Subject Access Requests Model Letters Pack University of Edinburgh
1
Data Protection Law: Subject Access Requests Model Letters Pack
Introduction
This pack contains model letters which may be used when processing subject access
requests made under Data Protection law. They are model letters and as such can be
altered to suit particular circumstances. The model letters should be used in conjunction
with the University’s request handling procedures:
• Dealing with a subject access requests
Contents
Introduction ........................................................................................................................... 1
Contents ............................................................................................................................ 1
Model letters included in this pack ..................................................................................... 2
Receiving and clarifying request .................................................................................... 2
Looking for the information ............................................................................................. 2
Obtaining and acknowledging the opinions of third parties ............................................. 2
Release and partial release ........................................................................................... 2
Refusal .......................................................................................................................... 2
About this guidance ........................................................................................................... 2
1. Acknowledgement ......................................................................................................... 3
2. Internal letter asking staff to search their records........................................................... 3
3. Obtaining the opinions of a third party (including referees) ............................................ 4
4: Acknowledgment of the third party’s consent to disclose the information ...................... 5
5: Acknowledgment of the consideration of the third party’s opinions regarding disclosure
of the information and explanation of decision reached ..................................................... 5
6: Obtaining a valid subject access request (fee and/or further information required) ....... 6
9: Verifying the identity of a data subject .......................................................................... 7
Telephone call to confirm the identity of an individual making a subject access request 8
10: Replying to a subject access request providing the requested information ................. 9
11: Release of part of the information, when the remainder is covered by an exemption
(excluding references – see letter 14) .............................................................................. 10
12: Replying to a subject access request explaining why you cannot provide any of the
requested information (excluding references – see letter 15) ........................................... 11
13. Replying to a subject access request explaining that only references received by the
University are liable for disclosure ................................................................................... 11
14: Replying to a subject access request explaining why you have only sent some of the
requested references ....................................................................................................... 13