The Data Protection Act contains many complex exemptions in a wide range of areas. Many exemptions apply only to particular aspects of the Act (such as notification) and not to other aspects (for example subject access), and they apply under different circumstances, which makes them particularly confusing and complex to understand.

Below is a summary of common exemptions that may apply to us:

  • The prevention and detection of crime (Section 29)
    The University may not be required to seek consent from data subjects if the purpose of the disclosure to third parties is to assist in the prevention or detection of crime.
  • Research, History and Statistics (Section 33)
    Data kept for research purposes can be kept for an indefinite period of time providing that the data subjects cannot be identified from the data. These kinds of data are also exempt from Subject Access Requests.
    For more information, see our Documents and Guidance page.
  • Examination marks (Schedule 7 Paragraph 8)
    The University is obliged to disclose examination marks either 40 days after the official publication of the results or 5 months after a request has been made, whichever is sooner.
  • Examination scripts (Schedule 7 Paragraph 9)
    Exam scripts are exempt from the data subject's access rights. However, it must be noted that comments made by examiners are not exempt and must be released if required by the data subject.
  • Confidential references (Schedule 7 Paragraph 1)
    Confidential references given by the University are exempt from Subject Access Requests. However, confidential references received by the University are not exempt and can be released under the Data Protection Act. Since references can be obtained by the data subject via the receiving organisation, we strongly advise individuals to be cautious about what information they disclose in references.
    For more information, see our Documents and Guidance page.
  • Information related to third parties
    Generally, personal data relating to third parties is exempt when responding to Subject Access Requests. It is important that we do not disclose third party personal data without permission while responding to a request. If we do come across this type of information, we would normally consult the third party and request permission to release the information. If the third party does not give consent to release the information, then we would usually either anonymise the information or remove the sections relating to the third party.
    For more information, see our Documents and Guidance page.