Data Subject Access Request Policy

1. Introduction

1.1. The Data Protection Act 2018 (the Act) and the General Data Protection Regulation (GDPR) provide Data Subjects the right, subject to certain exceptions, to view and/or obtain a copy of all personal data that a Data Controller holds about them.

1.2. Arun District Council (the Council) has a statutory duty to comply with the requirements of both the Act and the GDPR as a Data Controller.

1.3. The Information Commissioner’s Office (ICO) is responsible for regulating and enforcing the Act and the GDPR.

Document control

Document owner: Lindsey Reeves, Information Governance Officer

Version: V3

Date: 09 January 2020

Version history

| Date | Version number | Revision notes | Author |
| 150819 | V1 | Draft created | Lindsey Reeves |
| 110919 | V2 | Draft updated | Lindsey Reeves |
| 250919 | V3 | Final Draft updated | Lindsey Reeves |

| Date | Version number | Approved by |
|  | V3 | Liz Futcher, Data Protection Officer |

2. Aim

2.1. The aim of this policy is to demonstrate the Council’s compliance with the principles of the Act and the GDPR.

2.2. The policy also aims to demonstrate that the Council understands its responsibilities for promoting accountability and good governance and has put appropriate technical and organisational measures in place to ensure adherence.

3. Scope

3.1. The policy applies to:

3.1.1. All personal data processed by the Council regardless of format.

3.1.2. Any individual processing of personal data held by the Council.

4. Definition of Terms

4.1. The following definitions shall apply as defined by the Act and the GDPR:


Information which:

  • a) is being processed by means of equipment operating automatically in response to instructions given for that purpose;
  • b) is recorded with the intention that it should be processed by means of such equipment;
  • c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, i.e. a highly structured readily accessible paper filing system; Arun District Council Data Subject Access Request Policy V3 200109
  • d) does not fall within the above but forms part of an accessible record, i.e. a housing record; or
  • e) is recorded information held by a public authority and does not fall within any of the above paragraphs.

Personal Data

Information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. Personal identifiers can include a name, identification number, location data or online identifier.

Special Category Data (defined under the GDPR)

Sensitive information about an individual’s

  • race
  • ethnic origin
  • politics
  • religion
  • trade union membership
  • genetics
  • biometrics (where used for ID purposes)
  • health
  • sex life
  • sexual orientation


Obtaining, recording or holding the information or data, or carrying out an operation or set of operations on the information or data.

Data Subject

An individual who is the subject of the personal data

Data Controller

A person who alone, jointly or in common with other persons, determines the purposes and means of processing personal data. A Data Controller may also act jointly with another organisation to process personal data. The controller must ensure contracts with any processors comply with GDPR obligations.

Data Processor

Any person, other than an employee of the Data Controller, who is responsible for processing personal data on behalf of the data controller. The processor will have a legal liability if they are responsible for a breach.

Data Subject Access Request (DSAR)

The right of a Data Subject to have access to their own personal data as defined in the Data Protection Act 2018 Chapter 2 (45).

5. Roles & Responsibilities

5.1. The following roles and responsibilities shall be in place:

Roles and responsibilities
Role Responsibilities
Data Protection Officer (DPO)

Holds overall responsibility for Data Subject Access Requests across the Council.

Will delegate to the Information Management Team on a day-to-day basis.

Information Management Team

Co-ordinate Data Subject Access Requests and ensure they are responded to in accordance with statutory requirements and timeframes.

Liaise across the Council to locate all relevant information.

Review all submitted data to check if records contain information relating to another individual, or information provided by a third party who can be identified from the entry. Make appropriate redactions where necessary.

Alert the DPO to any issues arising that may impact the delivery of the Data Subject Access Request.

Group Heads/Operational Managers

Supporting the Data Subject Access Request process by: -

  • Providing a point of contact for the Information Management Team

Either manage or delegate the following: -

  • Co-ordinate the retrieval of data
  • Ensure timescales are met
  • Highlight required redactions on third party data where appropriate
  • When necessary, make judgements as to whether release of certain data is likely to prejudice the effectiveness of carrying out statutory duties (e.g. planning issues) or consider whether a breach of confidentiality may occur if data is disclosed.
  • Confer on final judgements as to which data items should be withheld from disclosure following consultation with the Information Management Team.

All Council Staff

Immediately refer any Data Subject Access Request to the Information Management Team at

6. Children under 18 years

6.1. If a child is too young to understand Subject Access rights, data about them remains their personal data and does not belong to anyone else, such as a parent or guardian. In the case of young children these rights are likely to be exercised by those with parental responsibility for them. Proof of parental responsibility is required when an adult requests a child’s data. Officers should be alert to any situation where there may be conflict between different persons who hold parental responsibility for the child.

6.2. Before responding to a DSAR for information held on a child, consideration will be given as to whether the child is mature enough to understand their rights (normally from the age of 12 years). If they are sufficiently competent, we will consult the child or seek the child’s consent for disclosure to the person with parental responsibility who is making the request.

7. Third Party Requests

Where a legal, financial or other professional company (acting as a Third Party) requests access on behalf of a client they are representing, they must provide the signed consent of their client. Proof of the client’s identity should be obtained by the Third Party. We reserve the right to check with the client/Data Subject that they are happy to proceed on the basis that the Third Party receives the personal data and explain the implications of the request. If reasonable doubt remains about the validity of the consent, the request will not be processed until we are satisfied.

8. Access on behalf of a Mentally Incapacitated Adult

Where an individual or organisation submits a Data Subject Access Request on behalf of a vulnerable person who lacks capacity, care will be taken to ensure there is an appropriate authority in place such as a valid power of attorney or court order.

9. The Process

9.1. Applications should be made in writing, preferably using the online form accessible here which assists us in collating the relevant data. We do not insist on its use.

9.2. We will make any reasonable adjustments to support the process for those with a disability or difficulty in making a DSAR, such as accepting verbal requests or providing information in an accessible format.

9.3. Applicants must provide two forms of identity, one of which should be photo ID such as passport or driving licence and the other a recent utility bill or similar not more than 3 months old.

9.4. SAR applications will be acknowledged in writing or by email and a completion date provided.

9.5. The statutory time period for compliance is one calendar month from receipt of a valid request. This can be extended by a further two months where a request is complex. If this is necessary, we will inform the individual within one month of receipt of the request and explain why. The time limit will not begin until all identification and any relevant consent/clarification is received.

9.6. All paper files, email systems, electronic databases and storage will be considered for data retrieval.

9.7. Data must be prepared to ensure only appropriate data is disclosed, via redaction.

9.8. Records can be sent by encrypted email if requested, and if the size of the files allows. If a paper copy is requested, arrangements will be made with the requester as to how this can be securely delivered or collected.

9.9. A record of the request, its current status and completion will be recorded in an electronic system for legal and statistical purposes.

10. Relevant Council Policies

10.1. This policy should be read in conjunction with the following documents:

  • 10.1.1. Information Security Policy
  • 10.1.2. Privacy Policy
  • 10.1.3. Homeworking Policies
  • 10.1.4. Clear Desk/Clear Screen Policy
  • 10.1.5. Documentation Retention & Disposal Policy
  • 10.1.6. Human Resources Data Protection Policy
  • 10.1.7. Data Protection Policy