You can find out more and download the Subject Access Request form here. There is a statutory fee of £10 payable upon request.
Staffordshire University needs to gather and use certain information about individuals.
These can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.
This policy describes how this personal data must be collected, handled and stored to meet the University’s data protection standards — and to comply with the law under the Data Protection Act 1998.
Why this policy exists
This data protection policy ensures Staffordshire University
Data protection law
The Data Protection Act 1998 describes how organisations, including Staffordshire University, must collect, handle and store personal information.
These rules apply regardless of whether data is stored electronically, on paper or on other materials.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The Data Protection Act is underpinned by eight important principles. These say that personal data must:
People, risks and responsibilities
This policy applies to all staff and all contractors, suppliers and other people working on behalf of Staffordshire University.
It applies to all data that the University holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act 1998. This can include:
Data protection risks
This policy helps to protect Staffordshire University from data security risks, including:
Everyone who works for or with Staffordshire University has some responsibility for ensuring data is collected, stored and handled appropriately.
Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.
These rules describe how and where data should be safely stored.
When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it.
These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
Personal data is of no value to Staffordshire University unless it can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:
The law requires Staffordshire University to take reasonable steps to ensure data is kept accurate and up to date.
The more important it is that the personal data is accurate, the greater the effort Staffordshire University should put into ensuring its accuracy.
It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
Subject access requests
All individuals who are the subject of personal data held by Staffordshire University are entitled to:
If an individual contacts the University requesting this information, this is called a subject access request.
Information about subject access requests is available from the University website http://www.staffs.ac.uk/legal/request_information/
Disclosing data for other reasons
In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances, Staffordshire University will disclose requested data where the request is legitimate.
In addition Staffordshire University will ensure that:
This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the Data Protection Act 1998.
In case of any queries or questions in relation to this policy, please contact the Data Controller: firstname.lastname@example.org.
Further information can be found on the University Legal Website:
Under the Data Protection Act 1998 an individual has the right, subject to certain exemptions, to access the personal information that an organisation holds about them. Accessing personal data in this way is known as making a Subject Access Request.
If you wish to make a subject access request to the University, your request must be:
made in writing accompanied by a fee of £10
You are entitled:
You may apply to access your data in writing in any way you choose. A Subject Access Request Form is made available for your convenience. The form sets out where you should send your request as well as the various ways (check with Helen Holt re ways of payment) in which you may pay the fee and provide us with proof of your identity.
On receipt of your completed request, payment of the fee, verification of your identity, and sufficient information to enable us to locate the information, the University is obliged to respond within 40 calendar days. The information will be supplied subject to any applicable exemptions. The data will be provided as of the date of receipt of your request.
Please return your form to the Information Protection & Security Manager at the address shown.
The organisation has to reply within 40 days, starting from the day they receive both the fee and the information they need to identify you and the information you need. A credit reference agency must reply within seven days to a request for a credit file.
If an organisation reasonably needs more information to help them find your information or identify you, they have to ask you for the information they need. They can then wait until they have all the necessary information as well as the fee before dealing with your request.
The organisation should give you the information in writing but they need not do this if it is not possible, if it takes ‘disproportionate effort’ or if you agree to some other form, such as seeing it on screen. The Act does not define what disproportionate effort means but we think the following should be taken into account:
Can the organisation withhold any information?
Yes. There are some circumstances where the information you have asked for contains information that relates to another person. Unless the other person gives their permission, or it is reasonable in all the circumstances to provide the information without permission, the organisation is entitled to withhold this information.