to an exemption under the Data Protection Act, or if doing so will release personal data relating to other individuals. If this is the case, you will be provided with a full explanation.
What is a subject access request
Under the Data Protection Act, individuals have the right to know what personal data about them is being held by the University and to access that data (subject to certain limitations and exemptions). Requests made by individuals to access their data are known as "Subject Access Requests" (SAR).
There are strict legal requirements that you/the University needs to comply with regarding any such requests and strict statutory timescales apply.
Do I need to comply with this request and actively search for any relevant data which I may or may not have?
Yes. Just because it may be difficult or time consuming for you to find the requested personal data or the search generates a large volume of documents, this is not a valid basis for refusal.
What are the consequences of non-compliance with a SAR?
Failure to comply with a SAR could result in the University being fined. The fines are potentially large (a maximum of 20 Million Euros from May 2018). It could also result in criminal prosecutions being brought against individuals.
The University's reputation can be affected; the ICO (the Regulator) publishes Enforcement Notices it issues for non-compliance and these are often picked up by the media.
What information do I need to provide and how thorough do I need to be in my search?
You must ensure that you provide the Legal Office with ALL the documents that you possess that relate to or mention the individual. This applies regardless of what form they are in (formal correspondence, emails, handwritten notes, electronic and paper records, SDPRs if applicable and everything else which contains mention of, or refers to, the individual are potentially caught).
It is not sufficient to provide the majority of the documents you hold and you should ensure that you have included absolutely everything that you or your team hold that is or may be pertinent.
When you are dealing with a request if you are ever in doubt as to whether something needs to be included/disclosed, you must provide it to the Legal Office who can determine if it should be disclosed. They can advise further as needed.
If you know anyone else in the University who may also hold pertinent data, please make the Legal Office aware of this.
What if a document mentions someone else or something that I would rather was not disclosed to the individual?
Just because a document is embarrassing, inaccurate or unhelpful is not a valid basis for refusing access to it.
If documents contain someone else's data (i.e. they mention someone other than the person making the request), it may be appropriate to provide it in redacted form. This is a matter of legal judgement and is for the Legal office to consider. The Legal office carefully check all documents before copies can be provided.
Please note, it is a criminal offence to delete or make changes to personal data after receiving a SAR.
Where can I get more information?
You can contact the Data Protection Officer dataprotection@bath.ac.uk
There is also extensive guidance on Subject Access Rights available on the ICO website