Subject Access Request Procedure
Contents
1. Purpose
2. Scope
3. Procedure
4. Responsibilities & review
5. Version control and amendment history
6. Appendices
Appendix 1 - Replying to a subject access request providing the personal data requested
Appendix 2 - Release of part of the personal data when the remainder is covered by an exemption
Appendix 3 - Replying to a subject access request explaining why you cannot provide any of the requested data
1 Purpose
1.1 The purpose of this procedure is to outline the steps to be taken on receipt of a subject access request form.
2 Scope
2.1 This procedure will be used by council employees on receipt of a subject access request.
3 Procedure
3.1 This procedure is to be followed when an individual contacts Doddington and Whisby Parish Council to request access to their personal information held by the council. Requests must be completed within 1 month, so each request should be actioned as soon as it is received. Excessive or very large requests will be completed within 3 months.
3.2 Subject access requests (SARs) should be provided free of charge. However, a ‘reasonable fee’ will be charged when a request is manifestly unfounded or excessive, particularly if it is repetitive. Excessive requests which are estimated to take longer than 18 hours of work will incur a fee to cover administrative costs.
The steps below should be followed to action the request:
3.2.1 Determine if the subject access request is valid.
a) Is the request in writing? This can be by letter, email, social media or fax.
b) Has the person requesting the information provided you with sufficient information to allow you to search for the information? Further information can be requested from the individual if the request is perceived to be too broad.
3.2.2 Verify the identity of the person making the request
a) Officers must be confident that the person requesting the information is the person the information relates to.
b) The person making the request may be asked to confirm their identity and address.
c) Accepted forms of identification include passport, photo driving licence, utility bill or bank statement.
3.2.3 Determine where the personal information will be found
a) Consider the type of information requested and use the data processing map to determine where the records are stored. (Personal data is data which relates to a living individual who can be identified from the data (name, address, email address, database information) and can include expressions of opinion about the individual.)
b) If you do not hold any personal data, inform the requestor. If you do hold personal data, continue to the next step.
3.2.4 Screen the information
a) Some of the information you have retrieved may not be disclosable due to exemptions; however, legal advice should be sought before applying exemptions.
Examples of exemptions are:
• References you have given
• Publicly available information
• Crime and taxation
• Management information (restructuring/redundancies)
• Negotiations with the requestor
• Regulatory activities (planning enforcement, noise nuisance)
• Legal advice and proceedings
• Personal data of third parties
3.2.5 Determine whether all the information found can be disclosed
a) In some cases, emails and documents may contain the personal information of other individuals who have not given their consent to share their personal information with others. If this is the case, personal data relating to any other individual must be redacted before the SAR is sent out.
3.2.6 Prepare the SAR response (using the sample letters at the end of this document) and include as a minimum the following information:
a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipients to whom personal data has been or will be disclosed, in particular in third countries or international organisations, including any appropriate safeguards for transfer of data;
d) where possible, the envisaged period for which personal data will be stored, or, if not possible, the criteria used to determine that period;
e) the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
f) the right to lodge a complaint with the Information Commissioner’s Office (“ICO”);
g) if the data has not been collected from the data subject: the source of such data;
h) the existence of any automated decision-making, including profiling and any meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Personal data undergoing processing should also be included.
3.2.7 Information supplied in response to a SAR will be made in an intelligible form. Requests for information to be supplied in a particular format will be considered.
3.2.8 Maintain a log of all SARs received, recording the date the request was received, the identity of the data subject, a summary of the request, an indication of whether the Council can comply, and the date the information is sent to the data subject.
4 Responsibilities and review
4.1 The clerk to council is responsible for dealing with subject access requests, maintaining a disclosure log and keeping the council informed of any requests made.
4.2 This policy should be reviewed on a biennial basis or in response to changes in relevant legislation.
5 Version control and amendment history
Date approved | Version Number | Revision / amendments made | Review Date
23 September 2019 | 1.0 | New procedure | May 2021
August 2020 | 1.1 acc | Reformatted for accessible website | May 2021
May 2021 | 1.2 | Review | May 2023
6 Appendices
Appendix 1 - Replying to a subject access request providing the requested personal data
Doddington and Whisby Parish Council
[Name] [Address] [Date]
Dear [Name of data subject]
Data Protection subject access request
Thank you for your letter of [date] making a data subject access request for [subject]. We are pleased to enclose the personal data you requested.
Include 3.2.6(a) to (h) above.
Copyright in the personal data you have been given belongs to the council or to another party. Copyright material must not be copied, distributed, modified, reproduced, transmitted, published or otherwise made available in whole or in part without the prior written consent of the copyright holder.
Yours sincerely,
Clerk to Council
Appendix 2 - Release of part of the personal data, when the remainder is covered by an exemption
Doddington and Whisby Parish Council
[Name] [Address] [Date]
Dear [Name of data subject]
Data Protection subject access request
Thank you for your letter of [date] making a data subject access request for [subject]. To answer your request, we asked the following areas to search their records for personal data relating to you:
• [List the areas]
I am pleased to enclose [some/most] of the personal data you requested. [If any personal data has been removed] We have removed any obvious duplicate personal data that we noticed as we processed your request, as well as any personal data that is not about you. You will notice that [if there are gaps in the document] parts of the document(s) have been blacked out. [OR if there are fewer documents enclosed] I have not enclosed all of the personal data you requested. This is because [explain why it is exempt].
Include 3.2.6(a) to (h) above.
Copyright in the personal data you have been given belongs to the council or to another party. Copyright material must not be copied, distributed, modified, reproduced, transmitted, published, or otherwise made available in whole or in part without the prior written consent of the copyright holder.
If you are not happy with this response, you may contact the Information Commissioner’s Office.
Yours sincerely,
Clerk to Council
Appendix 3 - Replying to a subject access request explaining why you cannot provide any of the requested personal data
Doddington and Whisby Parish Council
[Name] [Address] [Date]
Dear [Name of data subject]
Data Protection subject access request
Thank you for your letter of [date] making a data subject access request for [subject].
I regret that we cannot provide the personal data you requested. This is because [explanation where appropriate].
[Examples include where one of the exemptions under the data protection legislation applies. For example, the personal data might include personal data that is ‘legally privileged’ because it is contained within legal advice provided to the council or is relevant to ongoing litigation or preparation for litigation. Other exemptions include where the personal data identifies another living individual or relates to negotiations with the data subject.
Your data protection officer will be able to advise if a relevant exemption applies and if the council is going to rely on the exemption to withhold or redact the data disclosed to the individual, then in this section of the letter the council should set out the reason why some of the data has been excluded.]
If you are not happy with this response, you may contact the Information Commissioner’s Office.
Yours sincerely,
Clerk to Council