Subject Rights Request Policy
1.0 LEGISLATION AND GUIDANCE
The DPA 2018 and the General Data Protection Regulation (GDPR) set out individuals' rights in relation to the personal data that we process. This policy deals with an individual's rights in relation to personal data and how we manage any requests. The policy is based on guidance published by the Information Commissioner's Office (ICO): Individual rights | ICO.
2.0 DATA SUBJECT – RIGHTS OF THE INDIVIDUAL
2.1 Individuals
Individuals have certain rights under the DPA 2018 and the GDPR. These are:
- The right to be informed via Privacy Notices.
- The right of access to any personal information the organisation holds about them.
- The right to rectification: we must correct inaccurate or incomplete data within one month.
- The right to erasure. Individuals have the right to have their personal data erased and to prevent processing unless we have a legal obligation to process their personal information.
- The right to restrict processing. Individuals have the right to suppress processing. We can retain just enough information about them to ensure that the restriction is respected in future.
- The right to data portability. We can provide the individual with their personal data in a structured, commonly used, machine readable format when asked.
- The right to object. Individuals can object to their personal data being used for profiling, direct marketing or research purposes.
- Rights in relation to automated decision making and profiling, to reduce the risk that a potentially damaging decision is taken without human intervention.
2.2 Children
A child (anyone under the age of 18) has the same data protection rights over their personal data as an adult. We will give personal data processed about children specific consideration, as they may be less aware of the risks, consequences and safeguards concerned.
Children below the age of 12 are generally not regarded to be mature enough to understand their rights and the implications of processing their personal data. Therefore, the rights of these children, including giving consent, can be exercised by their parents or carers without the express permission of the child, provided we are satisfied that the request has come from a person with parental responsibility. This is not a rule and a child’s ability to understand their rights will always be judged on a case-by-case basis.
Children aged 12 and above are generally regarded to be mature enough to understand their rights and the implications of processing their personal data. Therefore, the rights of these children, including consent, can be exercised by the child. Any request from parents or carers of children in this age range may not be granted without the express permission of the child. This is not a rule, and a child's ability to understand their rights will always be judged on a case-by-case basis. If we judge that a child is not mature enough to understand their rights, their rights, including consent, can be exercised by parents or carers without the express permission of the child, provided we are satisfied that the request has come from a person with parental responsibility.
3.0 SUBJECT RIGHTS REQUEST
3.1 Subject access requests
Individuals have a right to make a ‘subject access request’ (SAR) to gain access to personal information that the organisation holds about them. This includes:
- Confirmation that their personal data is being processed.
- Access to a copy of the data.
- The purposes of the data processing.
- The categories of personal data concerned.
- Who the data has been, or will be, shared with.
- How long the data will be stored for, or if this isn’t possible, the criteria used to determine this period.
- The source of the data, if not the individual.
- Whether any automated decision-making is being applied to their data, and what the significance and consequences of this might be for the individual.
3.2 How do we recognise and accept subject rights requests?
A subject access request, or any other subject rights request, is simply a request made verbally or in writing by or on behalf of an individual for, or about, the information which they are entitled to ask for. Requests do not need to include the words 'subject access' or mention the DPA. If a request states that it is a freedom of information (FOI) request but clearly relates to the requester's personal data, we will treat it as a SAR. Our preference is to receive requests via an application form; however, we do not insist on this and will accept requests by any means, including hard copy, email, fax or social media. If a verbal request is made, we will complete security checks to ensure that we are speaking to the data subject and use our application form to gather the information needed. Verbal requests can be made in person or in a phone call; however, we will not disclose the content of personal data over the telephone, and we will give the individual the option of completing an application form themselves.
Subject rights requests should include:
- Name of individual
- Correspondence address
- Contact number and email address
- Details of the information that the request is about.
We may ask an individual the reason for their request if it will help us to locate the information and provide a more expedient service. However, requesters do not have to tell us their reason for making the request or what they intend to do with any information requested. A request is valid even if it has not been sent to the person who normally deals with such requests.
We have Data Subject Rights guidance on our website <appendix 1> with an application form <appendix 2>. As above, using the form is not a requirement for accepting a subject rights request; however, enquiries should be directed to it to assist with the process.
3.3 Requests made on behalf of others
The data subject may make a subject rights request via a third party. This could be a solicitor acting on behalf of a client, or another individual that the data subject wants to act for them. In these cases we must be satisfied that the third-party requester is entitled to act on behalf of the individual. If evidence of this is not provided with the request, we will ask the third party to provide it. For example, this could be:
- A written authority/consent for the third party to act for the individual
- A more general power of attorney
4.0 SUBJECT RIGHTS – RESPONDING TO A REQUEST
* If staff receive a subject rights request they must immediately contact the Duty Manager and DPO.
4.1 When responding to subject rights requests:
- We may ask the individual to provide 2 forms of identification;
- We may contact the individual via phone to confirm the request was made;
- We will acknowledge receipt of the request;
- We will respond without delay and within 1 month of receipt of the request.
4.1.1 Subject Access Requests (SARs)
- If a SAR is requested as a FOI we will contact the individual to confirm that we are dealing with this as a SAR and clarify the time limit for responding (FOI requests have a 20 working day limit);
- We will provide the information free of charge (please also see point 4.2 below for circumstances where we may charge a fee);
- We will make any reasonable adjustments required for disabled people and respond in a format that is accessible to that person, e.g. braille, large print or audio formats;
- We may delete names or edit documents if they include third party information;
- Where requests are complex or numerous, we may tell the individual that we will comply within 3 months of receipt of the request. We will inform the individual of this within 1 month and explain why the extension is necessary.
We will not disclose information if it:
- Might cause serious harm to the physical or mental health of the data subject or another individual;
- Would reveal that the data subject is at risk of abuse, where the disclosure of that information would not be in the data subject's best interests; or
- Is given to a court in proceedings concerning the data subject.
Supplying information to the requester
When responding to a request we will:
- Confirm whether any personal data is being processed – e.g. if we hold no personal data about the requester, we will still respond to let them know this;
- Follow Plymouth Active Leisure's Subject Access Request Procedures, which ensure that we meet our obligations and maintain the security of personal information while gathering the information requested.
4.1.2 Rectification
- We will take reasonable steps to satisfy ourselves that the data is accurate.
- We will take into consideration whether information is incorrect or misleading.
- We will restrict the use of the information disputed whilst we are verifying its accuracy.
- We may decide that the information is not inaccurate, for example where this is the opinion of a person.
- If we are satisfied that the data is accurate we will let the individual know and tell them that we will not be amending the data and explain why.
- Where information has since been corrected but there is a need for the incorrect information to be retained, we will let the individual know and explain why.
4.1.3 Erasure
- We will erase personal data if:
- the data is no longer necessary for the purpose which we originally collected or processed it for;
- We are relying on consent as our lawful basis for holding the data and the individual withdraws consent;
- We are relying on legitimate interests as our basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
- We are processing the personal data for direct marketing purposes and the individual objects to that processing;
- We have processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the first principle);
- We have to do it to comply with a legal obligation; or
- If we have shared personal data that we have agreed to erase we will tell the other organisation.
- If the personal data has been made public in an online environment we will ensure that it is removed from these platforms.
- We may not be able to comply with a request for erasure where rights do not apply, for example where personal data is being processed to comply with a legal obligation, or where an exemption applies.
- If we decide that we cannot erase personal data we will let the individual know and explain why.
4.1.4 Restriction or suppression
- We will restrict the processing of personal data if:
- The individual contests the accuracy of their personal data and we are verifying the accuracy of the data;
- The data has been unlawfully processed (i.e. in breach of the lawfulness requirement of the first principle of the GDPR) and the individual opposes erasure and requests restriction instead;
- We no longer need the personal data but the individual needs us to keep it in order to establish, exercise or defend a legal claim; or
- The individual has objected to us processing their data under Article 21(1), and we are considering whether our legitimate grounds override those of the individual.
- If we restrict personal data we may store the personal data but will not use it unless:
- We have the individual’s consent;
- It is for the establishment, exercise or defence of legal claims;
- It is for the protection of the rights of another person (natural or legal); or
- It is for reasons of important public interest.
- If we have disclosed the personal data that we have agreed to restrict to others we will notify the other organisations.
- We may lift the restriction, for example if we make a decision on the accuracy of personal data or whether our legitimate grounds override those of the individual.
- If we do decide to lift the restriction we will inform the individual before we do this. We will inform them of the reasons and of their right to make a complaint to the ICO or another supervisory authority and their ability to seek a judicial remedy.
4.1.5 Data Portability
- Where we are the data controller for personal data we will:
- Directly transmit requested data to the individual; or
- Provide access to an automated tool that allows the individual to extract the requested data themselves;
- We will ensure any transfer of data is secure;
- We will provide data in a structured, commonly used and machine-readable format, e.g. CSV files.
- If we provide information directly to an individual or to another organisation in response to a data portability request, we are not responsible for any subsequent processing carried out by the individual or the other organisation.
- If we have legitimate reasons why we cannot undertake a transmission, for example if this would adversely affect the rights and freedoms of others, we will inform the individual and explain what the legitimate reasons are.
4.1.6 Object
- An individual has an absolute right to object to personal data being processed for direct marketing purposes and a right to object to processing for:
- A task carried out in the public interest;
- The exercise of official authority vested in us; or
- Our legitimate interests (or those of a third party).
4.1.7 Automated decision making including profiling
- We do not use any automated decision making processes or profiling.
4.2 If the subject rights request is unfounded or excessive:
- We may refuse to act on it, or charge a reasonable fee which takes into account administrative costs.
- A request will be deemed to be unfounded or excessive if it is repetitive, or asks for further copies of the same information.
- When we refuse a request, we will tell the individual why, and tell them they have the right to complain to the ICO.
APPENDIX 1: DATA PROTECTION ACT – DATA SUBJECT RIGHTS REQUEST
YOUR RIGHTS
The Data Protection Act 2018 gives you a number of information rights. You are entitled to:
- Access to the personal information that the organisation holds about you
- Know the types of information that we hold about you
- Know what your information is being used for and why
- Know where the information came from and who we might share it with
- Know how long we will keep your personal information
- Have information about you erased if it meets certain conditions
- Have corrections made to inaccurate information and in certain circumstances restrict what we do with your information
In certain circumstances:
- The right to data portability where we provide you with your personal information in a commonly used, machine readable form.
HOW WE WILL RESPOND TO YOUR REQUEST
Your right to access your information
If you would like access to your personal information we will provide you with:
- A copy of the requested information within one month, free of charge.
- Your information in either paper or electronic form. Please let us know when you make your request your preferred format.
Following your request for access if you feel that any of the data is inaccurate and should be corrected or erased please submit a further Data Subject Rights Request.
When we complete your request we will keep a copy of your application, identity documents and the information provided to you for six years.
Please be aware:
- If your request is particularly complex we have the right to extend the period of compliance by a further two months (60 days). In this case we will contact you within the first month to let you know. We may also ask if you can provide more detail about the specific information you hope to obtain.
- We reserve the right to charge a fee where the request is manifestly unfounded, excessive or where we have already provided a copy. This fee will be based on the administrative cost of providing you with the information.
- In exceptional circumstances, where a request is deemed to be manifestly unfounded, excessive and in particular repetitive we may refuse to respond. If we decide to refuse your request we will, within one month of receiving your request, explain why and inform you of your right to complain to the Information Commissioner and to a judicial remedy.
Your other information Rights
Your request will be passed to…
FURTHER INFORMATION
If you would like further information about your information rights under the Data Protection Act 2018 please contact the organisation’s Data Protection Officer at dataprotectionofficer@plymouth.gov.uk, on 01752 398380 or in writing at Finance, Plymouth City Council, Ballard House, Ground Floor, Plymouth, PL1 3BJ.
Independent advice
You can also contact the Information Commissioner's Office to seek an independent opinion. You can call them on 03031231113, write to them at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, or visit the Information Commissioner's website.
EXERCISING YOUR RIGHTS
Please complete the form below and return this to:
Data Protection Officer
Plymouth Active Leisure
Tel: 01752
email
Privacy Notice
For information about how Plymouth Active Leisure will use the information you supply in this form and the information rights you have please see our Privacy Notice.