Brasenose College Subject Access Request Procedure

Data Protection Office

Brasenose College, Oxford OX1 4AJ, UK
Tel: +44 (0)1865 277513
Email: data.protection@bnc.ox.ac.uk

1. Scope - UK GDPR

All personal data processed by Brasenose College is within the scope of this procedure.

Data subjects are entitled to obtain:

  • Confirmation as to whether Brasenose College is processing any personal data about that individual.
  • Access to their personal data.
  • Any related information.

2. Responsibilities

2.1 The Data Protection Officer is responsible for the application and effective working of this procedure.

2.2 The Data Protection Officer is responsible for responding to all SARs the College receives.

3. Procedure

3.1 All staff members should be aware of the characteristics of a Subject Access Request (SAR) to identify them against what may be standard information requests. A SAR is a request for any personal information that would fall outside the scope of ‘Business as Usual’. If there is any doubt as to whether a request from a data subject is a SAR, staff should forward the request to data.protection@bnc.ox.ac.uk for advice.

3.2 Whilst SAR requests can be received in any form, the College has preferred methods of submission laid out on the College website at https://www.bnc.ox.ac.uk/SAR. Where possible, data subjects should be encouraged to use the online method.

3.3 The data subject must provide Brasenose College with evidence of their identity and address, in the form of a current passport/driving licence and utility bill/financial statement with the data subject’s address clearly visible.

3.4 Brasenose College records the date that the identification checks (mentioned in 3.3) were conducted and accepted. This indicates the start date of the SAR unless:

The data subject may specify particular data sets of interest or simply request all the personal data the College holds on them. If a SAR request is unclear as to scope, the College can request clarification from the data subject. The time taken by the data subject to reply is not included in the one-month time constraint and so should not record the ‘Start Date’ of the SAR until clarification is received.

3.5 Brasenose College must provide the requested information to the data subject within one calendar month from the recorded start date of the SAR. If the end of that one calendar month falls on a weekend or bank holiday, the next working day is set as the ‘Respond by Date’.

Under GDPR Article 12(3), the one-month period may be extended by two further months where necessary, considering the complexity and number of the requests. The controller shall inform the data subject of any such extension within the first month of receipt of the request, together with the reasons for the delay.

3.6 Once the identity of the data subject is confirmed, the scope of the request understood and the ‘Respond by Date’ set, the Data Protection Officer should inform the data subject that the SAR has been accepted and of the ‘Respond by Date’.

3.7 The Data Protection Officer (or appointed agent) should then use the College’s data dictionary to ascertain which data owners in College will need to be involved in the request. The SAR Procedure Template should be completed and sent to relevant data owners along with a clear deadline for completion. Collection entails:

  1. 3.7.1 Collecting the data specified by the data subject; or
  2. 3.7.2 Searching all databases and all relevant filing systems (manual files) in Brasenose College, including all back up and archived files (computerised or manual) and all email folders and archives. The College’s GDPR Data Dictionary can help identify relevant data stores.

3.8 If any of the requested data is being held or processed under one of the following exemptions, it does not have to be provided:

  • National security
  • Crime and taxation
  • Health
  • Education
  • Social Work
  • Regulatory activity
  • Journalism, literature, and art
  • Research history, and statistics
  • Publicly available information
  • Corporate finance
  • Examination marks
  • Examination scripts
  • Domestic processing
  • Confidential references
  • Judicial appointments, honours, and dignities
  • Crown or ministerial appointments
  • Management forecasts
  • Negotiations
  • Legal advice and proceedings
  • Self-incrimination
  • Human fertilisation and embryology
  • Adoption records
  • Special educational needs
  • Parental records and reports

3.9 If a data subject requests Brasenose College to provide them with the personal data stored by an appointed third-party controller/processor, Brasenose College will provide the data subject with the requested information in a suitable electronic format, unless otherwise specified.

3.10 If a data subject requests what personal data is being processed, then Brasenose College must provide the data subject with the information below. In most cases, this information is already available online at https://www.bnc.ox.ac.uk/privacypolicies in the form of ROPAs (Records of Processing Activities):

  • 3.10.1 Purpose of the processing
  • 3.10.2 Categories of personal data
  • 3.10.3 Recipient(s) of the information, including recipients in third countries or international organisations
  • 3.10.4 How long the personal data will be stored
  • 3.10.5 The data subject’s right to request rectification or erasure, restriction, or objection, relative to their personal data being processed

3.10.5.1 Brasenose College removes personal data from systems and processing operations as soon as a request for erasure has been submitted by the data subject where there is no overriding reason to keep it.

3.10.5.2 Brasenose College contacts and communicates with other organisations, where the personal data of the data subject is being processed, to cease processing information at the request of the data subject.

3.10.5.3 Brasenose College will take appropriate measures without undue delay if the data subject has withdrawn consent; objects to the processing of their personal data in whole or part; is no longer under legal obligation; and/or has been unlawfully processed.

  • 3.10.6 Inform the data subject of their right to lodge a complaint with the supervisory authority and a method to do so.
  • 3.10.7 Information on the source of the personal data if it has not been collected directly from the data subject.
  • 3.10.8 Inform the data subject of any automated decision-making.
  • 3.10.9 If and where personal data has been transferred and information on any safeguards in place.

3.11 The Data Protection Officer (or appointed agent) will review all documents that have been provided as part of the SAR response to identify whether any third parties are present in it, and either remove the identifying third party information from the documentation or obtain written consent from the third party for their identity to be revealed. The Data Protection Officer (or appointed agent) must maintain a record of any consent received from third parties.

3.12 Brasenose College may use the following electronic formats to respond to SARs. The College will consider any other format the data subject requests providing it is stated from the start of the request, feasible and reasonable:

  • PDF documents
  • .csv files
  • .jpeg files
  • ZIP files (where the size and security of a data transfer requires it)

3.13 The Data Protection Officer (or appointed agent) must maintain a full record of SAR requests for data and include details of dates, any consents and reasoning of any redactions.

3.14 The Data Protection Officer (or appointed agent) must consider multiple factors when handling a subject access request (SAR) from a child. Before responding to a SAR of the child data subject, the Data Protection Officer (or appointed agent) must consider their ability to not only make the request but understand the response.

A child has a right of access to the information held about them. In most cases, these rights are likely to be exercised by those with parental responsibility for them. However, before responding to a SAR for information held about a child, you should consider whether the child is mature enough to understand their rights. It is reasonable, in most cases, for a child that is aged 12 years or more to have the capacity to make a subject access request and understand reasoning about why their data may be shared. Under the age of 12, parental guidance may be required and sought.

Document Owner and Approval

The Data Protection Officer is the owner of this document and is responsible for ensuring that this procedure is reviewed in line with the review requirements of the GDPR.

A current version of this document is available publicly on the College’s GDPR Framework page: https://www.bnc.ox.ac.uk/privacypolicies