Right of access (RoA) / data subject access requests (DSAR) policy and procedure

Aims and scope of this policy and procedure

The purpose for this policy and procedure is to ensure that an individual can exercise their rights under Article 15 of the UK-GDPR and that each DSAR is treated equally within the law.

It is an offence under s.173 (3) of the Data Protection Act 2018 for the Data Controller, a person who is employed by the Data Controller, an officer of the Data Controller or subject to the direction of the Controller to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure.

s.196 (1)(a) of the Data Protection Act further states that anyone committing an offence under s.173 is liable on summary conviction in England and Wales, to a fine.

An individual has the right to request:

  • access to their data, subject to certain safeguards
  • copies of their records
  • have these records explained if they are illegible or unintelligible
  • to be informed of the purpose(s) their information is used for and the source(s) of that data
  • obtain confirmation from the Data Controller that it is processing their personal data
  • obtain certain information about the Data Controller’s processing including:
    • purpose of processing
    • categories of personal data processed
    • recipients or categories of recipients who receive personal data from the Data Controller i.e. payroll provider, pension provider etc. and in particular if the recipient is outside the EEA
    • retention rules of the organisation over their personal data
    • where the personal data has come from if not collected directly (third party)
    • whether or not there are any automated decision-making procedures and if so the consequences of this for the data subject
    • the rights to rectification, erasure, restriction, objection and making complaints to the ICO