Subject Access Request Policy
1. Introduction and purpose
The Data Protection Act 2018 (the Act) gives individuals rights of access to their personal records held by Antrim Enterprise Agency. Subject access is a fundamental right for individuals. But it is also an opportunity for the enterprise centre to provide excellent customer service by responding to Subject Access Requests (SARs) efficiently and transparently and by maximising the quality of the personal information you hold. This Policy explains how Antrim Enterprise Agency will fulfil its obligations under the Act.
2. Policy Statement
Antrim Enterprise Agency regards the Act as an important mechanism in achieving an honest, safe and open relationship with its customers and employees.
Subject access is most often used by individuals who want to see a copy of the information Antrim Enterprise Agency holds about them. However, subject access goes further than this and an individual is entitled to be:
- Told whether any personal data is being processed;
- Given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;
- Given a copy of the personal data; and
- Given details of the source of the data (where this is available).
The aim of this policy is to ensure that Antrim Enterprise Agency complies with its legal obligations under the Data Protection Act 2018 and can evidence that you have done so. It also aims to ensure that you:
- Have robust processes in place for dealing with SARs, saving time and effort;
- Increase levels of trust and confidence by being open with individuals about the personal information you hold;
- Improve the transparency of your activities in line with public policy requirements.
This policy should be read in conjunction with the Subject Access Request Procedure.
3. Scope of the Policy
This document outlines how an applicant can make a request for their personal information under the Act and how it will be processed.
This is not a legal document. It does not confer rights nor override any legal or statutory provisions which either require or prevent disclosure of personal information.
This document takes into account the key features of the Act and outlines how Antrim Enterprise Agency will take steps to ensure compliance in relation to requests for personal information.
4. Key Definitions
| Term | Definition |
| --- | --- |
| Subject Access Request or SAR | A request for access to data by a living person under the Act is known as a Subject Access Request or SAR. All records that contain the personal data of the subject will be made available, subject to certain exemptions. |
| Personal Data | Personal data means data which relates to a living individual who can be identified directly or indirectly from the data, particularly by reference to an identifier. Personal data can be factual (such as a name, address or date of birth) or it can be an opinion (such as a performance appraisal). |
| Data Controller | The organisation which determines the purposes for which, and the manner in which, any personal data is processed is known as the data controller. Antrim Enterprise Agency is the data controller of all personal data used and held within each part of Antrim Enterprise Agency. |
| Data Processors | Organisations or individuals who process personal data on behalf of a data controller are known as data processors. Employees of data controllers are excluded from this definition, but it could include suppliers which handle personal data on our behalf. |
| Data Subject | A living individual who is the subject of personal data is known as the data subject. This need not be a UK national or resident. Provided that the data controller is subject to the Act, rights with regard to personal data are available to every data subject, whatever their nationality or residence. |
| Third Party | An individual who is not the subject of the data but may be connected to or affected by it is known as a third party. |
5. Duties of the Information Commissioner’s Office
The Information Commissioner’s Office is the UK’s independent public body set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals, ruling on complaints and taking appropriate action when the law is broken.
The Information Commissioner’s Office is responsible for ensuring compliance with the Act and data protection in practice for all organisations in England, Scotland, Northern Ireland and Wales.
There are a number of tools available to the Information Commissioner’s Office for taking action to change the behaviour of organisations that collect, use and keep personal information. They include criminal prosecution, non-criminal enforcement and audits. The Information Commissioner also has the power to serve a monetary penalty notice on a data controller for breaches of the Act.
If organisations are found to be in breach of the Act, the Information Commissioner’s Office may issue undertakings committing an organisation to a particular course of action in order to improve its compliance.
The Information Commissioner’s Office can serve enforcement notices and ‘stop now’ orders where there has been a breach, requiring organisations to take (or refrain from taking) specified steps in order to ensure they comply with the law.
The Information Commissioner’s Office conducts consensual assessments (audits) to check that organisations are complying. In cases of serious breaches the Information Commissioner’s Office may issue a monetary penalty notice, requiring organisations to pay a fine of up to €20 million.
The Information Commissioner’s Office can prosecute those who commit criminal offences under the Act. This includes organisations and individuals.
6. Roles and Responsibilities
Adhering to the Data Protection Act 2018 is the responsibility of every member of staff acting for or on behalf of Antrim Enterprise Agency. Subject Access requests fall within the data protection statutory framework and the ability to identify and appropriately handle a request for information is considered to be part of every employee’s role.
Your primary responsibility is to ensure that Subject Access Requests are in the first instance directed to the Data Protection Officer. It is important that requests are processed as soon as they are received to assist in meeting the statutory deadline.
7. How can an individual make a SAR?
A valid SAR must always be made in writing. Most SARs are made by clients and members of staff via email or post.
It is quite common that a request for personal data can be linked with a complaint.
NOTE: No matter how a request is received there is no requirement for the requester to mention either the Data Protection Act or Subject Access for it to be a valid request. In some cases the requester may even state the wrong legislation e.g. Freedom of Information Act, but the request will still be valid.
Either way, it is the responsibility of the staff member dealing with the request to recognise a request as one for personal data, i.e. information relating to the requester, and process it accordingly. Failing to recognise a SAR is not an excuse for non-response, and Antrim Enterprise Agency will still fall foul of the Data Protection Act should a response not be provided in a prompt and appropriate manner.
8. Can individuals request personal information on behalf of another person?
Yes, they can. The Act allows an individual to make a request on behalf of another person. This may be a solicitor acting on behalf of the individual, a parent making a request for their child’s information, a third party making the request for someone who has limited capacity, or someone acting for many other reasons. However, whilst the Act allows us in certain circumstances to process a request in this way, there are a number of considerations and checks that need to be undertaken before you process a request made on behalf of another person. For example, a parent is not automatically entitled to information about their children. Further information with regards to SARs made on behalf of another person can be found in the Subject Access Procedure.
9. How long do we have to respond?
Antrim Enterprise Agency has a maximum of one month, starting from the day the request and identification (if required) are received. This is a statutory requirement which must be adhered to. In exceptional circumstances an extension can be agreed.
10. Can I charge for the request?
In most cases you cannot charge a fee to comply with a subject access request. However, where the request is manifestly unfounded or excessive you may charge a “reasonable fee” for the administrative costs of complying with the request. The fee must be based on the administrative cost of providing the information.
11. What do I do if I receive a request?
In practice, if someone wants to see a small part of their data you need to apply common sense. You should not require a formal SAR if the individual can prove their identity, the information is readily available there and then, and no other third party data will be unreasonably released. Such requests should be dealt with quickly, as business as usual and with little formality.
All other (“non-routine”) requests for personal data which are likely to take a reasonable amount of resource must be directed to the Data Controller and be logged.
12. How do I locate the information requested?
Requests for information are not limited to “live” files. SARs cover all information held by Antrim Enterprise Agency regardless of the format it is in or where it is stored. Closed, archived and, in some cases, even deleted information (e.g. items located in the Outlook Deleted Items folder) should be considered as part of a request.
Unfortunately, there is no outright exemption or time threshold with regards to the amount of time it may take members of staff to locate SAR information. Further information with regards to resource intensive or complex SARs can be found in the Subject Access Procedure.
13. Can I provide all information found relating to the data subject?
The simple answer is no.
Antrim Enterprise Agency must consider whether it is possible to comply with the SAR without revealing information that relates to and identifies a third party individual or any other exempt information.
Examples of third party information that cannot be shared routinely without specialist consideration are:
- Safeguarding concerns which may contain information about multiple children including siblings and estranged parents
- Files containing legally privileged information
- Employee files containing information identifying managers or colleagues who have contributed to (or are discussed in) that file.
Special consideration should be given to sharing this type of information.
14. How do I respond to a SAR?
Once all of the information has been collated (duplicates and third party information have been removed or redacted and a double check has been carried out), the information will be provided either in paper copy, electronically or during a meeting with the Data Subject, and sent securely.
Antrim Enterprise Agency is required to provide the copies in a format requested by the data subject. For further information on how to respond securely to a SAR please refer to the Subject Access Request Procedure.
15. Complaints
Antrim Enterprise Agency will provide a right of complaint to all applicants in the event they are dissatisfied with the handling of their request. If an applicant is unhappy with the service they have received, they should in the first instance contact Richard Cairns, Data Protection Officer.
The Data Protection Officer will make an independent assessment of the case. If the applicant remains dissatisfied they may ask the Information Commissioner’s Office to carry out an independent investigation.
15.1 Complaining to the Information Commissioner’s Office
If an applicant is not satisfied with the outcomes of Antrim Enterprise Agency’s decisions, they have the right to submit a complaint to the Information Commissioner’s Office. The Information Commissioner’s Office will make an initial assessment of the case before carrying out an investigation.
The Information Commissioner’s Office has written guidance notes for applicants on how to complain to the Information Commissioner’s Office and published them on its website, www.ico.gov.uk.
16. Related Policies
- Information and Record Management Policy
- Data Privacy Notice
- Data Breach Policy
- Social Media Policy
17. Review of the Policy
This policy will be reviewed as a minimum every 2 years to ensure that Antrim Enterprise Agency meets statutory requirements and any codes of practice made under the Act.