Subject Access Request - SAR
Scotton Parish Council
Subject Access Request Policy
Introduction
Individuals, also known as data subjects, have the right to access personal data held on them by Scotton Parish Council. Details are set out in the General Privacy Notice and Data Protection policy, which is available on the Parish Council’s Website or by emailing the Clerk – scottonparish@gmail.com
This policy advises of the internal processes on handling of Subject Access Requests (SARs) and includes information on:
• Responsibilities;
• Timing;
• Changes to data; and
• Handling requests for rectification, erasure or restriction of processing.
Scotton Parish Council stores personal data in an easily accessible format so as to enable a timely response to a SAR, and so that personal data on specific data subjects can be easily filtered. SARs may be received by email, or letter. Where the request is made by electronic means, and unless otherwise requested, the information shall be provided electronically.
Upon receipt of a Subject Access Request
Receipt of the SAR will be promptly acknowledged once it has been verified as detailed in this policy, and the data subject will be informed of any costs involved in the processing of the SAR.
• It will be verified that the Parish Council is a Data Controller of the data subject’s personal data. Once verified, the data subject will be informed who at the Parish Council to contact regarding the handling of their SAR.
• The identity of the data subject will be verified and, if needed, any further evidence on the identity of the data subject may be requested.
• The SAR will be verified to ensure it is clear to the Data Controller what personal data is requested, and, if needed, additional information will be requested.
• SARs will be undertaken free of charge to the requestor. However, for any further copies of the information requested, there may be a reasonable fee charge based on administrative costs. There may also be a ‘reasonable fee’ charge when a request is verified and found to be manifestly unfounded or excessive, particularly if it is repetitive, otherwise the Parish Council may refuse to respond.
• Whether the Parish Council processes the data requested, will be verified. If the Parish Council does not process any data, the data subject will be informed accordingly. At all times, the SAR policy will be followed, and progress may be monitored.
Data will not be changed because of the SAR. Routine changes, as part of the processing activities concerned, may be permitted.
• The data requested will be verified to establish if it involves data on other data subjects. This data will be filtered before the requested data is supplied to the data subject. If data cannot be filtered, other data subjects will be contacted to give consent to the supply of their data as part of the SAR.
Responding to a Subject Access Request
The Parish Council will respond to a SAR within one calendar month after receipt of the request:
i. The one calendar month starts from when the Parish Council receives a clear and valid request and the requestor's identity has been validated.
ii. If more time is needed to respond to complex requests, an extension of another two months is permissible, and this will be communicated to the data subject in a timely manner within the first month;
iii. If the Parish Council cannot provide the information requested, it will inform the data subject on this decision without delay and, at the latest, within one calendar month of receipt of the request.
• If data on the data subject is processed, the Parish Council will ensure, as a minimum, the following information in the SAR response:
i. the purposes of the processing;
ii. the categories of personal data concerned;
iii. the recipients or categories of recipients to whom personal data has been or will be disclosed; iv. where possible, the envisaged period for which personal data will be stored, or, if not possible, the criteria used to determine that period;
v. the existence of the right to request rectification or erasure of personal data, or restriction of processing of personal data concerning the Data Subject or to object to such processing;
vi. the right to lodge a complaint with the Information Commissioners Office (the ICO);
vii. if the data has not been collected from the data subject: the source of such data; viii. the existence of any automated decision-making, including profiling and any meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
• The Parish Council will provide a copy of the personal data undergoing processing.
Implementing the Subject Access Requests Policy
• On receipt of a SAR, it must be forwarded immediately to the Clerk as nominated Data Controller who will decide whether a request has been made under the Data Protection legislation.
• The Data Controller must ensure the request has been received in writing, where a data subject is asking for sufficiently well-defined personal data held by the Parish Council, relating to the data subject. What personal data is needed will be clarified with the requestor, who must supply their address and valid evidence to prove their identity. The Parish Council accepts the following forms of identification:
• Current UK/EEA Passport
• UK Photocard Driving Licence (Full or Provisional)
• Firearms Licence/Shotgun Certificate
• EEA National Identity Card
• Full UK Paper Driving Licence
• State Benefits Entitlement Document*
State Pension Entitlement Document*
• HMRC Tax Credit Document*
• Local Authority Benefit Document*
• State/Local Authority Educational Grant Document*
• HMRC Tax Notification Document • Disabled Driver’s Pass
• Financial Statement issued by bank, building society or credit card company+
• Judiciary Document such as a Notice of Hearing, Summons or Court Order
• Utility bill for supply of gas, electric, water or telephone landline+
• Most recent Mortgage Statement
• Most recent Council Tax Bill/Demand or Statement
• Tenancy Agreement
• Building Society Passbook which shows a transaction in the last 3 months and your address
(These documents must be dated * in the past 12 months; + in the past 3 months)
All the personal data that has been requested must be provided unless an exemption applies. (This will involve a search of emails/recoverable emails, word documents, spreadsheets, databases, systems, removable media (for example memory sticks), tape recordings, paper records in relevant filing systems).
• A response must be provided within one calendar month after accepting the request as valid.
• The Parish Council must provide, where necessary, an explanation with the personal data in an “intelligible form”, which will include explaining any codes, acronyms and complex terms. The personal data will be supplied in a permanent form except where the requestor agrees or where it is impossible or would involve undue effort. Agreement may be sought with the requestor that they will view the personal data on screen or inspect files on Council premises. Any exempt personal data will be redacted from the released documents with an explanation why that personal data is being withheld.
• The Parish Council must ensure that all staff are aware of and follow this guidance.
• Where a requestor is not satisfied with a response to a SAR, the Parish Council must manage this as a complaint under the Parish Council’s Complaints Procedure.