Procedures and Responsibilities for Responding to Subject Access Requests (SARs)

1. Introduction

This policy outlines the procedures and responsibilities for responding to Subject Access Requests (SARs) in accordance with the UK General Data Protection Regulation (UK GDPR), the EU GDPR, and the Data Protection Act 2018. It ensures that individuals can exercise their right to access personal data held about them by our organisation.

As part of our commitment to the Right2Thrive initiative, we recognise the importance of ensuring that all individuals have access to their personal data. The Right2Thrive initiative emphasises the fundamental right of individuals to thrive in a safe and supportive environment, which includes the protection and accessibility of personal information.

  • Empower Individuals: By providing clear and straightforward access to personal data, we empower individuals to understand and manage their information.
  • Ensure Transparency: We are committed to maintaining transparency in how personal data is collected, used, and shared, in accordance with the principles of the Right2Thrive initiative.
  • Support Well-being: Access to personal data is a key component of individual well-being, and our policy ensures that this access is granted in a timely and efficient manner.

We believe that integrating the principles of the Right2Thrive initiative into our Subject Access Request policy will enhance our commitment to protecting individual rights and promoting a culture of trust and respect.

2. Purpose

The purpose of this policy is to ensure that all SARs are handled in a consistent, transparent, and timely manner, while safeguarding the rights of data subjects and maintaining compliance with relevant legislation.

3. Scope

This policy applies to all employees, contractors, and third parties who process personal data on behalf of the organisation, regardless of their location.

4. What is a Subject Access Request?

A Subject Access Request is a written or verbal request made by an individual (data subject) to obtain confirmation of whether their personal data is being processed, access to that data, and supplementary information about the processing.

5. Receiving a Subject Access Request

  • A SAR can be made in writing, by email, or verbally to any member of staff.
  • All SARs must be forwarded immediately to the Data Protection Officer (DPO) or designated contact.
  • Record the date the request was received to ensure compliance with statutory timeframes.

6. Verifying the Identity of the Requester

Before disclosing any personal data, the identity of the requester must be verified to protect against unauthorised access. Acceptable forms of identification include a passport, driving licence, or other official documentation. If the request is made by a representative, written authorisation from the data subject must be provided.

7. Responding to a Subject Access Request

  • Respond without undue delay and within one month of receipt.
  • The response period may be extended by a further two months if the request is complex or numerous, but the data subject must be informed within one month.
  • Provide information including:
    • Whether personal data is being processed
    • Access to the personal data held
    • The purposes of processing
    • The categories of personal data concerned
    • The recipients or categories of recipients to whom the data has been or will be disclosed
    • Retention periods for the data
    • Rights to rectification, erasure, or restriction of processing
    • The right to lodge a complaint with the Information Commissioner’s Office (ICO) or Data Protection Commission (DPC)
    • The source of the data, if not obtained directly from the data subject

8. Exemptions and Refusals

Certain exemptions may apply, such as data relating to the prevention or detection of crime, or where disclosing the data would adversely affect the rights and freedoms of others. If a SAR is refused, the data subject must be informed of the reasons and their right to complain to the supervisory authority.

9. Fees

In most cases, SARs must be processed free of charge. A 'reasonable fee' may be charged for manifestly unfounded or excessive requests, or for additional copies of the data.

10. Record Keeping

A record of all SARs, including the nature of the request, the response provided, and any correspondence, must be maintained for audit and compliance purposes.

11. Training and Awareness

All staff must receive regular training on data protection, including how to recognise and respond to SARs in accordance with this policy.

12. Review and Updates

This policy will be reviewed annually or in response to significant changes in legislation or organisational procedures.

13. Contact Information

For any queries regarding this policy or to make a Subject Access Request, please contact:
Data Protection Officer
[Insert Organisation Name]
[Insert Address]
[Insert Email Address]
[Insert Phone Number]