Subject Access Requests


Policy

1. SCOPE

The following procedure defines the method that will be followed, and the steps to be
taken, when handling Subject Access Requests, under the Data protection Act (DPA) and subsequently under the General Data Protection Regulation (GDPR) for information directed to any staff member of Ascensos Ltd

2. THE RIGHT OF SUBJECT ACCESS

Both the Data Protection Act and General Data Protection Regulation gives individuals the right to request copies of all their personal data processed by Ascensos as a data controller and this document refers to Ascensos only in that role. As a data processor Ascensos will adhere to the SAR policies required except in circumstances where a client SAR is not in compliance with data regulations.

Personal data is any information that relates to a living individual who can be
identified:

a) from that information,

or

b) from that information and other information which is in the possession of, or is likely to come into the possession of Ascensos. It includes any expression of opinion about the individual and any indication of the intentions of the data controller in respect of the individual.

In practice, this definition covers all types of records held by the Ascensos. The individual is entitled under current legislation to see all copies of letters, memos and emails of which the individual is the focus.

In order to get a copy of their personal data, an individual has to make a request in writing using a standardised form (See Appendix A), the applicant must provide sufficient information to identify themselves and the information they are seeking. This for is provided to ensure that Ascensos has a full understanding of what is being requested and that the individual has been suitably identified as being that person.  

Data regulation is currently going through a transition process from DPA to GDPR and to ensure that Ascensos is compliant they are taking the more restrictive requirements to ensure compliance with both.

The DPA allows for a 40 day however GDPR only allows for 30 day. Therefore, once an individual has provided all information  Ascensos has 30 days to comply with the request. If Ascensos does not comply fully with a legitimate request from an individual within the 30-day time limit, Ascensos will be in breach of the GDPR.

This Policy and Procedure is designed to ensure that all requests are dealt with adequately within the 30-day time limit that has been agreed that Ascensos must adhere to ensure that GDPR and therefore prevent Ascensos being in breach of data regulation legislation.

Although not anticipated this 30 day response can be extended by a further two months where the request is complex or where there are numerous requests. If this is the case, the Data Subject must be contacted within one month of the receipt of the request and explain why the extension is necessary.

3. SUBJECT ACCESS POLICY

  • It will be the Ascensos policy to ensure that all Subject Access Requests are initially acknowledged in writing within 5 working days. At the time of acknowledgement, individuals will be told whether any further information is required.
  • Ascensos will have an electronic facility in place using a standardised form for the submission of requests. This facility will be hosted within their website.
  • It will be the policy of Ascensos to not charge, in compliance with GDPR, per subject access request. Where the request is determined to be ‘manifestly unfounded or excessive’, a fee may be charged consummate with the complexity or time required to the request. Unless Ascensos explicitly advises that there will be a charge everyone making a Subject Access Request shoul
  • Individuals will be required to provide proof of identity and residence, as detailed in the Procedure for Handling Requests, before information will be disclosed. This is to prevent unauthorised disclosures to third parties.
  • Where a request is made by an agent on behalf of an individual, in addition to the proofs referred to in paragraph 3, a request will only be fulfilled where the agent can provide proof of authority to act on the individual’s behalf. Any written authorisation will also be verified by telephoning the person who has given authorisation for the agent to act on their behalf.
  • Ascensos will produce a Subject Access Information Pack and Standardised Subject Access Forms to assist an individual in making a request. These will be made available on request and will be placed on the Ascensos website. Submission of these forms can be made electronically however Ascensos will provide appropriate contact details on the website for non-electronic submissions.
  • This Procedure and the Subject Access Information Pack will be made available in other formats where necessary. Ascensos understand the rights of the individual pertaining to Data Portability and will provide materials in a structured, commonly used  and machine readable format with the exception of paper based files which will be scanned and sent to the applicant
  • Ascensos has the right to withhold personal data if disclosing it would ‘adversely affect the rights and freedoms of others'. This is reflective of the current position under the DPA and will be extended to GDPR.
  • Every department will have  nominated personnel who will assist the Ascensos Data Protection Officer to fulfill subject access requests in a timely and.
  • Training will be provided to key staff that will be using this policy and procedure on a frequent basis and, as and when, data regulation changes require.
  • A Standard Operating Procedure entitled Ascensos SAR Process details the operational aspect of how a SAR is dealt with on a step by step basis.

4. RIGHT TO ERASURE

Article 17 of the GDPR states that data subjects have the right to have their personal data removed from the systems of controllers and processors under a number of circumstances, such as by removing their consent for its processing. Once again as both a controller and a processor Ascensos will adhere to our clients policies regarding the processing of client customer data but as a controller we recognise our own obligations of how we handle personal data controlled by Ascensos.

4.1 Requirements

Ascensos as a data controller understand individuals rights to erasure and will fully comply with this in the following circumstances.

Article 17 of the GDPR, The Right To Erasure, states:

“Data Subjects have the right to obtain erasure from the data controller, without undue delay, if one of the following applies:

  1. The controller doesn’t need the data anymore
  2. The subject withdraws consent for the processing with which they previously agreed to (and the controller doesn’t need to legally keep it (such as salary details etc)
  3. The subject uses their right to object (Article 21) to the data processing.
  4. The controller and/or its processor is processing the data unlawfully.
  5. There is a legal requirement for the data to be erased.
  6. The data subject was a child at the time of collection (See Article 8 for more details on a child’s ability to consent)

If a controller makes the data public, then they are obligated to take reasonable steps to get other processors to erase the data, e.g. A website publishes an untrue story on an individual, and later is required to erase it, and also must request other websites erase their copy of the story.

4.2 Exceptions

Data might not have to be erased if any of the following apply:

  • The “right of freedom and expression”
  • The need to adhere to legal compliance, e.g. a bank keeping data for 7 years.
  • Reasons of public interest in the area of public health
  • Scientific, historical research or public interest archiving purposes
  • For supporting legal claims, e.g. PPI offerings.

4.3 Out of Scope

  • Non-electronic documents which are not (to be) filed, (i.e. it’s data you can’t search for), e.g. a random piece of microfiche, or a paper notepad, are not classed as personal data in the GDPR and are therefore not subject to the right to erasure.
  • Some personal data sets are impossible (or infeasible) to edit to remove individual records, e.g. a server backup. Whilst these uneditable data sets are in-scope of the erasure Right, themselves they would be out-of-scope for erasure editing procedures due to their immutable nature.

If as a result of the search you are dissatisfed with the way we are using your personal
information you should raise the matter with the Ascensos Data Protection Offcer who can be contacted
via the address below. We will do everything we can to put the matter right and if we disagree
with you we will tell you our reasons. The Data Protection Offcer will be happy to give you an
explanation of your rights under the Data Protection Act and the General Data Protection Regulation.

Data Protection Officer
Ascensos
250 Airbles Road
Motherwell
ML1 3AT