Data Subject Access Request Procedure

Data Subject Access Request Procedure

Down­load and print the con­tent on this page

 

1.     Scope, Purpose, and Users

This pro­ce­dure sets out the key fea­tures regard­ing han­dling or respond­ing to requests for access to per­son­al data made by data sub­jects, their rep­re­sen­ta­tives or oth­er inter­est­ed par­ties. This pro­ce­dure will enable iCon­nect (fur­ther: “Com­pa­ny”) to com­ply with legal oblig­a­tions, pro­vide bet­ter cus­tomer care, improve trans­paren­cy, enable indi­vid­u­als to ver­i­fy that infor­ma­tion held about them is accu­rate, and increase the lev­el of trust by being open with indi­vid­u­als about the infor­ma­tion that is held about them.

This pro­ce­dure applies broad­ly across all enti­ties or sub­sidiaries owned or oper­at­ed by the Com­pa­ny but does not affect any state or local laws or reg­u­la­tions which may oth­er­wise be applicable.

This pro­ce­dure applies to employ­ees that han­dle data sub­ject access requests such as the Data Pro­tec­tion Officer.

 

2.     Reference Documents

• EU GDPR 2016/679 (Reg­u­la­tion (EU) 2016/679 of the Euro­pean Par­lia­ment and of the Coun­cil of 27 April 2016 on the pro­tec­tion of nat­ur­al per­sons with regard to the pro­cess­ing of per­son­al data and on the free move­ment of such data, and repeal­ing Direc­tive 95/46/EC)
• Per­son­al Data Pro­tec­tion Policy
• [rel­e­vant local legislation]

 

3.     Data Subject Access Request (“DSAR”)

A Data Sub­ject Access Request (DSAR) is any request made by an indi­vid­ual or an individual’s legal rep­re­sen­ta­tive for infor­ma­tion held by the Com­pa­ny about that indi­vid­ual.  The Data Sub­ject Access Request pro­vides the right for data sub­jects to see or view their own per­son­al data as well as to request copies of the data.

A Data Sub­ject Access Request must be made in writ­ing. In gen­er­al, ver­bal requests for infor­ma­tion held about an indi­vid­ual are not valid DSARs. In the event a for­mal Data Sub­ject Access Request is made ver­bal­ly to a staff mem­ber of the Com­pa­ny, fur­ther guid­ance should be sought from Data Pro­tec­tion Offi­cer, who will con­sid­er and approve all Data Sub­ject Access Request applications.

A Data Sub­ject Access Request can be made via any of the fol­low­ing meth­ods: email, fax, post, cor­po­rate web­site or any oth­er method. DSARs made online must be treat­ed like any oth­er Data Sub­ject Access Requests when they are received, though the Com­pa­ny will not pro­vide per­son­al infor­ma­tion via social media channels.

 

4.     The Rights of a Data Subject

The rights to data sub­ject access include the following:

• Know whether a data con­troller holds any per­son­al data about them.
• Receive a descrip­tion of the data held about them and, if per­mis­si­ble and prac­ti­cal, a copy of the data.
• Be informed of the purpose(s) for which that data is being processed, and from where it was received.
• Be informed whether the infor­ma­tion is being dis­closed to any­one apart from the orig­i­nal recip­i­ent of the data; and if so, the iden­ti­ty of those recipients.
• The right of data porta­bil­i­ty. Data sub­jects can ask that their per­son­al data be trans­ferred to them or a third par­ty in machine read­able for­mat (Word, PDF, etc.). How­ev­er, such requests can only be ful­filled if the data in ques­tion is: 1) pro­vid­ed by the data sub­ject to the Com­pa­ny, 2) is processed auto­mat­i­cal­ly and 3) is processed based on con­sent or ful­fil­ment of a contract.
• If the data is being used to make auto­mat­ed deci­sions about the data sub­ject, to be told what log­ic the sys­tem uses to make those deci­sions and to be able to request human intervention.

The Com­pa­ny must pro­vide a response to data sub­jects request­ing access to their data with­in 30 cal­en­dar days of receiv­ing the Data Sub­ject Access Request unless local leg­is­la­tion dic­tates otherwise.

 

5.     Requirements for a valid DSAR

In order to be able to respond to the Data Sub­ject Access Requests in a time­ly man­ner, the data sub­ject should:

• Sub­mit his/her request using a Data Sub­ject Access Request Form.
• Pro­vide the Com­pa­ny with suf­fi­cient infor­ma­tion to val­i­date his/her iden­ti­ty (to ensure that the per­son request­ing the infor­ma­tion is the data sub­ject or his/her autho­rized person).

Sub­ject to the exemp­tions referred to in this doc­u­ment, the Com­pa­ny will pro­vide infor­ma­tion to data sub­jects whose requests are in writ­ing (or by some oth­er method explic­it­ly per­mit­ted by the local law), and are received from an indi­vid­ual whose iden­ti­ty can be val­i­dat­ed by Company.

How­ev­er, Com­pa­ny will not pro­vide data where the resources required to iden­ti­fy and retrieve it would be exces­sive­ly dif­fi­cult or time-con­sum­ing. Requests are more like­ly to be suc­cess­ful where they are spe­cif­ic and tar­get­ed at par­tic­u­lar information.

Fac­tors that can assist in nar­row­ing the scope of a search include iden­ti­fy­ing the like­ly hold­er of the infor­ma­tion (e.g. by mak­ing ref­er­ence to a spe­cif­ic depart­ment), the time peri­od in which the infor­ma­tion was gen­er­at­ed or processed (the nar­row­er the time frame, the more like­ly a request is to suc­ceed) and being spe­cif­ic about the nature of the data sought (e.g. a copy of a par­tic­u­lar form or email records from with­in a par­tic­u­lar department).

 

6.     DSAR Process

6.1.Request

Upon receipt of a DSAR, the Data Pro­tec­tion Offi­cer will acknowl­edge the request. The requestor may be asked to com­plete a Data Sub­ject Access Request Form to bet­ter enable the Com­pa­ny to locate the rel­e­vant information.

6.2.Identity verification

The Data Pro­tec­tion Offi­cer needs to check the iden­ti­ty of any­one mak­ing a DSAR to ensure infor­ma­tion is only giv­en to the per­son who is enti­tled to it. If the iden­ti­ty of a DSAR requestor has not already been pro­vid­ed, the per­son receiv­ing the request will ask the requestor to pro­vide two forms of iden­ti­fi­ca­tion, one of which must be a pho­to iden­ti­ty and the oth­er con­fir­ma­tion of address.

If the requestor is not the data sub­ject, writ­ten con­fir­ma­tion that the requestor is autho­rized to act on behalf of the data sub­ject is required.

6.3.Information for Data Subject Access Request

Upon receipt of the required doc­u­ments, the per­son receiv­ing the request will pro­vide the Data Pro­tec­tion Offi­cer with all rel­e­vant infor­ma­tion in sup­port of the DSAR.  Where the Data Pro­tec­tion Offi­cer is rea­son­ably sat­is­fied with the infor­ma­tion pre­sent­ed by the per­son who received the request, the Data Pro­tec­tion Offi­cer will noti­fy the requestor that his/her DSAR will be respond­ed to with­in 30 cal­en­dar days. The 30 day peri­od begins from the date that the required doc­u­ments are received. The requestor will be informed by the Data Pro­tec­tion Offi­cer in writ­ing if there will be any devi­a­tion from the 30-day time­frame due to oth­er inter­ven­ing events.

6.4.Review of Information

The Data Pro­tec­tion Offi­cer will con­tact and ask the rel­e­vant department(s) for the required infor­ma­tion as request­ed in the DSAR. This may also involve an ini­tial meet­ing with the rel­e­vant depart­ment to go through the request if required. The depart­ment which holds the infor­ma­tion must return the required infor­ma­tion by the dead­line imposed by the Data Pro­tec­tion Offi­cer and/or a fur­ther meet­ing is arranged with the depart­ment to review the infor­ma­tion. The Data Pro­tec­tion Offi­cer will deter­mine whether there is any infor­ma­tion which may be sub­ject to an exemp­tion and/or if con­sent is required to be pro­vid­ed from a third party.

The Data Pro­tec­tion Offi­cer must ensure that the infor­ma­tion is reviewed/received by the imposed dead­line to ensure the 30 cal­en­dar day time­frame is not breached. The Data Pro­tec­tion Offi­cer will ask the rel­e­vant depart­ment to com­plete a “Data Sub­ject Dis­clo­sure Form” to doc­u­ment com­pli­ance with the 30-day requirement.

6.5.Response to Access Requests

The Data Pro­tec­tion Offi­cer will pro­vide the final­ized response togeth­er with the infor­ma­tion retrieved from the department(s) and/or a state­ment that the Com­pa­ny does not hold the infor­ma­tion request­ed, or that an exemp­tion applies. The Data Pro­tec­tion Offi­cer will ensure that a writ­ten response will be sent back to the requestor. This will be via email, unless the requestor has spec­i­fied anoth­er method by which they wish to receive the response (e.g. post). The Com­pa­ny will only pro­vide infor­ma­tion via chan­nels that are secure. When hard copies of infor­ma­tion are post­ed, they will be sealed secure­ly and sent by record­ed delivery.

6.6.Archiving

After the response has been sent to the requestor, the DSAR will be con­sid­ered closed and archived by the Data Pro­tec­tion Officer.

The pro­ce­dure is pre­sent­ed as a flow­chart in the Annex of this document.

 

7.     Exemptions

An indi­vid­ual does not have the right to access infor­ma­tion record­ed about some­one else, unless they are an autho­rized rep­re­sen­ta­tive, or have parental responsibility.

The Com­pa­ny is not required to respond to requests for infor­ma­tion unless it is pro­vid­ed with suf­fi­cient details to enable the loca­tion of the infor­ma­tion to be iden­ti­fied and to sat­is­fy itself as to the iden­ti­ty of the data sub­ject mak­ing the request.

In prin­ci­ple, the Com­pa­ny will not nor­mal­ly dis­close the fol­low­ing types of infor­ma­tion in response to a Data Sub­ject Access Request:

• Infor­ma­tion about oth­er peo­ple – A Data Sub­ject Access Request may cov­er infor­ma­tion which relates to an indi­vid­ual or indi­vid­u­als oth­er than the data s Access to such data will not be grant­ed unless the indi­vid­u­als involved con­sent to the dis­clo­sure of their data.
• Repeat requests – Where a sim­i­lar or iden­ti­cal request in rela­tion to the same data sub­ject has pre­vi­ous­ly been com­plied with with­in a rea­son­able time peri­od, and where there is no sig­nif­i­cant change in per­son­al data held in rela­tion to that data sub­ject, any fur­ther request made with­in a six month peri­od of the orig­i­nal request will be con­sid­ered a repeat request, and the Com­pa­ny will not nor­mal­ly pro­vide a fur­ther copy of the same data
• Pub­licly avail­able infor­ma­tion – The Com­pa­ny is not required to pro­vide copies of doc­u­ments which are already in the pub­lic domain.
• Opin­ions giv­en in con­fi­dence or pro­tect­ed by copy­right law – The Com­pa­ny does not have to dis­close per­son­al data held in rela­tion to a data sub­ject that is in the form of an opin­ion giv­en in con­fi­dence or pro­tect­ed by copy­right law.
• Priv­i­leged doc­u­ments – Any priv­i­leged infor­ma­tion held by Com­pa­ny need not be dis­closed in response to an In gen­er­al, priv­i­leged infor­ma­tion includes any doc­u­ment which is con­fi­den­tial (e.g. a direct com­mu­ni­ca­tion between a client and his/her lawyer) and is cre­at­ed for the pur­pose of obtain­ing or giv­ing legal advice.

 

8.     Data Subject Access Request Refusals

There are sit­u­a­tions where indi­vid­u­als do not have a right to see infor­ma­tion relat­ing to them. For instance:

• If the infor­ma­tion is kept only for the pur­pose of sta­tis­tics or research, and where the results of the sta­tis­ti­cal work or research are not made avail­able in a form that iden­ti­fies any of the individuals
• Requests made for oth­er, non-data pro­tec­tion pur­pos­es can be rejected.

If the respon­si­ble per­son refus­es a Data Sub­ject Access Request on behalf of the Com­pa­ny, the rea­sons for the rejec­tion must be clear­ly set out in writ­ing. Any indi­vid­ual dis­sat­is­fied with the out­come of his/her Data Sub­ject Access Request is enti­tled to make a request to the Data Pro­tec­tion Offi­cer to review the outcome.

 

9.     Responsibilities

The over­all respon­si­bil­i­ty for ensur­ing com­pli­ance with a DSAR rests with the Data Pro­tec­tion Officer.

If the Com­pa­ny acts as a data con­troller towards the data sub­ject mak­ing the request then the DSAR will be addressed based on the pro­vi­sions of this procedure.

If the Com­pa­ny acts as a data proces­sor the Data Pro­tec­tion Offi­cer will for­ward the request to the appro­pri­ate data con­troller on whose behalf the Com­pa­ny process­es per­son­al data of the data sub­ject mak­ing the request.

 

10.    Managing records kept on the basis of this document

Record name	Stor­age location	Per­son respon­si­ble for storage	Con­trols for record protection	Reten­tion time
Data Sub­ject Access Request Forms	GDPR sec­tion of CRM	Data Pro­tec­tion Officer	Only autho­rized per­sons may access the folder	10 years
Data Sub­ject Dis­clo­sure Form	GDPR sec­tion of CRM	Data Pro­tec­tion Officer	Only autho­rized per­sons may access the folder	10 years

 

 

11.     Validity and document management

This doc­u­ment is valid as of March 2018.

The own­er of this doc­u­ment is the Data Pro­tec­tion Offi­cer, who must check and, if nec­es­sary, update the doc­u­ment at least once a year.