Protection of personal information is especially important and anyone who handles or processes personal information should be aware of the University Data Protection Policy.
Remember: a request for personal data doesn’t have to mention subject access or the Data Protection Act. It just has to be a request in writing (email will do). If you get such a request – alert the Information Governance Officers (IGOs) at info.sec@brookes.ac.uk immediately.
What does the Data Protection Act mean for staff?
- All individuals have a right to see the personal data that we hold on them.
- This extends to emails, letters, memos, minutes and spreadsheets etc – in short any recorded information from which they can be identified. Even audio, video, Google Chat and other CCTV recordings can be requested by an individual.
- Everything that the university holds on an individual can be, and frequently is, requested for disclosure under UK GDPR (2018) and DPA (2018). By law we have to release the data. Note that this can include opinions made and intentions expressed towards that individual. For example, if you wrote in an email “I believe that person x is a nuisance and should be demoted”, we would need to carefully consider whether to release this in full or redact the information before releasing it, so the words you use do matter.
The University’s Information Governance Officers (IGOs)
Information Governance Officers (IGOs) are the point of contact for both internal and external requests. As an employee you may be asked to perform a search for data and provide the output to them. It is a legal obligation to search for and provide the data. It can be a criminal offence for a public authority to destroy or conceal information which an individual (a “data subject” under law) has a right to receive.
Releasing data
In most cases individuals have the automatic right to view all of their own data; however, they have no automatic right to see third party data. We may seek consent to release third party data, but there are other factors we take into consideration when making such a judgement.
Generally we release the majority of data when dealing with requests. There are some exemptions, but these are very specific and infrequently applied.
There is a strict time limit
We have 30 calendar days from the day after receipt of the request to provide the information once the request is finalised. This can be extended: we can sometimes add up to two calendar months, but only in exceptional circumstances. It is therefore important for staff to respond promptly and comprehensively despite other demands on their time.
Dos and don'ts
- do remember that whatever you write about an individual may be disclosed to them
- do make sure that all your communications about others are appropriate and professional
- do make sure you recognise when you receive a request for data and don't ignore it
- when asked for data by the University do provide it: don't conceal or destroy it.
Information Security Office
Oxford Brookes University
Headington Campus
Oxford
UK
OX3 0BP