Privacy notice

When you submit a request for information to the University of Edinburgh under freedom of information, data protection or environmental information legislation, you provide information about yourself and the information you wish to receive. This privacy notice describes how we use the information the University holds about you to process your request.


We use this information for the following purposes:

1. To process requests

University staff use information about your request, including your identity, contact details and (where relevant) your relationship and interactions with the University, to process your request. These staff include those:

  1. whose role includes the management and co-ordination of the University’s response to information requests
  2. who hold information relevant to the processing of your request
  3. who are asked to contribute to the University’s response

Processing your request includes:

  • Establishing whether your request is valid and the University is obliged to answer it
  • Locating, retrieving, and collating information relevant to your request
  • Consulting individuals (for example staff and third parties) affected by your request
  • Identifying whether any of the information is already available to you and whether any of the information should be withheld from disclosure
  • Preparing the response to your request

If you have requested information about a member of staff, please note that, as outlined in our privacy notice for staff, the University will not normally disclose personal information.  Furthermore, we will inform or consult relevant staff if disclosure would not reasonably be expected, this may include sharing a copy of your request with them.

2. To process review or appeal requests

If you request a review of the University’s handling of your request, the University staff appointed to conduct the review use information about your request, including personal data about you described above, to scrutinise the handling of your request and to reconsider the University’s response.

If you submit a complaint or appeal to the Office of the Scottish Information Commissioner (OSIC) about the way we have handled your request for environmental or other information held by the University, we will share information about you, your request and its context with the OSIC.  If you submit a complaint or appeal to the Information Commissioner’s Office (ICO) about the way we have handled your request for personal information about yourself, we will share information about you, your request and its context with the ICO.

If the handling of your request is referred to a court of law, we will share information about you, your request and its context, with the Court and with our legal advisors.

3. To respond to your request and any review or appeal

We use the personal details you provide, including your contact details, to send you the University’s response.  The University normally replies using the method you used to submit your request; for example, if you submitted your request by email we will usually reply by email.  However, there are times when the type of information you have requested means that we need to make alternative arrangements; for example, if you have requested information about yourself we need to transmit it to you by a secure method.  Where this is the case, we will provide further details to you before we send the response.

4. To administer your request and keep a record of it

We keep records of all requests for information made under freedom of information, environmental information or data protection legislation.  This includes case folders containing our correspondence with you about your request and database records containing your name, contact details, a summary of your request and your relationship with the University (if known).  We use this information to ensure that the University complies with our legal obligations and can demonstrate and monitor our compliance.

Why we do this

We use information about you and your request to comply with our legal obligation to respond to requests for information, and to fulfil our public tasks under:

  • The Freedom of Information (Scotland) Act 2002 (‘FOISA’)
  • The Environmental Information (Scotland) Regulations 2004 (‘EISR’)
  • The General Data Protection Regulation, 27 April 2016 (‘UK GDPR’)
  • The Data Protection Act 2018 (‘DPA’)

Consequences of not providing information about yourself

If you request information about yourself under data protection legislation, we can only respond to your request if you provide us with enough information to locate and identify the information you want, and to verify your identity.  This is because we must not disclose information about you to the wrong person.

If you request other information held by the University under FOISA you must provide us with your real name, the name of anyone on whose behalf you are making the request, and a correspondence address.  If you do not provide this information, the University is under no obligation to provide the information you request and you will lose the right to appeal to the Scottish Information Commissioner if you are dissatisfied with the way the University has handled your request. The Scottish Information Commissioner provides guidance on this topic on their website. 

Scottish Information Commissioner Guidance on name of the requestor.

Data processors

We use the eCase software service provided by Fivium Limited as a data processor to help us manage information requests. 

eCase privacy notice

We sometimes use external law firms to help us resource the processing of subject access requests.

Information retention

Information Compliance Services dispose of request case folders ten years after the academic year in which we received your request, or (if your request relates to an ongoing relationship issue) the year in which the issue was resolved.  If a case folder may assist with the processing of current or future requests, we retain anonymised information about the request.

If your request is dealt with by a different department other than Information Compliance Services, they may apply a different retention period. This will normally be five years, unless your request relates to an ongoing relationship issue. 

Any questions?

If you have any questions about the way the University uses information about you and your request, please contact Information Compliance Services using the ‘contact us’ button at the top of this page.

Your rights

Details of your data protection rights and how to contact the University’s Data Protection Officer are published at:

Continued privacy notice


Version number Edited by Date
V09 Deputy Information Compliance Manager January 2021
V08 Deputy Information Compliance Manager October 2020
V07 Information Compliance Manager June 2019
V06 Information Compliance Manager May 2019
V05 Information Compliance Manager March 2019