The following procedure defines the method that will be followed, and the steps to be
taken, when handling Subject Access Requests, under the Data protection Act (DPA) and subsequently under the General Data Protection Regulation (GDPR) for information directed to any staff member of Ascensos Ltd
Both the Data Protection Act and General Data Protection Regulation gives individuals the right to request copies of all their personal data processed by Ascensos as a data controller and this document refers to Ascensos only in that role. As a data processor Ascensos will adhere to the SAR policies required except in circumstances where a client SAR is not in compliance with data regulations.
Personal data is any information that relates to a living individual who can be identified:
In practice, this definition covers all types of records held by the Ascensos. The individual is entitled under current legislation to see all copies of letters, memos and emails of which the individual is the focus.
In order to get a copy of their personal data, an individual has to make a request in writing using a standardised form (See Appendix A), the applicant must provide sufficient information to identify themselves and the information they are seeking. This for is provided to ensure that Ascensos has a full understanding of what is being requested and that the individual has been suitably identified as being that person.
Data regulation is currently going through a transition process from DPA to GDPR and to ensure that Ascensos is compliant they are taking the more restrictive requirements to ensure compliance with both.
The DPA allows for a 40 day however GDPR only allows for 30 day. Therefore, once an individual has provided all information Ascensos has 30 days to comply with the request. If Ascensos does not comply fully with a legitimate request from an individual within the 30-day time limit, Ascensos will be in breach of the GDPR.
This Policy and Procedure is designed to ensure that all requests are dealt with adequately within the 30-day time limit that has been agreed that Ascensos must adhere to ensure that GDPR and therefore prevent Ascensos being in breach of data regulation legislation.
Although not anticipated this 30 day response can be extended by a further two months where the request is complex or where there are numerous requests. If this is the case, the Data Subject must be contacted within one month of the receipt of the request and explain why the extension is necessary.
It will be the Ascensos policy to ensure that all Subject Access Requests are initially acknowledged in writing within 5 working days. At the time of acknowledgement, individuals will be told whether any further information is required.
Ascensos will have an electronic facility in place using a standardised form for the submission of requests. This facility will be hosted within their website.
It will be the policy of Ascensos to not charge, in compliance with GDPR, per subject access request. Where the request is determined to be ‘manifestly unfounded or excessive’, a fee may be charged consummate with the complexity or time required to the request. Unless Ascensos explicitly advises that there will be a charge everyone making a Subject Access Request should be able to access their information at no charge.
Individuals will be required to provide proof of identity and residence, as detailed in the Procedure for Handling Requests, before information will be disclosed. This is to prevent unauthorised disclosures to third parties.
Where a request is made by an agent on behalf of an individual, in addition to the proofs referred to in paragraph 3, a request will only be fulfilled where the agent can provide proof of authority to act on the individual’s behalf. Any written authorisation will also be verified by telephoning the person who has given authorisation for the agent to act on their behalf.
Ascensos will produce a Subject Access Information Pack and Standardised Subject Access Forms to assist an individual in making a request. These will be made available on request and will be placed on the Ascensos website. Submission of these forms can be made electronically however Ascensos will provide appropriate contact details on the website for non-electronic submissions.
This Procedure and the Subject Access Information Pack will be made available in other formats where necessary. Ascensos understand the rights of the individual pertaining to Data Portability and will provide materials in a structured, commonly used and machine readable format with the exception of paper based files which will be scanned and sent to the applicant
Ascensos has the right to withhold personal data if disclosing it would ‘adversely affect the rights and freedoms of others’. This is reflective of the current position under the DPA and will be extended to GDPR.
Every department will have nominated personnel who will assist the Ascensos Data Protection Officer to fulfill subject access requests in a timely and.
Training will be provided to key staff that will be using this policy and procedure on a frequent basis and, as and when, data regulation changes require.
A Standard Operating Procedure entitled Ascensos SAR Process details the operational aspect of how a SAR is dealt with on a step by step basis.
Article 17 of the GDPR states that data subjects have the right to have their personal data removed from the systems of controllers and processors under a number of circumstances, such as by removing their consent for its processing. Once again as both a controller and a processor Ascensos will adhere to our clients policies regarding the processing of client customer data but as a controller we recognise our own obligations of how we handle personal data controlled by Ascensos.
Ascensos as a data controller understand individuals rights to erasure and will fully comply with this in the following circumstances.
Article 17 of the GDPR, The Right To Erasure, states:
“Data Subjects have the right to obtain erasure from the data controller, without undue delay, if one of the following applies:
If a controller makes the data public, then they are obligated to take reasonable steps to get other processors to erase the data, e.g. A website publishes an untrue story on an individual, and later is required to erase it, and also must request other websites erase their copy of the story.
Data might not have to be erased if any of the following apply:
Non-electronic documents which are not (to be) filed, (i.e. it’s data you can’t search for), e.g. a random piece of microfiche, or a paper notepad, are not classed as personal data in the GDPR and are therefore not subject to the right to erasure.
Some personal data sets are impossible (or infeasible) to edit to remove individual records, e.g. a server backup. Whilst these uneditable data sets are in-scope of the erasure Right, themselves they would be out-of-scope for erasure editing procedures due to their immutable nature.
If as a result of the search you are dissatisfed with the way we are using your personal information you should raise the matter with the Ascensos Data Protection Offcer who can be contacted via the address below. We will do everything we can to put the matter right and if we disagree with you we will tell you our reasons. The Data Protection Offcer will be happy to give you an explanation of your rights under the Data Protection Act and the General Data Protection Regulation.
Data Protection Officer
250 Airbles Road