You have a right, under the General Data Protection Regulation (also known as UK GDPR, Data Protection Act 2018), to access the personal data we hold on you. To do so, you should made a subject access request, and this policy sets out how you should make a request, and our actions upon receiving the request.
“Personal data” is any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier, including your name.
“Special categories of personal data” includes information relating to:
- ethnic origin
- trade union membership
- biometrics (where used for ID purposes)
- sex life or
- sexual orientation.
C) Making a request
Although subject access requests may be made verbally, we would advise that a request may be dealt with more efficiently and effectively if it is made in writing. If you wish to make a request, please use the Subject Access Request form.
Requests that are made directly by you should be accompanied by evidence of your identity. If this is not provided, we may contact you to ask that such evidence be forwarded before we comply with the request.
Requests made in relation to your data from a third party should be accompanied by evidence that the third party is able to act on your behalf. If this is not provided, we may contact the third party to ask that such evidence be forwarded before we comply with the request.
Usually, we will comply with your request without delay and at the latest within one month. Where requests are complex or numerous, we may contact you to inform you that an extension of time is required. The maximum extension period is two months.
We will normally comply with your request at no cost. However, if the request is manifestly unfounded or excessive, or if it is repetitive, we may contact you requesting a fee. This fee must be paid in order for us to comply with the request. The fee will be determined at the relevant time and will be set at a level which is reasonable in the circumstances.
In addition, we may also charge a reasonable fee if you request further copies of the same information.
F) Information you will receive
When you make a subject access request, you will be informed of:
- whether or not your data is processed and the reasons for the processing of your data;
- the categories of personal data concerning you;
- where your data has been collected from if it was not collected from you;
- anyone who your personal data has been disclosed to or will be disclosed to, including anyone outside of the EEA and the safeguards utilised to ensure data security;
- how long your data is kept for (or how that period is decided);
- your rights in relation to data rectification, erasure, restriction of and objection to processing;
- your right to complain to the Information Commissioner if you are of the opinion that your rights have been infringed;
- the reasoning behind any automated decisions taken about you.
G) Circumstances in which your request may be refused
We may refuse to deal with your subject access request if it is manifestly unfounded or excessive, or if it is repetitive. Where it is our decision to refuse your request, we will contact you without undue delay, and at the latest within one month of receipt, to inform you of this and to provide an explanation. You will be informed of your right to complain to the Information Commissioner and to a judicial remedy.
We may also refuse to deal with your request, or part of it, because of the types of information requested. For example, information which is subject to legal privilege or relates to management planning is not required to be disclosed. Where this is the case, we will inform you that your request cannot be complied with and an explanation of the reason will be provided.
H) Contacting our data protection officer (DPO)
You may contact our DPO if you wish to make a Data Subject Access Request (DSAR) or you have any questions relating to our processing of personal data.
Contact details: Data Privacy Services, [email protected]