Data Protection Procedures – Third Party Requests for Personal Data Made Under ss.29 or 35 of the Data Protection Act 1998

(DRAFT)

1. Introduction

Under s.29(3) and s.35 of the Data Protection Act 1998 (DPA) parties may make requests for disclosure of personal data in connection with crime and taxation (s.29) or legal proceedings or some other citable Act or with a court order (s.35). [Section 28 contains similar provisions linked with national security, which is not covered here as it does not apply to Queen Mary.] These third parties are usually police forces, HMRC, UKBA or local authorities, but can be certain others.

2. Dealing with Requests

2.1 Process for receipt of requests

  • The request must be in writing (if received by telephone or in person, please ask the requester to put it in writing). The requesting party may have a standard form for doing this, but Queen Mary has its own version, which can be found here.
  • The usual £10 fee for subject access requests is not to be charged.
  • The identity of the applicant and their organisation must be verified. For example, the organisation could be contacted by alternative means to verify that the applicant is an individual who is employed there.
  • The form must be authorised by being countersigned by an officer in the requesting organisation of a higher rank/position. Any electronic versions should ideally be followed by a hardcopy with original signatures.
  • All requests should be notified to the Records & Information Compliance Manager who will log the request as described in the Data Protection Procedures.
  • QMUL has 40 calendar days to supply the information or provide any other response. Usually responses are required very quickly.

2.2 Who is responsible for handling requests?

Requests could be received in any part of Queen Mary, though applicants should be directed to contact the Records & Information Compliance Manager, through the mailbox – from where it will be forwarded to the most appropriate department to deal with – and who will co-ordinate the request handling. Occasionally police officers will turn up in person.

If any part of the request is for information relating to IT use (e.g. access to student email), then the Records & Information Compliance Manager will contact the Information Security Manager in the first instance. This will be either by telephone, perhaps if the matter is sensitive, or by email to . The information will be supplied back to the Records & Information Compliance Manager by IT Services or the department which holds the information if the request needs to be forwarded.

2.3 How to respond

Responses should be supplied in the format specified by the applicant by the deadline, see ‘Replying’ below. The Records & Information Compliance Manager will decide, if necessary in consultation with other appropriate colleagues, what may be released, to whom and possible exemptions. The information supplied must be proportionate to the need described by the requesting party.

2.4 Replying

It is important to note that the above Sections of DPA allow third parties to make requests and allow personal data to be disclosed if all conditions are met, but they do not compel Queen Mary to provide information (unless made with a court order, see below). Details of the authority under which the request is made will always need to be supplied and recorded; a data processing condition from Schedule 2 and/or 3 of DPA will still need to be relied on to disclose (although sch. 2, condition 6 is not ideal). The nature and scope of disclosure must be necessary and proportionate to the aim to be achieved. Queen Mary takes seriously its obligations under Data Protection and Human Rights legislation but understands the need for other agencies to conduct their legitimate business or to combat fraudulent activity. It will ensure organisations can justify any request for, and Queen Mary can justify any subsequent release of, personal information.

The Records & Information Compliance Manager will reply usually by email from the data-protection mailbox. The date of response will be inserted on the Log1 spreadsheet and the row filled as red or green depending on whether the deadline has been met.

2.5 Records

All requests are filed in hardcopy by the Records & Information Compliance Manager and other information may be held at: N:\Council Secretariat\RIM Compliance\Data Privacy\SAR. Records are retained for three years from the date of completing a request by calendar year.

3. Mandatory disclosures

It is possible that parties, particularly the police, may make requests by issuing the College with a warrant or court order (or by citing legislation which mandates disclosure). The same procedure as above will be followed in this event, i.e. the Records & Information Compliance Manager must be informed and will co-ordinate the response as required. A warrant or court order (or applicable legislation) will compel production of the information as it will be exempt from the non-disclosure provisions of the DPA. No disclosure should take place before the Records & Information Compliance Manager has been consulted and verified the order.

4. Guidance

Please refer to the Data Protection Policy and its appendix and/or contact the Records & Information Compliance Manager, Paul Smallcombe.
