UNIVERSITY of GLASGOW

DP and FOI office

Subject Access Requests - How to request information about yourself

The Data Protection Act [DPA] is concerned with an individual's personal data, the individual's expectations of privacy and security in the use of the personal data, the framework of rules and procedures to be followed in collecting, storing, securing, transferring, accessing, retaining, and destroying personal data, and the individual's right of access to his/her personal data.

If your enquiry is concerned with general information, then a Request for Information under the Freedom of Information [Scotland] Act is appropriate. The information below is intended for those who seek access to personal data about themselves that is held by the University. If your enquiry is concerned with any other aspect of the Data Protection Act [DPA], it must be directed to the University’s Data Protection Administrator, or by phone to 0141 330 3111, or in writing to the address at the foot of this page.

Please note that academic departments are responsible for releasing information on assessment (including examination marks) to students.  Students should only need to submit a Subject Access Request to the Data Protection Office for assessment information if they require their personal file, minutes of examiners' meetings, or advice on data protection issues; or where more complex DPA issues are evident.  

  1. Section 7 of the Data Protection Act 1998 entitles an Individual to enquire as to whether personal data about themselves is held by the University. This process is called a Subject Access Request [SAR].
  2. All enquiries about potential SARs, or for advice on the scope of a SAR, or for advice on requests for access to personal data, must be directed to the University's Data Protection Administrator, or by phone to 0141 330 3111, or in writing to the address at the foot of this page. 
  3. All SARs must be in writing by completing the relevant SAR Form and submitting it, together with evidence of identity and payment for the £10 fee, to the University's Data Protection Officer [DPO] at the address at the foot of this page.
  4. Any SAR submitted on behalf of another Individual must be accompanied by the written authority of that Individual and include a description of the relationship of the enquirer to that Individual.
  5. It is essential to specify, on the SAR Form, any specific documents to be located and/or areas to be searched.
  6. A SAR will be processed once the University has (a) validated the identity of the Individual and/or their Representative, (b) agreed on the scope of the request, and (c) received the £10 fee, and will be completed within the period laid down in the legislation.
  7. The University must respond to a SAR within 40 calendar days.
  8. The University will notify the individual in the event that the University anticipates that its response to the SAR will be outwith the 40 calendar days timescale.
  9. The DPO will contact appropriate organisations within the University in the search for relevant documents containing information on the Individual and to ensure compliance.
  10. All SARs will be treated in the strictest confidence and will only be processed by authorised University Staff in relevant departments/faculties who will have to be contacted in order to locate the information and process the SAR.
  11. Relevant manual filing systems will always be searched where the filing system is either (a) structured by reference to the Individual, or (b) indexed such that it would be known in advance whether particular material would be found in a particular place in that file.
  12. The University will also seek to locate other personal data from non-relevant & non-structured filing systems when a specific & detailed description of the personal data is supplied on the SAR Form. The University may charge a fee, according to the provisions of the UK Freedom of Information Act 2000, to cover the costs of locating and supplying such unstructured information.
  13. Personal Data can be held in written information, e-mails, electronic documents, photographs, CCTV images, and include recorded opinions about, or intentions regarding, an Individual.
  14. For a document to be considered to contain personal data about an Individual, the Individual/Subject of the SAR must be the focus of the information, the information must affect the Individual's privacy, and the information must be biographical in a significant sense. The mere mention of the Individual's name in a document is not enough to make the information in that document personal data about that Individual.
  15. A SAR, other than one involving examination information or where the Individual indicates otherwise, will involve a search of the appropriate records held by the following University Departments if the relevant boxes on the SAR Form are ticked: Central IT services, Finance Office, Human Resources Department, Registry, Senate Office, and the University Library.
  16. A search will also be undertaken within Faculty and Departmental Offices when information identifying the Faculty(ies) and Department(s), to be the subject of the search, is supplied by the Individual.
  17. The Individual is entitled to be told of the logic involved in any process where personal data is used, or is likely to be used, to make an automatic decision about the Individual.
  18. Coded personal data will be rendered intelligible to the Individual.
  19. Encrypted personal data will be decrypted for the Individual.
  20. The anonymity of other individuals mentioned in personal data may be protected, when appropriate, by redaction. In general, where an individual is acting in an official or work capacity, the identity of that individual will not be redacted.
  21. Part II sections 7(4), 7(6) and 10 of the DPA allow the University to withhold documents from the Individual, or subject documents to redaction, on the grounds of (a) lack of consent to release the document by a third-party, (b) judgement that the University must respect the confidentiality of a third-party, (c) judgement that the release of the document will cause distress to the Individual, and (d) judgement that the University must safeguard the vital interests of the Individual or another person. In general, where an individual is acting in an official or work capacity, documents relating to this part of an individual’s life will normally be provided and not subject to redaction.
  22. The University is not required to divulge when and whether documents have been withheld.
  23. The Information Commissioner has advised that a SAR made under the Data Protection Act cannot claim any exemptions that might apply to an Information Request made under the Freedom of Information [Scotland] Act 2002.
  24. The Information Commissioner has advised that the University is less likely to be able to justify withholding information, such as a reference or other report on an individual, where a third-party is a member of staff acting in the course of his/her duties as a line manager.
  25. A SAR requiring a search of CCTV records will require (a) the prior supply of a clear photograph, showing clear distinguishable features, of the Individual, (b) the specification of the date/time of the visit to the premises covered by the CCTV system, and (c) the ability for the Individual to be identifiable from the CCTV records.
  26. For SARs that relate to examination marks or results, the timescale is extended to (a) five months from the time when the request is received and validated, or (b) forty days from the announcement of the examination results, if earlier, and provided the Individual’s Request has been validated.
  27. The response to SARs that relate to examination information will only result in the release of documents, such as examiners' comments & minutes of examiners' meetings, that contain personal data about the Individual.
  28. The reply to a SAR, unless the Individual specifies otherwise, will be sent by the Royal Mail Recorded Delivery Service to the address specified on the completed SAR Form.
  29. The University has the right under section 8(3) of the DPA to decline a SAR where it has already complied with an identical or similar SAR by the same Individual unless a reasonable interval has elapsed between compliance with the previous SAR and the making of a new SAR.
  30. The University retains the documents relating to the handling of a SAR according to the .
  31. If you are dissatisfied with the way in which the University has handled your request for information, please refer to the University's DPA Complaints Procedure.

All enquiries and comments should be made to the University's Data Protection Administrator, or by phone to 0141 330 3111, or in writing to the following address:

Data Protection Administrator
Data Protection & Freedom of Information Office
Main Building
University of Glasgow
Glasgow G12 8QQ