This section represents our policy for responding to Subject Access Requests (SARs) under the General Data Protection Regulations (GDPR).
SAR represents a formal request from an individual obligating us to assess all of the personal data we hold and collate which is relevant to the requester. This is a fundamental right of the GDPR
Give individuals a right to obtain:
· Confirmation that their personal data is being accessed
· Access to that personal data being held
· Any other information which would be of assistance (list of those we have shared data with for example)
A SAR is a written request for personal information (known as personal data) held about an individual. Generally, individuals have the right to see what personal information is held about them and they are entitled to be given a description of the information, what it is/was used for and who it may have been shared with. However, this right is subject to certain exemptions that are set out in the GDPR.
The first step is to ensure the identity of the requester, which we will confirm by asking for two forms of identity, one of which must be photographic (driver’s licence, passport, bus pass etc.) and one which must confirm the requester’s home address. Once received and identification is validated the process of gathering any data held will begin. Once we have enough information from a requester to identify any relevant records we will collate all the detail we hold. If we feel we need more information from the requester we will contact them promptly asking for this.
Once we have completed the data gathering a permanent copy of the relevant data will be forwarded to the requester, usually via the method they submitted their original request.
The Information Commissioner’s Office (ICO) describes data as information which: Personal data means data which relate to a living individual who can be identified –
(a) From those data, or
(b) From those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
Sensitive personal data means personal data consisting of information as to –
(a) The racial or ethnic origin of the data subject,
(b) His/her political opinions,
(c) His/her religious beliefs or other beliefs of a similar nature,
(d) Whether he/she is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
(e) His/her physical or mental health or condition,
(f) His/her sexual life,
(g) The commission or alleged commission by him/her of any offence, or
(h) Any proceedings for any offence committed or alleged to have been committed by him/her, the disposal of such proceedings or the sentence of any court in such proceedings.
Taken from the actual legislative document representing the GDPR personal data is defined as:
· ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Any information which falls under any of the above headings will be deemed relevant when handling a SAR.
Previously under the DPA a fee of £10 could be charged. However, the GDPR have removed this fee and we will provide a copy of the information free of charge. However, a ‘reasonable fee’ can be charged in instances where a request is deemed manifestly unfounded or excessive, particularly if it is repetitive. The fee will be based on the administrative cost of providing the information
Where requests are manifestly unfounded, excessive or repetitive we are entitled to charge a reasonable fee in respect of providing the information; or we can refuse to respond. Where a request is refused an explanation of why must be provided to the requester alongside information detailing their right to complain to the supervisory authority (the ICO).
The response deadline has been reduced under the GDPR which stipulates that information must be provided without delay and at the latest within one month of receiving a request. However, there is scope to extend the response deadline by an additional two months when handling particularly complex or numerous requests. In such instances contact will be made with the requester explaining why the extension is necessary.
If we receive a request for information contained within a credit reference file we must inform the requester that we are unable to comply with their request and provide them with contact details for the credit reference agencies we use.
If you are dissatisfied with our response you can complain to the Information Commissioner's Office via the following:
Wycliffe House, Water Lane, Wilmslow Cheshire, SK9 5AF
Telephone: 0303 123 1113 (local rate) or 01625 545 745