University home > University Secretary's … > Data Protection > Advice for Individuals > Subject Access Requests

Making a subject access request

1. Subject Access Request Form

Individuals wishing to have access to personal data held by the University under the Data Protection Act 1998 ("the Act") must send a completed Data Subject Access Request Form to:

Information Rights Manager
Office of the University Secretary
Senate House
Tyndall Avenue
Bristol
BS8 1TH

2. Information required and procedure for responding to Subject Access Requests

The personal data requested should be clearly stipulated (e.g. student records held in the Department, UCAS forms, copies of research data for a particular project, personnel file). A cheque for Ł10 (the standard fee set by the Information Commissioner) made payable to the University of Bristol should be enclosed with the completed Request Form. It may be necessary to confirm the identity of the data subject and/or the person making the request. The University will respond to requests within 40 days of receipt of the completed Request Form (provided sufficient information has been given to the University to enable the University to process the request), or, in the case of exam marks, up to 5 months from the time when the University has sufficient information to process the Request Form.

3. General Guidance when Requesting subject access to emails

Data subjects are entitled to have access to their personal data held in the form of emails under the Act. However, data subjects must supply enough information to enable the University to locate the relevant emails. As a minimum, the following information must be provided to the Information Rights Manager when completing the Request Form:

The fact that the data may be held in the form of emails;
The names of the authors or recipients of the messages;
The dates or ranges of dates upon which the messages have been sent;
Any other information that might assist the University in locating the data.

Please note that failure to provide information reasonably required to narrow down the search could result in the University being unable to comply with a subject access request.

4. Emails containing personal data about other people (third parties)

Some emails are likely to contain personal data relating to third parties. The request may therefore lead to a conflict between the data subject's rights of access and the third party's rights over their own personal information. In responding to subject access requests the University will need to ensure that the rights of those third parties are not compromised by releasing the emails. As the obligation on the University is to provide information rather than documents, emails may be edited so that the third party information does not form part of the requested information.

The University may also ask for consent from the third party. Where consent is not given, in line with the Information Commissioner's guidance on "Subject Access Requests involving other people's information", the University will consider whether it is reasonable in all the circumstances to disclose the email without the third party's consent.

5. Accessing deleted emails

The University's central email system is backed up regularly and so deleted email messages may be held on backup media. The backups are eventually erased after a safe period (approximately three months), and normally the data are no longer used with respect to individuals. The University's policy is that to supply deleted emails as part of a subject access request amounts to disproportionate effort, and will only be done in exceptional circumstances or as required by law. For more information please see the Policy on Investigation of Computers used by Staff and Students.

6. Retention

Subject access requests will be held by the University for six years after the final action.