SUBJECT ACCESS REQUEST PROCEDURE



INTRODUCTION

The purpose of this document is to explain subject access requests, outline a process and propose simple templates for review and approval by [Organisation name].

SCOPE

Any request in which a member of the public or a member of [Organisation name] staff asks for personal information relating to them to be provided in permanent form should be considered a subject access request.

Note that personal information requests are different from non-personal Freedom of Information (FOI) requests, which are handled differently. FOI applies only to some organisations, mostly government bodies, so most organisations do not need to worry about FOI.

Information is taken to encompass data, information and knowledge assets and is inclusive of all formats, whether paper, electronic or media-based.

This policy relates to information held by [Organisation name] and by any organisation providing services on behalf of [Organisation name] (i.e. data processors).

GDPR GUIDANCE AND SUBJECT ACCESS REQUEST

Under the GDPR, individuals will have the right to:
  1. confirmation that their data is being processed
  2. access to their personal data and
  3. other supplementary information
  • the purposes of the processing
  • the categories of personal data concerned
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing
  • the right to lodge a complaint with a supervisory authority
  • where the personal data are not collected from the data subject, any available information as to their source
  • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

FACTORS TO CONSIDER WHEN RESPONDING

  1. Is it a subject access request?
  2. Do you have enough information to be sure of the requester's identity?
  3. Do you need more information from the requester to find what they want?
  4. Do you have the information the requester wants?
  5. Will the information be changed between receiving the request and sending the response?
  6. Does it include information about other people?
  7. Are you obliged to supply the information?
  8. Does the information contain any complex codes or terms?

MAKING A REQUEST

Requests may be made on behalf of the data subject by someone such as a solicitor or a family member where they have legal authority (for example by virtue of a court order). Beware, for example, of giving information to someone who is a former or estranged partner seeking details about someone else.
Requests made on behalf of an individual must contain a letter of signed authorisation from the data subject in addition to the forms of identification.

If the requester is a current member of staff and the request is sent from a [Organisation name] email address, then no additional identification will be required.

LOGGING THE REQUEST

GDPR requires that all requests for personal information should be satisfied within 4 weeks ([Organisation name] will aim to respond within 30 calendar days, or 20 working days). It is therefore vital to log the request and record progress.

All requests for personal information received should be forwarded to the [Data Protection Role] as soon as they are received, who will log and acknowledge the request.

The period of 4 weeks may be extended by a further 8 weeks where necessary, taking into account the complexity and number of the requests, and the controller must inform the data subject of any such extension within 4 weeks of receipt of the request, together with the reasons for the delay.

All requests received in hard-copy format should be date stamped.

ACKNOWLEDGING THE REQUEST

All requests for personal information should be acknowledged within 3 working days by the [Data Protection Role].

In some cases, personal data may be difficult to retrieve and collate. If further information is reasonably required to find the personal data covered by the request, or to confirm the identity or authority of the person making the request (see above) then the [Data Protection Role] will request this in writing.

The [Organisation name] need not comply with the subject access request until this information is received.

The right of subject access applies whatever the motive of the data subject for seeking the information. Whilst we are allowed to clarify the request, we are not entitled to ask the data subject why they are seeking the information.

However, in many cases the information being requested may be available in the data subject's contract or Privacy Notice, and [Organisation name] may refer the data subject to this to confirm whether any further information is needed.

Once the above points have been satisfied, the statutory 30-day period for responding begins. At this stage the requester will be contacted in writing to inform them that we are satisfied with the request and to communicate the deadline date.

REQUESTS MADE ON BEHALF OF CHILDREN

The Data Protection (Jersey) Law specifies the age from which children may exercise or enforce their rights as 13. However, some 13-year-olds are very mature and some are less mature, and you should exercise extreme caution in releasing personal data about children.

Information Commissioner guidance does state that where data subjects are incapable of understanding or exercising their rights, for instance because they are too young, subject access requests can be made by parents or other persons who are legally able to act on behalf of the data subjects (for example, if they have an enduring power of attorney).

A parent or guardian does not have an automatic right of access to their dependants' records.

It is important that the request is made on behalf of the data subject, and not in the interests of the requester. The Data Processing Officer will decide on behalf of the Data Controller as to whether a request will be refused if it is felt that it is not in the best interests of the data subject to release this, and will document their decision.

Where requests are made on behalf of a child, the Data Processing Officer and the service area representative will consider whether the information was provided by the data subject in the expectation that it would not be disclosed to the person making the request, i.e. whether the information is covered by a common law duty of confidence.

REPEATED OR UNREASONABLE REQUESTS

The Data Protection (Jersey) Law does not limit the number of subject access requests an individual can make to any organisation. However, it does allow some discretion when dealing with requests that are vexatious.

Where requests from a data subject are manifestly vexatious, unfounded or excessive, in particular because of their repetitive character, the burden of proving this is on [Organisation name]. [Organisation name] may either:

(a) charge a reasonable fee, taking into account the administrative costs of providing the information or communication or of taking the other action requested, or
(b) refuse to act on the request.

COLLATION OF INFORMATION

All departments that handle personal and/or sensitive information are responsible for supporting the [Data Protection Role] in ensuring that requests are responded to promptly and appropriately and within the 4-week period (20 working days).

Requests for information from staff will be co-ordinated by the HR department and [Data Protection Role] who will request information from managers.

Managers should collate the information they hold and provide it to the [Data Protection Role] to send out within 4 weeks. This will ensure that the [Data Protection Role] is able to compile the information and approve any exemptions or redactions. However, all requests should be dealt with promptly and as a matter of priority.

Clear time scales must be given to third parties, officers and other professionals to respond to enquiries relating to the request.

The requested data must be supplied in intelligible and permanent form, unless this is not possible or would involve disproportionate effort.

Managers should search for the requested data on the relevant databases, computer or email systems, and in their paper filing systems, and print out or photocopy all the requested information. This may be delegated to another officer if appropriate.

They must then:

CHECK the material for any references to third parties.

CHECK that any acronyms or codes are explained.

DECIDE whether there are grounds for withholding any information under the exemptions.

Any decision to withhold information must be confirmed with the [Data Protection Role] and documented on the requester's file.

The [Data Protection Role] will then make the necessary redactions, and will ensure that an original copy is retained on file for audit purposes.

Managers should consider whether it is appropriate to offer the requester support to understand or read the information. This is especially relevant for requests for records which may include sensitive or specialist information.

Once the request (irrespective of whether it is from an individual and/or from a third party) has been received, no amendments or deletions must be made to the data that would not otherwise have been made. The data must not be tampered with in order to make it acceptable.

SENDING THE RESPONSE

All the information, irrespective of the originating department, should normally be sent as one response.

A covering letter should accompany the response and should detail the following:
  • the source of the information released
  • the organisation's purpose in processing this data
  • if information has been withheld, details of the exemption used
  • if no information has been found, a statement to that effect
  • details of any acronyms, special codes or specialist terms used within a document
  • the Records Management Officer's contact details in the event of further queries.

If information is posted, it must be sent by special delivery. Alternatively, the [Data Protection Role] will invite the customer/data subject into the office to collect it.
If information is emailed, it must be sent in an encrypted format, and recipients will be asked to contact [Organisation name] for the password.

COMPLAINTS

It is a requirement of GDPR that the data subject's rights (see above), including the right to complain, must be notified to the data subject in their contract or relevant Privacy Notice.

If an individual is unhappy with the process of providing the information, or feels that the information is incomplete, [Organisation name] will initially attempt a local resolution.

The [Data Protection Role] will in the first instance deal with any complaints, and will subsequently liaise with the relevant department manager.

If the complaint cannot be resolved satisfactorily, then [Organisation name] will recommend that the data subject contacts the Information Commissioner's Office directly.

INTERNAL ASSURANCE

An annual review of systems of internal control over handling requests will be conducted by the [Data Protection Role].

The conclusions of this review will be presented to the Board as part of data-protection governance.

TRAINING AND AWARENESS

Staff will be made aware of this procedure as part of GDPR Awareness and on a regular basis afterwards through the organisation's internal communications channels.

New staff will be informed of the procedure and GDPR Awareness through the mandatory training as part of the induction process.

Managers are responsible for ensuring that their staff are sufficiently aware of this procedure, of GDPR Awareness in general and of any associated guidance to carry out their role.