Data Subject Access Request Procedure
Purpose of the procedure
The purpose of this document is to outline KDYS’s procedure in relation to the management of data subject access requests.
A subject access request enables a data subject to gain access to any personal data held about them by KDYS. It promotes the right of data subjects to submit a subject access request in order to obtain a copy of such data held about them, in electronic or hard copy form, by KDYS, as the data controller.
It also outlines the procedure to be followed by data subjects when submitting a data access request to KDYS.
Scope of this document
This policy outlines how KDYS will meet its legal obligations under the European Union General Data Protection Regulation (GDPR) upon receipt of a data access request.
The Data Subject Access Request procedure is maintained by KDYS’s Data Compliance Officer (DCO), who is responsible for dealing with all subject access requests received by the organisation. All questions or comments related to this policy or a specific subject access request should be directed to firstname.lastname@example.org or to the Data Compliance Officer at 064 6631748.
What is personal data?
Personal data is any data, in both physical and electronic form, related to an identified or identifiable person. It includes anything that can be used to identify a person, directly or indirectly, by means of his or her physical, physiological, mental, economic, cultural, or social identity.
What is a data subject access request?
A data subject access request is a written or verbal request for personal data held about you by KDYS. Under Article 15 of the GDPR you have, as the data subject, the right to see what personal data KDYS is processing and receive a copy of the data itself.
Young people and data access requests
In the event that a child or young person aged under 18 makes an access request, or a parent/guardian makes an access request on behalf of the child or young person, the following considerations will apply:
- the young person’s level of maturity and their ability to make decisions regarding their personal data.
- the nature of the personal data being requested.
- any court orders relating to parental access or responsibility.
- any duty of confidence owed to the child or young person.
- any consequences of allowing those with parental responsibility access to the child’s or young person’s information (this is particularly important if there have been allegations of abuse or ill-treatment).
- any detriment to the child or young person if individuals with parental responsibility cannot access this information.
- any views the child or young person has on whether their parents should have access to information about them.
How do you make a subject access request?
To allow us to respond promptly to any data subject access request we ask you to:
- Download the DSAR Form, available here.
- Please complete, sign and date the form and be as specific as possible about the information you wish to access.
- Attach a photocopy of your proof of identity and address to the DSAR Form.
- Send the completed request form, along with the proof of identity and address to email@example.com or Data Compliance Officer, Fair Hill, Killarney, Co Kerry.
- If you cannot download the DSAR Form from the internet, please write to us at the above address requesting a form.
Use of the DSAR Form is not mandatory. However, completing the form should enable us to process your request more efficiently.
What do we do when we receive a valid data subject access request?
- We will first check that we have enough information to be sure of your identity. Usually, we will have no reason to doubt a person’s identity. However, in rare cases we may request additional evidence we reasonably need to confirm your identity. We do this to ensure that we only disclose information about personal data to the data subject.
- We will then check that we have enough information to find the records you requested. If we feel we need more information, then we will promptly ask you for this.
- We will then conduct a full search of all our relevant data systems and collect all data relevant to the subject access request. Provided that none of the restrictions specified in Article 23 of the GDPR apply, we will then share with you the data and the additional information that you are entitled to.
- We will notify the joint controller of the request, if applicable.
- The default position is that you will get a hard copy of the information in a permanent and intelligible format unless the supply of such a copy is not possible or would involve a disproportionate effort, or you have agreed otherwise. Any terms which are not intelligible without an explanation will be accompanied by an explanation.
- You will be notified when the requested data is available for collection. You will be requested to sign a receipt of collection to confirm that you have received the said data. In the event that a physical collection is not possible, the DCO will make arrangements with you to ensure that the data will be dispatched by secure, registered delivery, and we will seek timely confirmation from you, as the data subject, of receipt of the material.
Before supplying the information requested to you, the DCO will check each item of data to establish if any exemptions or restrictions apply which would result in that item of data not being released.
If data relating to a third party is involved, it will not be disclosed without the consent of that third party or alternatively the data will be anonymised in order to conceal the identity of the third party. Where it is not possible to anonymise the data to ensure that the third party is not identified, then that item of data may not be released.
Where KDYS may be unsure as to what information to disclose, KDYS reserves the right to seek legal advice or contact the Data Commissioner for guidance.
The DCO will ensure that the information is provided in an intelligible form (e.g. codes explained) or will provide an explanation.
Are there any fees payable?
While in most instances there is no charge, we reserve the right, in accordance with Article 12 of the GDPR, to charge a fee or refuse the request if it is considered to be “manifestly unfounded or excessive”. Subsequent copies may incur a reasonable fee based on administrative costs.
How soon will my subject access request be dealt with?
All valid data subject access requests, accompanied by a valid proof of identity, received by KDYS will be dealt with within 30 days of the latest of the following:
- our receipt of your request; or
- our receipt of any further information we may ask you to provide to enable us to comply with your request.
This policy will be reviewed at least annually to ensure alignment to appropriate risk management requirements and its continued relevance to current and planned operations, or legal developments and legislative obligations.