Right of access (RoA) / data subject access requests (DSAR) policy and procedure

Responding to requests

We are committed to good practice, high standards and will record all DSAR requests. A log of all requests received is maintained and will record:

  • date the DSAR was received and date the response is due (normally within one calendar month of receipt)
  • applicant details, and information requested
  • exemptions applied in respect of information not to be disclosed
  • details of decisions to disclose information without a data subjects consent
  • details of information to be disclosed and the format in which they were supplied
  • when and how supplied, e.g. paper copy and postal method used to send them, or electronic and the means and whether encrypted or not

The first step will be to determine whether the individual’s request is to be treated as a DSAR, FoI, EIR or routine enquiry.

Ensure adequate proof of identity of the applicant if they are asking for their own data, or where this is a third party asking on behalf of another establish what authority the third party has, then obtain proof of identity of both the applicant and the data subject before releasing the information requested. Consider carefully issues such as capacity and parental responsibility where a request relates to a child.

A list of acceptable identification is listed in Appendix A. If proof of identity has not been provided the process and timing for a DSAR only starts following the establishment of identity. Once identity has been confirmed the documentation should be securely disposed of as the purpose for the processing of it has been fulfilled.

Ensure adequate information has been received from the applicant to facilitate locating the information requested. Preferably the application form detailed on Appendix B will be completed by the applicant, however, internally we can complete this for our convenience.

Locate the required data from all sources and collate it ready for review by an appropriate member of staff. Advice can be sought from the Data Protection Officer (DPO).

This review is to ensure that the information is appropriate for disclosure, i.e. to ascertain whether any exemptions apply, for example:

  • it does not contain information about other individuals
  • it is likely to cause harm or distress if disclosed
  • it is information to be withheld due to ongoing formal investigations

Details of exemptions are available. If further advice is needed, the DPO can determine to what extent data can be disclosed or whether the request is to be refused.

Where the requested information is not held, inform the applicant in writing, as soon as possible, but in any case, by the due date.

A copy of the information should be supplied in a permanent form, preferably in an electronic format. Any electronic data that is sent to the applicant must be encrypted. Before supplying any data, ensure that all copies are watermarked with ‘Data Subject copy’.