Data Subject Access Requests Policy

Issued By: Data Protection Officer

Effective Date: 19/10/2018

Review Date: 19/10/2020

Contents

1. Introduction
2. Purpose
3. Responsibilities
3.1 All Staff and Volunteers
4. Procedure
5. Associated documents and policies
6. Definitions
7. Fees
Appendix 1 – Rights of Data Subjects

Data Subject Requests Procedure

1. Introduction

The GDPR (General Data Protection Regulation) creates some new Rights for Data Subjects as well as strengthening existing Rights. As a Data Controller, Autism Inclusive must be able to comply with these Rights. The GDPR provides the following Rights for individuals:

1.1. Right of Access (also known as a Subject Access Request) (such requests must be dealt with within 1 calendar month)
1.2. Right to Rectification (under GDPR must be dealt with without undue delay)
1.3. Right to Erasure (under GDPR must be dealt with without undue delay)
1.4. Right to Restrict Processing
1.5. Right to Data Portability
1.6. Right to Object
1.7. Rights in Relation to Automatic Decision Making and Profiling

Further information about each of the above Rights can be found in Appendix 1 of this procedure. If you receive or identify a request under any of the above Rights, it is important that this procedure is followed.

It is important to recognise that such requests may be made by current or past Autism Inclusive Staff and may not follow a clear and standard format in which the Data Subject clearly sets out which Right they are requesting to be exercised. For example, they may simply say ‘I want to know what Autism Inclusive is using my data for’ or ‘I want to see all emails about me in the Autism Inclusive system’.

When a request is recognised, it is important that you obtain some basic details about the request, such as the time frame and whether it relates to a particular event, time or activity, as this can help to provide the correct information in a timely manner before forwarding the request to the Data Protection Team for action.

It should be noted that Data Subjects can make such requests verbally (for example over the telephone), as well as in an email or postal letter.

2. Purpose

The purpose of this document is to provide a procedure to follow when a Data Subject Request in relation to the above Rights is received by Autism Inclusive.

3. Responsibilities

3.1 All Staff

All staff have a responsibility to recognise a request and to comply with the procedure as follows.

4. Procedure

4.1 Appendix 2 presents the procedure in a visual way.

4.2 Where a request is received by staff covering any of the GDPR Data Subject Rights (see Section 1 of this document), the request must be passed to the Autism Inclusive Data Protection Officer immediately.

4.3 The request must be forwarded to contact@AutismInclusive.org.uk. If the request was made over the phone, then as much information as possible regarding what was requested must be typed into an email and sent to the Data Protection Team immediately. If the request is received in a postal letter, this can either be scanned and sent to the Data Protection Officer by email, or the hard copy taken to the Data Protection Officer immediately.

4.4 The Data Protection Officer will process the request accordingly and respond to the Data Subject in line with the legislation. They may ask for input and/or provision of data from teams across Autism Inclusive in order to ensure they have fully complied with the request. Due to the time limits for complying, teams requested to assist should treat such requests as a priority.

4.5 If there is uncertainty around whether something is a request, please refer to the Data Protection Officer for further advice.

5. Associated documents and policies

This policy is to be read in conjunction with the related policies:

• Data Protection Policy

6. Definitions

Data Subject: An individual who is the subject of personal data and whom particular personal data is about.

Personal Data: ‘Personal data’ means any information relating to an identified or identifiable person (‘data subject’). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

GDPR: The General Data Protection Regulation is a regulation by the European Parliament intended to strengthen and unify data protection for individuals.

Processing: Obtaining, recording or holding the information or data, or carrying out any operation or set of operations on the information or data, including:

a. organisation, adaptation or alteration of the information or data,
b. retrieval, consultation or use of the information or data,
c. disclosure of the information or data by transmission, dissemination or otherwise making available, or
d. alignment, combination, blocking, erasure or destruction of the information or data.

Legal Basis for Processing: Processing will only be lawful if at least one of the following applies:

a. the data subject has given consent to the processing of their personal data for one or more specific purposes;
b. processing is necessary for the performance of a contract with the data subject or in order to take steps to enter a contract;
c. processing is necessary to comply with a legal obligation;
d. processing is necessary to protect the vital interests of the data subject;
e. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

Appendix 1 – Rights of Data Subjects

Right of Access (also known as a Subject Access Request)

Data Subjects have the Right to obtain:

• Confirmation that their data is being processed
• Access to their personal data, and
• Other supplementary information

Right of access requests must be responded to within one month.

Right to Rectification

Data Subjects are entitled to have their personal data rectified if it is inaccurate or incomplete. If the information in question has been disclosed to a third party, the Data Controller must inform them of the request for rectification where possible. The Data Subject is also entitled to be informed of the third parties to whom the data has been disclosed, where appropriate.

Requests for rectification must be responded to within one month.

Right to Erasure

This Right is also known as the ‘Right to be Forgotten’. It enables Data Subjects to request the deletion or removal of personal data where there is no compelling reason for its continued processing by the Data Controller.

The Right to Erasure applies in the following circumstances:

• The personal data is no longer necessary in relation to the purpose for which it was originally collected
• The processing was based on consent, and the Data Subject has now withdrawn their consent
• The Data Subject objects to processing and there is no overriding legitimate interest of the Data Controller
• The data was being unlawfully processed
• The data must be erased to comply with a legal obligation

Right to Restrict Processing

When this Right is exercised you are permitted to store the personal data but not further process it. Restricted information about the individual may be retained to ensure that the restriction is respected in the future.

The Right to Restrict Processing applies in the following circumstances:

• When a Data Subject contests the accuracy of their personal data, processing should be restricted to storage only until accuracy is verified
• When a Data Subject objects to processing which is being carried out for the performance of a task in the public interest, or for the legitimate interests of the Data Controller, the Data Controller must restrict processing to storage only whilst they consider whether their legitimate grounds override the Rights and freedoms of the individual
• When processing is unlawful and a Data Subject opposes erasure and requests restriction to storage instead
• When the Data Controller no longer needs the personal data but the Data Subject requires it for the purpose of a legal claim

Right to Data Portability

This Right allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows the individual to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way in a common data format, for example an Excel or CSV file.

The Right to Data Portability applies in the following circumstances:

• When the personal data was provided to the controller directly by the Data Subject
• Where the processing is based on consent or performance of a contract
• When processing is carried out by automated means

Right to Object

Individuals have the Right to object to:

• Processing based on legitimate interest or performance of a task in the public interest/exercise of official authority (including profiling)
• Direct marketing (including profiling)
• Processing for the purposes of scientific/historical research and statistics

Rights in Relation to Automatic Decision Making and Profiling

This Right provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention.

The Right not to be subject to a decision applies when:

• It is based on automated processing
• It produces legal/significant effects on the individual

It does not apply if the decision:

• Is necessary for entering into or performance of a contract
• Is authorised by law
• Is based on explicit consent
• Does not have a legal/significant effect on the data subject

7. Fees

Where the request is manifestly unfounded or excessive Autism Inclusive may charge a “reasonable fee” for the administrative costs of complying with the request.

Autism Inclusive may also charge a reasonable fee if an individual requests further copies of their data following a request. You must base the fee on the administrative costs of providing further copies.