Right of access (RoA) / data subject access requests (DSAR) policy and procedure
Responding to requests
We are committed to good practice and high standards, and will record all data subject access requests (DSARs).
Received requests
A log of all requests received is maintained and will record:
- date the DSAR was received and date the response is due (normally within one calendar month of receipt)
- applicant details, and information requested
- exemptions applied in respect of information not to be disclosed
- details of decisions to disclose information without a data subject's consent
- details of information to be disclosed and the format in which it was supplied
- when and how the information was supplied, e.g. paper copy and the postal method used to send it, or electronic copy, the means of transfer and whether it was encrypted or not
Type of request
The first step will be to determine whether the individual’s request is to be treated as a:
- data subject access request (DSAR)
- Freedom of Information (FoI) request
- Environmental Information Regulations (EIR) request, or
- routine enquiry
Proof of identity
We must ensure adequate proof of identity of the applicant if they are asking for their own data.
Where a third party is asking on behalf of another, we must establish what authority the third party has, then obtain proof of identity of both the applicant and the data subject, before releasing the information requested.
It is important to carefully consider issues such as capacity and parental responsibility where a request relates to a child.
Acceptable forms of identification are listed in Appendix A.
If proof of identity has not been provided, the process and timing for a DSAR start only once identity has been established. Once identity has been confirmed, the documentation should be securely disposed of, as the purpose for processing it has been fulfilled.
Information needed
We must ensure adequate information has been received from the applicant to facilitate locating the information requested.
Preferably the applicant will complete the application form in Appendix B; however, we can complete it internally for our convenience.
Reviews
We then locate the required data from all sources and collate it ready for review by an appropriate member of staff. Advice can be sought from the Data Protection Officer (DPO).
This review is to ensure that the information is appropriate for disclosure, i.e. to ascertain whether any exemptions apply, for example whether:
- it contains information about other individuals
- it is likely to cause harm or distress if disclosed
- it is information to be withheld due to ongoing formal investigations
Exemptions
Details of exemptions are available. If further advice is needed, the DPO can determine to what extent data can be disclosed or whether the request is to be refused.
Information that is not held
Where the requested information is not held, we must inform the applicant in writing as soon as possible and, in any case, by the due date.
Copies of information
A copy of the information should be supplied in a permanent form, preferably in an electronic format.
Any electronic data that is sent to the applicant must be encrypted.
Before supplying any data, we must ensure that all copies are watermarked with ‘Data Subject copy’.