Policy title: Data Subject Access Request (DSAR) V1
Published on this page: 22nd October 2021
This procedure sets out the rights of individuals to access their personal data. It also clarifies what DN Colleges (DNCG) must do in this regard to comply with DNCG duties as a data controller.
These rights and duties are set out in sections 7–9A of the Data Protection Act 1998 (DPA) and are often referred to as ‘the right of subject access’, a phrase this code also uses. The code refers to a request made under section 7 of the DPA as a ‘data subject access request’ (DSAR).
The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why DNCG are using the data, and check DNCG are doing it lawfully.
You can make a subject access request to find out:
- what personal information DN Colleges Group holds about you
- how we are using it
- who we are sharing it with
- where we got your data from.
You cannot request personal data that forms part of a judicial decision or is contained in documents relating to an investigation or proceedings which have been created by or on behalf of a court or other judicial authority. This is because there are other access routes through which you can obtain this information.
A Data Subject must specify to DNCG the specific set of data held by DN Colleges Group that is requested.
The DSAR may be requested verbally through a member of staff, or in writing.
If a staff member receives a verbal DSAR, a Data Subject Access Request form must be completed and submitted to the Data Protection Officer (DPO) within 48 hrs of receipt.
A member of staff requesting a DSAR for their personal information must request this verbally or in writing to the DPO.
The request can be made to any member of staff. Once received, the SAR must be submitted to the DPO at email@example.com for verification and advice to proceed.
A request can be denied if the Data Subject does not fall within the legislation to request a SAR, i.e. a request made by a third party, not the data subject directly.
The DPO / Acting DPOs will assess the SAR and advise whether it can be processed, or provide a response as to why it will be declined.
The DPO verifies the SAR and logs it on the DSAR Log.
The DPO will record the date that the identification checks were conducted, and the specification of the data sought.
Relevant departments will provide the requested information to the DPO or act on behalf of the DPO with the Data Subject.
The data subject will receive the information within one month (30 days) from the recorded date. (The time limit for response can be extended by a further two months if the request is complex or multiple SARs have been received from the same individual, but notice of the extension must be given within the original one-month limit.)
There is no charge to request a DSAR.
The DPO or member of staff will write to the Data Subject to confirm receipt of the DSAR request.
The DPO will ensure that the requested data is collected within the specified time frame above.
- Collecting the data specified by the data subject, or
- Searching all databases and all relevant filing systems (manual files), in the DN Colleges Group, including all back up and archived files (computerised or manual) and all email folders and archives. The IT Director maintains a data map that identifies where all data in DN Colleges Group is stored
- The DPO maintains a record of requests for data and of its receipt, including dates
- The DPO/Core Group will review a DSAR from a child. Before responding to a DSAR from a child data subject, the DPO/Core Group will consider their ability to make the request (by adequately explaining any implications of sharing their personal data, etc.). Where required, parent or guardian consent may be requested.
- The DPO/Core Group reviews all documents that have been provided to identify whether any third parties are present in them, and either removes the identifying third party information from the documentation or obtains written consent from the third party for their identity to be revealed
- Where possible provide remote access to a secure system which would provide the data subject with direct access to his or her personal data
- DPO/Staff to issue personal data to the data subject by agreed method
- DPO to update SAR log with date the SAR completed
Relevant Policies and Procedures
Data Protection Policy
Data Subject Access Request Template
Who to contact with Queries
Data Protection Officer Terry Hutchinson – firstname.lastname@example.org
This procedure will be provided to all staff, students and stakeholders who may request a Data Subject Access Request. The procedure and DSAR form will be placed on the intranet site and website of Doncaster College, North Lindsey College and DN Colleges Group.
Policy Holder: T Hutchinson, Data Protection Officer
Approval Committee: GDPR Core Group
Approval Date: 01 December 2019
Next Review Date: 01 December 2021