1. What is This Policy for?
This policy details what will happen and how we will respond to a Subject Access Request (‘SAR’) under the General Data Protection Regulation (EU) 2016/679 (‘the GDPR’) and the Data Protection Act 2018 (‘DPA’).
2. What is the GDPR and a Subject Access Request?
The GDPR sets out how organisations must handle personal data. Article 15 of the GDPR gives individuals the right to be told what information an organisation is holding about them and to receive a copy of that information upon request, unless an exemption applies.
3. What is our General Policy?
We are committed to complying with individuals’ requests for information made under the GDPR and we will respond to all reasonable requests for information that are not subject to specific exemptions as set out in the GDPR or the DPA.
4. How Can You Make a Subject Access Request?
A subject access request must be made in writing. To make a subject access request you should write to our Data Protection Officer at the address below providing the following information:
5. How and Where to Send Your Subject Access Request
Please send your request or your completed Subject Access Request Form to our Data Protection Officer, Claire Rybczynski, who can be reached at 6 Knowsley Place, Angouleme Way, Bury, BL9 0EL or e-mail a copy of the form to firstname.lastname@example.org.
We will process your subject access request in accordance with the GDPR and the DPA and provide you with a response within 1 month of receipt of all the relevant information detailed above.
6. What will we do When We Receive your Subject Access Request?
Verify Your Identity
We will need to verify your identity. This may be done by you attending our office with two forms of identification documents or by you providing us with two copies of your identification documents which have been certified as being valid. When you make your subject access request, we will contact you to discuss the best way in which you can verify your identity.
If you are making a subject access request on behalf of someone else, you will need to provide evidence that the individual has given consent for you to receive their personal information. This can be done by a letter of consent signed on behalf of the individual or in the form of a power of attorney.
Retrieve Your Information
Once we have verified your identity, we will need to check we have received enough information from you to gather the information you have requested. If we do not have enough information, we will get in touch with you to request the further information. We will ask you for any further information promptly.
We will then search all our relevant paper and electronic records to locate the information you have requested. We will also speak to members of staff who might hold information about you.
Review Your Information
Once we have carried out our searches and located the information you have requested, we will review that information to establish whether or not it can be released to you. In particular, if the information we have located contains information which relates to third parties, we may have to write to them to ask whether there is any reason why this information cannot be disclosed to you. If the third party refuses to give us consent to disclose the information to you, we may need to seek legal advice about what action we should take.
Additionally, where the located information contains third party information we may have to anonymise the information that contains details of third parties. We may do this by ‘editing’ or ‘redacting’ documents so that you will be unable to see third party details or information that might affect somebody else’s privacy. We may also summarise information that contains third party details rather than provide a copy of the whole document.
We will also need to review the located information to see whether an exemption under the DPA applies. The DPA contains a number of exemptions to the duty to disclose personal information as part of a subject access request. Examples of possible exemptions include information that is covered by legal profession privilege, information that would prejudice the prevention or detection of a crime or confidential references we have provided.
Respond to Your Subject Access Request
Once we have reviewed the relevant information and determined that we can disclose the information to you, we will send you a copy of the information in a permanent form (unless we have agreed otherwise).
7. Can we Charge a Fee for Responding to a Subject Access Request?
Under the GDPR, we cannot charge a fee for standard subject access requests.
However, the GDPR does allow us to charge a ‘reasonable fee’ where a request is unfounded or excessive. This will usually mean that the request is repetitive.
We are also entitled to charge a reasonable fee to comply with any requests you make for further copies of the same information. Any fee charged for the additional copies of information will be based on the administrative costs of providing you with the information.
8. What is the Timeframe for Responding to Subject Access Requests?
We have 1 month to respond to your subject access request. This timeframe will begin from the date we receive all the information necessary to verify your identity. There are certain circumstances where we can extend this timeframe. We will notify you if it is necessary for the timeframe to be extended.
9. Are there any Circumstances where we can Refuse to Respond to a Subject Access Request?
Unfounded or Excessive Requests
We can refuse to respond to your subject access request if we believe that your request is manifestly unfounded or excessive. If we do refuse to respond to your request on this basis, we will explain to you the reasons why we will not deal with your request and provide you with information about your right to complain to the Information Commissioner’s Office (‘ICO’) about our handling of your request.
The DPA contains certain exemptions to the right to access personal information. Examples of possible exemptions include information that is covered by legal profession privilege, information that would prejudice the prevention or detection of a crime or confidential references we have provided.
10. What if there is an Error in your Personal Information?
If you notice an error in the personal information we have provided to you in response to your subject access request, please contact the Data Protection Officer and ask us to rectify the error. We will review your request to rectify the information. If we agree that the information is inaccurate, we will rectify the error and erase the inaccurate information if possible.
11. What if you Want us to Stop Processing your Personal Information?
Under Article 21 of the GDPR, you have the right to object to us processing your personal information altogether in certain circumstances. If you want to exercise your right to object to us processing your personal information, please contact the Data Protection Officer and we will consider whether or not we can comply with your request.
12. What if you are Unhappy with our Response to your Subject Access Request?
If you are unhappy with our response to your subject access request, you may ask us to conduct an internal review of our decision to respond to you in that way. If you do wish to make a complaint to us about the way in which we have responded to your subject access request and request an internal review, please contact our DPO, Claire Rybczynski.
If you are still dissatisfied following our internal review, you can complain to the Information Commissioner using the details below:
0303 123 1113 (local rate) or 01625 545 745
Please note you are able to make a complaint to the Information Commissioner’s Office without first going through our internal procedure.