Under the GDPR, you can obtain:
Requests can be made verbally or in writing. They should include reasonable information to enable the University to identify and locate the information sought. They must also be accompanied by sufficient proof of identity. The University accepts the following forms of identification, photocopy:
Please note, ID checks are designed to protect your personal data from unauthorised disclosure.
Requests should be sent to:
Data Protection Officer, Legal Services, Corporate and Information Services, University of York, Heslington, York, YO10 5DD or emailed to dataprotection@york.ac.uk.
Where requests are manifestly unfounded, excessive or repetitive, the University will either:
Where a request is refused, the University will explain why and will inform you of your rights to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.
Typically, no. The University will not charge a fee for routine subject access requests. However, in line with the GDPR, the University may charge a 'reasonable fee' where requests are manifestly unfounded, excessive or repetitive. An administrative fee may also be charged where requests for further copies of the same information are made. Where a fee is charged, the one-month time limit for compliance will not begin until the fee has been paid.
Information will be provided as soon as possible and within one month of receipt of your Subject Access Request.
Example: The University receives a subject access request on 15 May. The time limit for compliance starts the same day. The deadline for compliance will be 15 June.
Where the following month is shorter and there is no corresponding calendar date, the deadline for compliance will be the last day of the month.
Example: The University receives a subject access request on 31 January. The time limit for compliance starts the same day. The deadline for compliance will be 28 February.
If the corresponding date falls on a weekend or public holiday, the deadline will be the next working day.
Please note, in certain circumstances, the University may extend the timeframe for compliance by a further two months where requests are complex or numerous. Where this is done, the University will inform you of the intended extension within one month of receipt of the request and explain why the extension is necessary.
Where requests are made electronically, information will be provided in a commonly used electronic format, typically PDF. Requests received by post will be responded to in paper form unless an alternative means of communication is specified by the applicant.
In the first instance, have a look at the ICO's Subject Rights Guidance, available here. If things are still unclear, get in touch with the University's Data Protection Officer at dataprotection@york.ac.uk or by telephone on extension 3869.