POLICY: Data Subject Access
Policy Statement
A data subject is the individual to whom personal data relates. The General Data Protection Regulation (GDPR), gives data subjects certain rights, for example, to confirm whether we’re processing their personal data lawfully; to rectify or delete their personal data; and to obtain copies of the personal data. This policy demonstrates our approach to identifying and responding to such requests.
Scope
This policy relates to our data subjects which may include employees, contractors, clients, suppliers and the like. This policy applies to all who may be responsible for identifying and responding to data subject access requests, including any external organisations who might process personal data on our behalf.
Duties and Responsibilities
Leadership Accountability-The leadership is accountable for implementation and oversight of this policy. They must understand its requirements, especially for areas under their control, and drive the adoption of the appropriate behaviours throughout our organisation.
Data Protection Team-The team is responsible for the implementation, monitoring and review of the overall procedure. The team must ensure that the individuals directly involved in processing requests are aware of their responsibilities and are adequately trained. Regular table-top exercises are encouraged.
The Manner of Requests
Data subject access requests can be made in writing, electronically or verbally. We must therefore, develop and implement the mechanisms to quickly identify and respond to requests.
Verifying Identity
If we have doubts about the identity of the person making the request, we can ask for more information. However, it is important that we only request information that is necessary to confirm who they are. It should be the minimum amount and only what is relevant in the particular context. In many cases, asking for a copy of an identity document, passport or birth certificate is disproportionate and, contrary to what some believe, does not necessarily provide proper assurance as to the real identity of the person. We must therefore ensure that we have in place, the appropriate procedures and mechanisms to verify the requester’s legitimacy to make such requests.
Request Detection and Response
All persons responsible must be able to recognise and properly escalate a request. The request must be evaluated for legitimacy and then processed according to the nature of the request and the GDPR’s specific requirements.
Response Time
We have to respond to a subject access request within one month of receipt of the request. If more time is needed to respond to complex requests, an extension of another two months is permissible, provided this is communicated to the data subject in a timely manner within one month of receipt of the request – wherein we must inform the data subject as to the reasons why.
Fees
We will provide a copy of the information free of charge, as per the GDPR rules. However, we may charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive. We may also charge a reasonable fee to comply with requests for further copies of the same information.
Exemptions
Exempt information must be redacted from the released documents with an explanation of why that information is being withheld. e.g. personal data of third parties.
Complaints
Where we do not take action on the request of the data subject, we shall inform the data subject without delay and, at the latest within one month of receipt of the request, of the reasons for not taking action and on the possibility of lodging a complaint with our supervisory authority and seeking a judicial remedy.