Subject Access Policy
Purpose and Scope
The Data Protection Act 2018 (DPA) and General Data Protection Regulation (GDPR) allow an individual to make a request to the Councils for copies of all personal information we hold about them. This is known as a subject access request.
The Act gives individuals (known as data subjects) the right to request access and obtain copies of personal data about themselves.
Data subjects have access rights to their personal information irrespective of when the record was created. This is known as a subject access request.
The purpose of this policy is to outline how Chorley Council and South Ribble Borough Council (referred to as the Council) will manage subject access requests in compliance with UK GDPR and the Data Protection Act.
This policy applies to all staff as well as third parties and suppliers involved in the receipt, handling or sharing of information held by the Council.
Principles
Individuals have the right to request copies of their information that the Council may hold and to also request certain information relating to the processing of their information including:
- A description of the information.
- The purposes the information is used for.
- The disclosures that are made or might be made.
- The source of the data.
The Council are required to respond to Subject Access requests within one calendar month from receipt of the request.
Failure to do so is a breach of the Act and could lead to a complaint to the Information Commissioner's Office (ICO).
If it is anticipated that a request will take longer than this, the applicant must be informed, with an explanation of the delay, and a new deadline agreed.
Failure to comply with a request for subject access may be referred to the ICO.
Who can make a request?
Subject access requests can be made by:
- The individual themselves.
- Individuals requesting access on behalf of a child for whom they have parental responsibility.
- A representative nominated by the individual to act on their behalf such as solicitors or a relative, where there is valid consent by the individual granting this authority.
- In certain situations, a person granted an attorney or agent by the Court of Protection on behalf of an adult who is incapable of consent.
Roles and Responsibilities
The Council SIRO is the senior person responsible for ensuring personal information is kept protected and used appropriately.
Requests from employees shall be responded to in conjunction with the HR Department.
Requests received by the Council will be dealt with by the FOI team with support from Legal within 30 days.
All requests will be entered into a log, which will be maintained to monitor compliance.
Prior to the release of any information the Council must be satisfied as to the identity of the person making the request. No information will be released until this identification has taken place. No personal information should be provided over the phone.
The preferred format for submitting SARs is electronic. However, the Council recognises that a request may be in any format (verbal, email, social media, written etc.) and will manage all in the same way.
SARs will be undertaken free of charge unless the legislation permits reasonable fees.
This policy applies to all Officers, Councillors and third parties working on or on behalf of the Council.
Where a requestor is not satisfied with a response to a SAR, the Council will manage this as a complaint.
How is a SAR processed?
Step | Task | Responsible Team |
1 | On receipt of a subject access request you must forward it immediately to FOI. | ALL |
2 | The request will be checked to ensure it is within the scope of the Data Protection Act. | FOI, LEGAL |
3 | The request will be logged, acknowledged and the identity of the individual confirmed. | FOI |
4 | The 30 days will begin. | |
5 | The FOI team will email the relevant departments to request the information liaising with legal and the DPO as required. | FOI, ALL |
6 | Exceptions applied and communicated to requestor if required. | FOI, LEGAL |
7 | Collated information redacted (if required). | FOI |
8 | Information released to requestor. | FOI |
How do I confirm someone's identity?
Along with their address, the requestor must provide one of the following documents (scanned copies will be accepted):
Must be dated in the past 12 months | Must be dated in the last three months | |
Current UK/EEA Passport | State Benefits Entitlement Document | Financial Statement issued by bank, building society or credit card company |
UK Photocard Driving Licence (Full or Provisional) | State Pension Entitlement Document | Utility bill for supply of gas, electric, water or telephone landline |
EEA National Identity Card | HMRC Tax Credit Document | |
Full UK Paper Driving Licence | Local Authority Benefit Document | |
HMRC Tax Notification Document | State/Local Authority Educational Grant Document | |
Disabled Drivers Pass | ||
Judiciary document such as a Notice of Hearing, Summons or Court Order | ||
Most recent Mortgage Statement | ||
Most recent Council Tax Bill/Demand or Statement | ||
Tenancy Agreement | ||
Building Society Passbook which shows a transaction in the last 3 months and your address |
I have been asked to provide information for a SAR. What do I do?
You need to provide all personal information relating to the request. This includes but is not limited to: Emails (including Mimecast), electronic documents, databases, systems, removable media (for example memory sticks, floppy disks, CDs), tape recordings, paper records and any data which your area is responsible for or owns.
You must not withhold personal data. All data must be provided to the FOI team. They will determine alongside legal if exceptions apply.
Any data you provide needs to be in an intelligible form, e.g. any acronyms etc. must be clearly explained.
The personal data must be supplied in a permanent form except where the requestor agrees it is impossible or would involve undue effort. You may be able to agree with the requestor that they will view the personal data on screen or inspect files on our premises.
FOI must redact any exempt personal data from the released documents and explain why that personal data is being withheld.
What should I do if I receive a complaint relating to a SAR?
Step | Task | Responsible Team |
1 | Forward this to the FOI inbox. | ALL |
2 | The request will be logged, acknowledged and the identity of the individual confirmed. | FOI |
3 | Complaint investigated by Legal and DPO. | LEGAL, DPO |
4 | Information collated by FOI. | FOI |
5 | Referred to the ICO if required. | FOI, SIRO |
Data Processors and SARs
When procuring a service provider to undertake work on behalf of the Council, appropriate protocols must be agreed to ensure that data processors are aware of their responsibility to assist with requests and to provide information (where necessary) that they may hold relevant to a subject access request received by the Council.