Data protection: subject access request policy

Policy requirements

Upon receipt of data subject access request (DSAR)

Upon receiving a request staff are required to report this to the Data Protection Officer at dpo@catch-22.org.uk immediately. The DPO will work with relevant staff to:

• Verify whether Catch22 hold the data subject’s personal data. If Catch22 is not the controller, but merely a processor, inform the data subject and refer them to the controller. Catch22 will ensure that we support the controller promptly with any data that we hold on their behalf;
• Verify the identity of the data subject; if needed, request any further evidence on the identity of the data subject.
• Verify the access request; is it sufficiently substantiated? Is it clear what information is requested? If not: request additional information.
• Verify whether request(s) are unfounded or excessive (in particular because of their repetitive character); if so, Catch22 may refuse to act on the request or charge a reasonable fee.
• Promptly acknowledge receipt of the SAR and inform the data subject of any costs involved in the processing of the SAR
• Verify whether you process the data requested. If you do not process any data, inform the data subject accordingly. At all times make sure this policy is followed and progress can be monitored.
• Ensure data will not be changed as a result of the SAR. Routine changes as part of the processing activities concerned are permitted.
• Verify whether the data requested also involves data on other data subjects and make sure this data is redacted before the requested data is supplied to the data subject; if data cannot be redacted, ensure that other data subjects have consented to the supply of their data as part of the SAR or unless it is reasonable to disclose without the other person’s consent.

Charging a fee for requests

Fees can only be charged to the requester in two distinct instances, when the request is manifestly unfounded, excessive or repetitive or when there is a request for further copies of the same information. Unless these two scenarios apply, the information must be provided free of charge.

For further detail on charging fees please contact the DPO for guidance.

Responding to DSAR

In addition to providing the requester with their personal data, controllers are also required to provide them with the following information:

• The purpose of the processing
• The categories of the personal data concerned
• The recipients or categories of recipient to whom the personal data have been or will be, disclosed, in particular recipients in third countries or international organisations
• Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
• The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing
• The right to lodge a complaint with the Information Commissioners Office
• Where the personal data are not collected from the data subject, any available information as to their source
• The existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Data can be provided in both electronic and written format, depending on the requester’s preference and the viability of producing the data in that format. The requester’s data will be provided to them without undue delay and within one calendar month of the receipt of the request. This time period may be extended by an additional two further months, where necessary, taking into account the complexity and the number of requests. In instances where the organisation elects to extend the deadline, DPO’s will inform the requester of the extension and the reasons why the extension was taken.

Definitions

Personal data means data which relate to a living individual who can be identified either directly or indirectly –

• from those data, or
• from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Sensitive/Special Category personal data means personal data consisting of information as to –

• the racial or ethnic origin of the data subject,
• their political opinions,
• their religious beliefs or other beliefs of a similar nature,
• whether they are a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
• their physical or mental health or condition,
• their sexual life,
• the commission or alleged commission by them of any offence, or
• any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.

The presumption is that, because information about these matters could be used in a discriminatory way, and is likely to be of a private nature, it needs to be treated with greater care than other personal data. In particular, if we are processing sensitive personal data we must satisfy one or more of the conditions for processing which apply specifically to such data, as well as one of the general conditions which apply in every case.

Processing, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including –

• organisation, adaptation or alteration of the information or data,
• retrieval, consultation or use of the information or data,
• disclosure of the information or data by transmission, dissemination or otherwise making available, or
• alignment, combination, blocking, erasure or destruction of the information or data.

The definition of processing is very wide and it is difficult to think of anything an organisation might do with data that will not be processing.

Data subject means an individual who is the subject of personal data.  In other words, the data subject is the individual whom particular personal data is about. The Act does not count as a data subject an individual who has died or who cannot be identified or distinguished from others.

Data controller means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. A data controller must be a “person” recognised in law, that is to say:

• individuals;
• organisations; and
• other corporate and unincorporated bodies of persons.

Data controllers will usually be organisations, but can be individuals, for example self-employed consultants. Even if an individual is given responsibility for data protection in an organisation, they will be acting on behalf of the organisation, which will be the data controller.

In relation to data controllers, the term jointly is used where two or more persons (usually organisations) act together to decide the purpose and manner of any data processing. The term in common applies where two or more persons share a pool of personal data that they process independently of each other.

Data processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

Data controllers remain responsible for ensuring their processing complies with the Act, whether they do it in-house or engage a data processor. Where roles and responsibilities are unclear, they will need to be clarified to ensure that personal data is processed in accordance with the data protection principles.

A person is only a data controller if, alone or with others, they “determine the purposes for which and the manner in which any personal data are processed”. In essence, this means that the data controller is the person who decides how and why personal data is processed.

Inaccurate data, data are inaccurate if they are incorrect or misleading as to any matter of fact.

Personal data may not be inaccurate if it faithfully represents someone’s opinion about an individual, even if the opinion proves incorrect (for example, a doctor’s medical opinion about an individual’s condition). In these circumstances, the data would not need to be “corrected”, but the data controller may have to add a note stating that the data subject disagrees with the opinion.

Recipient, in relation to personal data, means any person to whom the data are disclosed, including any person (such as an employee or agent of the data controller, a data processor or an employee or agent of a data processor) to whom they are disclosed in the course of processing the data for the data controller, but does not include any person to whom disclosure is or may be made as a result of, or with a view to, a particular inquiry by or on behalf of that person made in the exercise of any power conferred by law.

Third party, in relation to personal data, means any person other than –

• the data subject,
• the data controller, or
• any data processor or other person authorised to process data for the data controller or processor.

Related policies

• Data Protection Policy Suite
• ISO 27001 Policy Suite