Access to Personal Information
- What are my rights?
- What are the exemptions?
- How do I submit a request?
- What happens next?
- Can I appeal?
1. What are my rights?
The General Data Protection Regulation and the Data Protection Act 2018 (the data protection laws) give individuals a right of access to the personal data which organisations (i.e. Data Controllers) hold about them, subject to certain exemptions (see What are the exemptions?). Requests for access to personal data are known as subject access requests. This page explains how to submit a subject access request to the University, how we will handle your request, and your right to complain if you are dissatisfied.
If you submit a subject access request to the University, you are entitled to be told whether we hold any Personal Data about you. If we do, you also have the right to be:
- Given a description of the Personal Data, the reasons it is being processed, and whether it will be given to any other organisations or people;
- Given a copy of the information comprising the Personal Data and given details of the source of the data (where this is available);
- Told the purpose of Processing;
- Told the categories of Personal Data concerned;
- The recipients or categories of recipients to whom the Personal Data has been or will be disclosed, particularly 3rd countries or international organisations – where this is the case you are also entitled to be informed of appropriate safeguards relating to the transfer of information;
- The period data will be stored;
- The right to request rectification, erasure or restriction of processing;
- The right to lodge a complaint;
- The existence of automated decision making including profiling.
These rights apply to electronic Personal Data, and to Personal Data in "manual" (i.e. non-electronic) formats subject to certain limitations (see How has Freedom of Information affected Data Protection?). Further information about your rights under the applicable data protection laws is available on the website of the Information Commissioner.
2. What are the exemptions?
The data protection laws include various exemptions which specify the circumstances in which a Data Controller can refuse to provide access to Personal Data. The most likely situations in which the University could refuse to release information in response to a subject access request are where:
- The release of the information would jeopardise the prevention or detection of crime, or the apprehension or prosecution of offenders;
- The request relates to access to an examination script, other than examiners' comments;
- The request relates to Personal Data contained in a confidential reference provided by the University;
- The request relates to Personal Data which record the University's intentions in relation to any negotiations with you, and the release of the Personal Data would prejudice the negotiations;
- The Personal Data requested is covered by legal professional privilege;
- The Personal Data requested relates to management forecasting or management planning, and its release to you would prejudice the University's business or activities; or
- The request relates to access to Personal Data which have been retained for the purposes of historical or statistical research, the conditions set out in the data protection laws for processing for research purposes have been met, and the results of the research have not been published in a way which identifies individuals.
If the University withholds Personal Data from you as a result of an exemption under the applicable data protection laws, we will explain why the Personal Data have been withheld and the relevant exemption, unless doing so would itself disclose information which would be subject to the exemption.
Data protection laws allow us to refuse to act on your request, or to charge you a reasonable fee (taking into account the administrative costs of providing the information) where we consider your request to be manifestly unfounded or excessive, in particular because the request is repetitive in character.
We have to protect the data protection rights and other legal rights of other individuals when we respond to subject access requests. Information which does not relate to you may be 'blanked out' or edited out, particularly if it relates to other individuals. Sometimes we may not be able to release Personal Data relating to you because doing so would also reveal information about other persons who have not consented to their data being released, and it would not be reasonable in the circumstances to release the data without their consent. In such cases, you will be informed that Personal Data about you have been withheld and the reasons for doing so.
If we consider that you have made a subject access request which is manifestly unfounded or excessive in nature (for example because a request is repetitive), it is possible for the University to:
- Charge a reasonable fee taking into account the administrative costs of providing the information; or
- Refuse to act on the request.
If it is determined that a fee should be charged, you will be notified, in writing, of that fact, the level of the fee, and the reason for requesting the fee, without delay.
If it is determined that your request will be refused, you will be notified, in writing, of that fact and the reasons for the refusal to act on the request, without delay.
3. How do I submit a request?
You can make your subject access request by telephone or in person, as well as in writing for example by email. However, due to Covid 19, staff are currently working from home and are unable to receive requests by telephone, in person or by post at present. Therefore, please submit your request in writing via email to the following address: firstname.lastname@example.org
When making your request please be as specific as possible about the Personal Data which you want access to, as this will assist us in processing your request. For example, if you only want Personal Data relating to your academic record, you should indicate that. A general request such as "please send me all of the Personal Data which you hold about me" is likely to lead us to contact you for further information or clarification.
We require proof of ID to ensure that we are releasing Personal Data to the correct person. Please supply a photocopy (not the original) of one of the following:
- Your current Swansea University student ID or staff ID.
- The pages which identify you in your passport.
- Your driving licence.
Your ID and information request can be emailed to email@example.com (please note the University cannot guarantee secure transfer over email so attaching a password protected document containing your request and ID is advised).
4. What happens next?
We will send you an acknowledgement of your request as soon as possible. This will indicate the deadline by when we will send you a response.
We may ask you to complete and return the University's subject access request form. You are not obligated to complete this form, but is it designed to gather the information which we need to identify you, communicate with you and locate your Personal Data, which will assist us in dealing with your request efficiently, and avoid the need for us to contact you to obtain clarification.
We will respond to your request as soon as possible, and within 1 month of receipt of your request (unless we have grounds to extend that timescale). If we reasonably require further information from you to locate the Personal Data which you have requested, we will inform you as soon as possible.
Where you have made a request by electronic means (e.g. via email) we will provide the Personal Data in a commonly used electronic form. Where you have made a request by post, we will normally send the Personal Data on paper to the postal address specified by you, unless we agree with you that the Personal Data can be supplied in a different format. The Personal Data may take the form of photocopies, printouts, transcripts or extracts, or a combination of these, depending on what is most appropriate in the circumstances.
If you request further copies of the Personal Data we may charge a reasonable fee based on administrative costs.
5. Can I appeal?
If you are dissatisfied with the response to a subject access request, you are encouraged to contact the Information Compliance Manager in writing to firstname.lastname@example.org.
In order to progress your appeal as quickly as possible, please quote your request reference number and the date of your original request, as well as details of why you are making the appeal. Please include full contact details including a phone number where possible, in case we need to contact you during the appeal process. Receipt of your appeal will be acknowledged in writing. Following the review, you will be provided with a report containing the outcome and subsequent actions taken by Swansea University.
If you are not content with the outcome of the appeal, you have the right to apply directly to the Information Commissioner for a decision. The Information Commissioner can be contacted at: -
Information Commissioner’s Office,
Further information about how to enforce your rights under applicable data protection laws is available on the Commissioner's website.