Subject access request policy (GDPR compliant)
Under the General Data Protection Regulation (GDPR), you have a right to receive confirmation that an organisation processes your personal data, and also a right to access that data so that you may be aware of it and are able to verify the lawfulness of the processing. The process for doing so is called a subject access request and this policy sets out the procedure to be undertaken when such a request is made by you regarding data processed about you by the Company.
What is personal data?
“Personal data” is any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier, including your name.
“Special categories of personal data” includes information relating to:
• race
• ethnic origin
• politics
• religion
• trade union membership
• genetics
• biometrics (where used for ID purposes)
• health
• sex life or
• sexual orientation.
Information you are entitled to
When you make a subject access request, you will be informed of:
• whether or not your data is processed and the reasons for the processing of your data
• the categories of personal data concerning you
• where your data has been collected from if it was not collected from you
• anyone who your personal data has been disclosed to or will be disclosed to, including anyone outside of the EEA and the safeguards utilised to ensure data security
• how long your data is kept for (or how that period is decided)
• your rights in relation to data rectification, erasure, restriction of and objection to processing
• your right to complain to the Information Commissioner if you are of the opinion that your rights have been infringed
• the reasoning behind any automated decisions taken about you.
Making a subject access request
Subject access requests must be made in writing and can be made in either hard copy format or electronically. Your line manager can provide you with a form for making a request, though making a request in this format is not a requirement. Including specific details of the data you wish to see in your request will enable a more efficient response from the Company. We may need to contact you for further details on your request if insufficient information is contained in the original request.
Requests may be made by you personally or by a third party, e.g. a solicitor acting on your behalf. We will request evidence that the third party is entitled to act on your behalf if this is not provided at the same time as the request is made.
Upon receiving a subject access request
The Company will comply with your request without delay and at the latest within one month unless one of the following applies:
• in some cases, we will be unable to supply certain pieces of information that you have requested. This may be because it is subject to legal privilege or relates to management planning. Where this is the case, the Company will inform you that your request cannot be complied with and an explanation of the reason will be provided
• we require extra time because the requests are complex or numerous. In these circumstances, the Company will write to you within one month of receipt of your request to explain why an extension is required. Where an extension is required, information will be provided within three months of the request.
Before supplying the data (where appropriate) we may contact you asking for proof of identity. You must produce this evidence for your request to be complied with.
Your request will normally be complied with free of charge. However, we may charge a reasonable fee if the request is manifestly unfounded or excessive, or if it is repetitive. In addition, we may charge a reasonable fee if you request further copies of the same information. The fee charged will be based on the administrative cost of providing the information requested.
Refusing a request
The Company may refuse to comply with a subject access request if it is manifestly unfounded or excessive, or if it is repetitive. In these circumstances, we will write to you without undue delay and at the latest within one month of receipt to explain why we are unable to comply. You will be informed of the right to complain to the Information Commissioner and to a judicial remedy.
Enforced subject access requests
Forcing employees to obtain information via a subject access request, usually in relation to an individual’s criminal record, is a criminal offence. No employee of the Company will be required to make a subject access request.