Requesting access to personal data
Data Protection Law gives individuals a right of access to the personal data which organisations hold about them, subject to certain exemptions (see What are the exemptions? ). Requests for access to personal data are known as subject access requests. This page explains how to submit a subject access request to SOAS, how we will handle your request, and your right to complain if you are dissatisfied.
If you submit a subject access request to SOAS, you are entitled to be told whether we hold any data about you. If we do, you also have the right:
- To be given a description of the data, the purposes for which the data are being processed, how long the data is retained, and those to whom the data may have been disclosed, including transfers outside of the European Economic Area;
- To be informed of your other rights, particularly the right to correct or request erasure of your data
- To be given a copy of the data in an intelligible form, with any unintelligible terms explained;
- To be provided with any information available to SOAS about the source of the data; and
- To be told of the existence of any automated decision-making, including profiling, using your personal data, with an explanation of the logic involved and how this processing is likely to affect you.
Further information about your rights under Data Protection Law is available on the website of the Information Commissioner .
If your request is for information other than information about yourself, such as information about decisions or actions by SOAS, you cannot submit it as a subject access request. See our Freedom of Information pages for details of how to submit a Freedom of Information Act request
Requests for access to personal data can be made in writing or orally. SOAS has a Subject Access Request Form (msword; 50kb) , which is designed to gather the information which we need to identify you, communicate with you and locate data about you. You do not have to complete this form to submit a request, but we find it is a helpful guide for both the School and requesters in clarifying who you are and what information you wish to receive.
When making a subject access request, please note that in doing so you will be checking that SOAS is processing your data lawfully. If you only want certain types of data, please be as specific as possible about the information which you want access to, as this will assist us in processing your request. If we hold a large quantity of information on you, and your request covers all or most of that information, we may return to you to specify the information you want or the processing activities to which your request relates.
You may ask a third party to make a request on your behalf. However, please be aware that it is your responsibility for ensuring that you provide evidence of the third party's entitlement to make the request for you.
In order to process your request we will take reasonable steps to verify your identity, which may involve asking you for specific forms of photographic ID, such as your student/staff ID, a driver's licence or the page(s) in your passport which identify you. We will not begin processing your request until we are satisfied we have verified your identity.
If we have deemed it necessary to ask you for a valid form of identification or further information to understand your request, we will wait for one calendar month for clarification before closing your request.
Please send details of your subject access request and ID by email to firstname.lastname@example.org, or by post to the following address:
Information Compliance Manager
Governance and Compliance Directorate
SOAS, University of London
London WC1H 0XG
We will send you an acknowledgement of your request as soon as possible. This will indicate the deadline by which you can expect a response. We may also ask you to provide further information or clarification if we require it to process your request.
After SOAS receives your request, we must consider it and respond to it. We will respond as soon as possible, and in all cases within one month of receipt of your request. Following ICO guidance, we calculate deadlines by following the formula below:
Equivalent day of the next month, counted from the day after the request is received. For example, if a request is received on 5 June, we calculate the deadline as 6 July.
If we reasonably require further information from you to locate the data which you have requested, or we need to verify your identity, we will inform you as soon as possible, and the one month deadline will commence from the date when we receive the information from you.
You will receive your response in standard letter format. If the amount of information you have requested is too large to fit into the letter, or is held in a different format (e.g. as a dataset), we will provide the information you have requested separately. If you have made your request electronically, then we will respond to you electronically unless you have asked us to do otherwise.
If SOAS holds no data about you, you will be informed of this. You will also be informed of any cases where data about you have been withheld and the reasons for this, including the relevant exemptions (see What are the exemptions? ), unless doing so would itself reveal information which would be subject to an exemption.
The Data Protection Act (2018) includes various exemptions which specify the circumstances in which an organisation can refuse to provide access to personal data. The most likely situations in which SOAS could refuse a subject access request are where:
- The release of the data would jeopardise the prevention or detection of crime, or the apprehension or prosecution of offenders;
- You have requested access to an examination script, other than examiners' comments;
- You have requested data contained in a confidential reference;
- You have requested data which record SOAS's intentions in relation to any negotiations with you, and the release of the data would prejudice the negotiations;
- The data is covered by legal professional privilege;
- The data relates to management forecasting or management planning, and its release to you would prejudice SOAS's business or activities; or
- You have requested access to data which have been retained for the purposes of historical or statistical research, the conditions set out in the Data Protection Act for processing for research purposes have been met, and the results of the research have not been published in a way which identifies individuals.
If SOAS withholds data from you as a result of an exemption under the Data Protection Act, we will explain why the data have been withheld and the relevant exemption, unless doing so would itself disclose information which would be subject to the exemption.
Data Protection Law allows us to extend the deadline for responding to your request by up to two months if your request is complex, and will communicate our intention to extend the deadline along with the reason within one month of receiving your request. If you request further copies of your data we may charge a reasonable administrative fee.
We have to protect the Data Protection rights and other legal rights of other individuals when we respond to subject access requests. Information which does not relate to you may be redacted (blacked out) or removed, particularly if it relates to other individuals. Sometimes we may not be able to release data relating to you because doing so would also reveal information about other persons who have not consented to their data being released, and it would not be reasonable in the circumstances to release the data without their consent. In such cases, you will be informed that data about you have been withheld and the reasons for doing so.
If you are dissatisfied with the handling of your subject access request, you are encouraged to contact the Information Compliance Manager in the first instance, to determine if they can resolve your concerns (see Where can I get further information? for contact details). You should state as fully as possible why you think your request was not dealt with in accordance with Data Protection Law, and the remedy which you are seeking from the School. The Information Compliance Manager will aim to conclude the review within 20 working days.
If you are dissatisfied with the outcome of the Information Compliance Manager's review of your request, you can ask the Information Commissioner for an assessment as to whether SOAS has processed your data in accordance with Data Protection Law. The Information Commissioner can be contacted at the following address:
Cheshire SK9 5AF
Further information about how to enforce your rights under Data Protection Law is available on the Information Commissioner's website.
The copyright of any data which is supplied to you will be owned by SOAS unless otherwise indicated. The supply of information under Data Protection Law does not give the person who receives it an automatic right to re-use the information in a way which would infringe copyright, for example, by making multiple copies, publishing and issuing copies to the public.
Brief extracts of any material which is supplied to you may be reproduced under the fair dealing provisions of the Copyright, Designs and Patents Act 1988 (sections 29 and 30) for the purposes of research for non-commercial purposes, private study, criticism, review and news reporting. More extensive re-use must only be carried out with prior written permission from SOAS.
Enquiries about the re-use of material should be directed to SOAS's Information Compliance Manager (see Where can I get further information? for contact details).
If you are seeking a transcript of your academic results, or you need a copy of your SOAS degree certificate, you should not submit a subject access request.
Transcripts, degree letters and degree certificates are issued by SOAS Registry. Please contact Registry to obtain an additional copy for a fee. There are different requirements for students who graduated up to and including 1998, and from 1999 onwards.
Students can exercise their rights under Data Protection Law to request access to their marks; to the comments by examiners on their dissertations and on their exam scripts; and any data about them in the papers of examination boards. You should submit a subject access request in the usual way (see How do I submit a request? ). The identities of your examiners will not normally be released to you. Data Protection Law provides that, if your results have not been published when your request arrives, we will respond within 5 months of the date of receipt of your request or one month from the publication of the results (whichever is sooner).
However, SOAS students can also request informal feedback on their examination and dissertation performance without having to make a request under the law. Requests for informal feedback should be directed to the relevant Department. Questions about informal feedback should be directed to your Department or the SOAS Registry.
Students should note that the right of access to personal data does not provide a right of access to examination scripts.
Further information about how SOAS aims to protect the rights of individuals under data protection law is provided in SOAS's Data Protection Policy . Enquiries relating to data protection at SOAS should be directed to SOAS's Information Compliance Manager, whose contact details are below:
Information Compliance Manager
Information and Technology Directorate
SOAS, University of London
London WC1H 0XG
Telephone: +44 (0)20 7898 4817
Information about your rights under Data Protection Law and how to submit a subject access request is also available on the website of the Information Commissioner .